[英]How can I resolve the error "The security token included in the request is invalid" when running aws iam upload-server-certificate?
I cd
into the directory where all the pem/key files are and run the following:我
cd
进入所有 pem/key 文件所在的目录并运行以下命令:
aws iam upload-server-certificate
--server-certificate-name certificate_name
--certificate-body file://webservercertificate.pem
--private-key file://server.key
--certificate-chain file://certificate_chain_file.pem
I get the following error:我收到以下错误:
A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.
调用 UploadServerCertificate 操作时发生客户端错误 (InvalidClientTokenId):请求中包含的安全令牌无效。
I have 1 'user' in 'users'.我在“用户”中有 1 个“用户”。 That user has been assigned the following permissions:
该用户已被分配以下权限:
IAMFullAccess IAMReadOnlyAccess IAMUserSSHKeys
I've downloaded the credentials for this user and put them into my user variables我已经下载了该用户的凭据并将它们放入我的用户变量中
AWS_ACCESS_KEY ****
AWS_SECRET_KEY ****
I have 1 role on my elastic beanstalk aws-elasticbeanstalk-ec2-role
我在我的弹性 beantalk
aws-elasticbeanstalk-ec2-role
上有 1 个角色
Try to go to the security credentials on your account page: Click on your name in the top right corner -> My security credentials尝试转到您帐户页面上的安全凭证:单击右上角的您的姓名 -> 我的安全凭证
Then generate access keys over there and use those access keys in your credentials file (aws configure)然后在那里生成访问密钥并在您的凭据文件中使用这些访问密钥(aws 配置)
If you're using the CLI with MFA , you have to set the session token in addition to setting the access and secret keys.如果您将 CLI与 MFA 结合使用,则除了设置访问密钥和密钥外,您还必须设置会话令牌。 Please refer to this article: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
请参考这篇文章: https : //aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
In my case, there were two different 'AWS_SECRET_ACCESS_KEY' and 'AWS_ACCESS_KEY_ID' values set one through the Windows environment variable and one through the command line.就我而言,有两种不同的“AWS_SECRET_ACCESS_KEY”和“AWS_ACCESS_KEY_ID”值,一种是通过 Windows 环境变量设置的,一种是通过命令行设置的。
So, update these two and the default_region using a command line因此,使用命令行更新这两个和 default_region
> aws configure
Press enter and follow the steps to fill the correct AWS_ACESS_KEY_ID
AWS_SECRET_ACCESS_KEY
and AWS_DEFAULT_REGION
按回车并按照步骤填写正确的
AWS_ACESS_KEY_ID
AWS_SECRET_ACCESS_KEY
和AWS_DEFAULT_REGION
> aws sts get-caller-identity
should return the new set credentials应该返回新的设置凭据
如果您还获得了会话令牌,则需要在configure
后手动设置它:
aws configure set aws_session_token "<<your session token>>"
如果从使用临时 IAM 角色凭证切换到使用 IAM 用户凭证,请不要忘记确保仅用于临时凭证的AWS_SESSION_TOKEN
不再具有值:
unset AWS_SESSION_TOKEN # unset the environment variable
尝试导出正确的配置文件,即$ export AWS_PROFILE="default"
如果您只有默认配置文件,请确保密钥正确并重新运行aws configure
I had the same error, even after re-running aws configure
, and inputting a new AWS_ACESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
.即使在重新运行
aws configure
并输入新的AWS_ACESS_KEY_ID
和AWS_SECRET_ACCESS_KEY
之后,我也遇到了同样的错误。
What fixed it for me was to delete my ~/.aws/credentials
file and re-run aws configure
.为我修复的是删除我的
~/.aws/credentials
文件并重新运行aws configure
。
It seems that my ~/.aws/credentials
file had an additional value: aws_session_token
which was causing the error.似乎我的
~/.aws/credentials
文件有一个附加值: aws_session_token
导致错误。 After deleting and re-creating the ~/.aws/configure
using the command aws configure
, there is now only values for aws_access_key_id
and aws_secret_access_key
.使用命令
aws configure
删除并重新创建~/.aws/configure
aws configure
,现在只有aws_access_key_id
和aws_secret_access_key
值。
I had to specify the AWS profile to use --profile default
explicitly to get rid of this error while running AWS CLI commands.我必须指定 AWS 配置文件以显式使用
--profile default
以在运行 AWS CLI 命令时消除此错误。 I could not understand though that why it did not pick up this profile automatically as there was only [dafault]
profile present in my aws config and credentials file.我不明白为什么它没有自动选择这个配置文件,因为我的 aws 配置和凭据文件中只有
[dafault]
配置文件。
I hope this helps.我希望这有帮助。
Cheers, Kunal干杯,库纳尔
$ aws configure
and use the new key and secret.$ aws configure
并使用新的密钥和秘密。 Run the command again:再次运行命令:
serverless invoke local --function create --path mocks/create-event.json
This happened to me when using java sdk.这发生在我使用 java sdk 时。 The problem was for me was i wasnt using the session token from assumed role.
