The security token included in the request is invalid


I am patching my RHEL server using Patch manager but I am getting below error

ClientError: An error occurred (UnrecognizedClientException) when calling the GetDeployablePatchSnapshotForInstance operation: The security token included in the request is invalid root [INFO]: Unable to retrieve snapshot with default ssm client, retry with fallback ssm client botocore.credentials [INFO]: Found credentials in shared credentials file: ~/.aws/credentials

How to clear the credentials in ~/.aws/credentials in session manager ? Enter image description here

1 Answer
Accepted Answer


I think it is probably reading the credentials of the user (root) running SSM Agent, so I think you need to look for the "/root/.aws/credentials" setting.

On Linux and macOS, SSM Agent runs as the root user. Therefore, the environment variables and credentials file that SSM Agent looks for in this process are those of the root user only (/root/.aws/credentials). SSM Agent doesn't look at the environment variables or credentials file of any other users on the instance during the search for credentials.

By the way, are you trying to apply the patch to RHEL running on EC2?
In that case, I think you can use it without setting an access key by setting the IAM policy "AmazonSSMManagedInstanceCore" in the EC2 IAM role.

profile picture
answered 4 months ago
profile pictureAWS
reviewed 4 months ago
  • Thank you in a million. I found it in "/root/.aws/credentials and deleted it. I was able to patch the ec2 instance successfully.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions