The security token included in the request is invalid

Question

I am patching my RHEL server using Patch manager but I am getting below error

ClientError: An error occurred (UnrecognizedClientException) when calling the GetDeployablePatchSnapshotForInstance operation: The security token included in the request is invalid
root [INFO]: Unable to retrieve snapshot with default ssm client, retry with fallback ssm client
botocore.credentials [INFO]: Found credentials in shared credentials file: ~/.aws/credentials

How to clear the credentials in  ~/.aws/credentials in session manager ? 
![Enter image description here](/media/postImages/original/IMar3g5-H3RF6w8OrdOcfSvA)

Riku_Kobayashi · Accepted Answer

Hello.

I think it is probably reading the credentials of the user (root) running SSM Agent, so I think you need to look for the "/root/.aws/credentials" setting.  
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html  
> On Linux and macOS, SSM Agent runs as the root user. Therefore, the environment variables and credentials file that SSM Agent looks for in this process are those of the root user only (/root/.aws/credentials). SSM Agent doesn't look at the environment variables or credentials file of any other users on the instance during the search for credentials.

By the way, are you trying to apply the patch to RHEL running on EC2?  
In that case, I think you can use it without setting an access key by setting the IAM policy "AmazonSSMManagedInstanceCore" in the EC2 IAM role.  
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html

The security token included in the request is invalid

Relevant content