对我来说问题是我没有使用来自假定角色的会话令牌。
Working code example ( in kotlin )工作代码示例(在 kotlin 中)
val identityUserPoolProviderClient = AWSCognitoIdentityProviderClientBuilder
.standard()
.withCredentials(AWSStaticCredentialsProvider(BasicSessionCredentials("accessKeyId", ""secretAccessKey, "sessionToken")))
.build()
You are somehow using wrong AWS Credentials (AccessKey and SecretKey) of AWS Account.您不知何故使用了 AWS 账户的错误 AWS 凭证(AccessKey 和 SecretKey)。 So make sure they are correct else you need to create new and use them - in that case may be @Prakash answer is good for you
因此,请确保它们是正确的,否则您需要创建新的并使用它们 - 在这种情况下,@Prakash 答案可能对您有好处
I had the same error but was caused by a different issue.我有同样的错误,但由不同的问题引起。
The credentials were changed on AWS but I was still using a cached MFA session token for the config profile. AWS 上的凭证已更改,但我仍在使用缓存的 MFA 会话令牌作为配置文件。
There is a cache file for each profile under ~/.aws/cli/cache/
containing the session token. ~/.aws/cli/cache/
下的每个配置文件都有一个包含会话令牌的缓存文件。
Remove the cache file, reissue the command and enter a new MFA token and its good to go.删除缓存文件,重新发出命令并输入新的 MFA 令牌,一切顺利。
This can also happen when you disabled MFA.禁用 MFA 时也会发生这种情况。 There will be an old long term entry in the AWS credentials.
AWS 凭证中将有一个旧的长期条目。
Edit the file manually with editor of choice, here using vi (please backup before):使用选择的编辑器手动编辑文件,这里使用 vi(请先备份):
vi ~/.aws/credentials
Then remove the [default-long-term] section.然后删除[default-long-term]部分。 As result in a minimal setup there should be one section [default] left with the actual credentials.
作为最小设置的结果,应该有一个部分[default]留下实际凭据。
[default-long-term]
aws_access_key_id = ...
aws_secret_access_key = ...
aws_mfa_device = ...
Similar to Pat's response, check your environment variables.与 Pat 的响应类似,请检查您的环境变量。 Particularly
AWS_SESSION_TOKEN
AND AWS_SECURITY_TOKEN
特别是
AWS_SESSION_TOKEN
和AWS_SECURITY_TOKEN
Try unsetting them: unset VAR_NAME
尝试
unset VAR_NAME
: unset VAR_NAME
To see what variables are set try env | grep AWS
要查看设置了哪些变量,请尝试
env | grep AWS
env | grep AWS
and expect something like: env | grep AWS
并期待以下内容:
AWS_REGION=ap-southeast-2
AWS_PAGER=
AWS_SECRET_ACCESS_KEY=...
AWS_ACCESS_KEY_ID=...
AWS_SESSION_TOKEN=...
AWS_SECURITY_TOKEN=...
I thought you could avoid it by just passing the --no-sign-request param, like so:我认为您可以通过传递 --no-sign-request 参数来避免它,如下所示:
aws --region us-west-2 --no-sign-request --endpoint-url=http://192.168.99.100:4572 \
s3 mb s3://mytestbucket
In my situation, the problem was due to running powershell as an admin , so it was looking for the aws credentials in the root of my admin user.在我的情况下,问题是由于以admin身份运行 powershell ,所以它在我的管理员用户的根目录中寻找 aws 凭据。 There's probably a better way to resolve this, but what worked quickly for me was recreating my .aws folder in the root of my admin user .
可能有更好的方法来解决这个问题,但对我来说快速有效的是在我的 admin 用户的根目录中重新创建我的 .aws 文件夹。
我把访问密钥和秘密密钥搞混了:)
A little late to the game here, but this may be helpful for someone.这里的游戏有点晚了,但这可能对某人有所帮助。 Using Windows.
使用 Windows。 I had switched from one account to another.
我已经从一个帐户切换到另一个帐户。 Before working in the first account, I ran
在第一个帐户工作之前,我跑了
SET AWS_ACCESS_KEY_ID=ABCDE....
SET AWS_SECRET_ACCESS_KEY=12345...
SET AWS_SESSION_TOKEN=a1b2c3...
When I switched to the second account, I ran the following.当我切换到第二个帐户时,我运行了以下内容。 This second account did not require a session token:
第二个帐户不需要 session 令牌:
SET AWS_ACCESS_KEY_ID=FGHIJ....
SET AWS_SECRET_ACCESS_KEY=67890...
When I then tried to connect I recived the error:然后当我尝试连接时,我收到了错误:
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
I cleared the session toke variable by running set AWS_SESSION_TOKEN=
and then I was able to authenticate.我通过运行
set AWS_SESSION_TOKEN=
清除了 session 令牌变量,然后我能够进行身份验证。 Note that there is no space before the equals sign.请注意,等号之前没有空格。
I was able to use AWS cli fully authenticated, so for me the issue was within terraform for sure.我能够使用完全经过身份验证的 AWS cli,所以对我来说问题肯定在 terraform 中。 I tried all the steps above with no success.
我尝试了上述所有步骤,但没有成功。 A reboot fixed it for me, there must be some a cache somewhere in terraform that was causing this issue.
重新启动为我修复了它,在导致此问题的 terraform 某处必须有一些缓存。
This is weird, but in my case whenever I wanted to retype the access id and the key by typing aws configure
.这很奇怪,但就我而言,每当我想通过键入
aws configure
重新键入访问 ID 和密钥时。
Adding the id access end up always with a mess in the access id entry in the file located ~/.aws/credentials
(see the picture)添加 id 访问最终总是在位于
~/.aws/credentials
的文件中的访问 id 条目中出现混乱(见图)
I have removed this mess and left only the access id.我已经删除了这个烂摊子,只留下了访问 ID。 And the error resolved.
并且错误解决了。
当我在弹性 Beanstalk 上部署我的 django 应用程序时,我遇到了类似的问题,我发现当我尝试各种方法时,在 ~/.aws/ 文件夹中的配置文件中创建了一个 eb-cli 配置文件,所以一旦我摆脱了它一切正常!
I had a similar issue for uploading a certificate using the cli.我在使用 cli 上传证书时遇到了类似的问题。 I needed to use a programmatic access from a newly created iam user (with its own keys).
我需要使用来自新创建的 iam 用户(使用自己的密钥)的编程访问。 The MFA that I used to authenticate myself to the AWS console (web) in my AWS account was interfering when using the aws configure command with the new iam user credentials for programmatic access.
当使用 aws configure 命令和新的 iam 用户凭证进行编程访问时,我用来向 AWS 账户中的 AWS 控制台 (web) 验证自己的 MFA 会产生干扰。 In the new credentials file (created from the aws configure command) the session token from the MFA log was somehow persisted.
在新的凭证文件(通过 aws configure 命令创建)中,MFA 日志中的会话令牌以某种方式保留下来。 Deleting manually from the credentials file the session token helped in my case.
从凭据文件中手动删除会话令牌对我有帮助。
thank you DuckMaestro , I solved my problems with your suggestion.谢谢DuckMaestro ,我用你的建议解决了我的问题。
I configured like this.我是这样配置的。
# aws configure
but, I met error this.但是,我遇到了这个错误。
# aws iam list-users
An error occurred (InvalidClientTokenId) when calling the ListUsers operation: The security token included in the request is invalid.
# aws sts get-caller-identity
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
and I did like this with your suggestion.我确实喜欢你的建议。
# aws configure set aws_session_token "<<your session token>>"
I solved it !!我解决了!! thanks.
谢谢。
After so much research I found out that my AWS account was suspended due to payment.经过大量研究,我发现我的 AWS 账户因付款而被暂停。
So, kindly confirm your account is not suspended.因此,请确认您的帐户没有被暂停。
In my case we use both AWS CN and COM, even though I have valid keys and config/credential files and even specify the exports and --profile
in the command I get this error.在我的情况下,我们同时使用 AWS CN 和 COM,即使我有有效的密钥和配置/凭证文件,甚至在命令中指定了导出和
--profile
我--profile
收到此错误。
To fix: ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.
修复:
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.
I add --region
to the command as well.我也将
--region
添加到命令中。
For anyone who is getting this error when using AWS SDK on the Cloud9 editor, the problem could be due to the AWS-managed temporary credentials which might restrict what the identity (the AWS-managed temporary credentials which AWS sets for you) can do.对于在 Cloud9 编辑器上使用 AWS 开发工具包时遇到此错误的任何人,问题可能是由于 AWS 管理的临时凭证可能会限制身份(AWS 为您设置的 AWS 管理的临时凭证)可以执行的操作。
If you run cat ~/.aws/credentials
you will see a profile already created for you, and this also lists the session token.如果您运行
cat ~/.aws/credentials
,您将看到已为您创建的配置文件,其中还列出了会话令牌。 Note: this is managed by AWS and cannot be modified/deleted.注意:这是由 AWS 管理的,不能修改/删除。
A get-around is turning off the AWS-managed temporary credentials.一种解决方法是关闭 AWS 管理的临时凭证。 Here is some info on how these temporary credentials are managed and how you can turn them off: https://docs.aws.amazon.com/cloud9/latest/user-guide/security-iam.html#auth-and-access-control-temporary-managed-credentials .
以下是有关如何管理这些临时凭证以及如何关闭它们的一些信息: https ://docs.aws.amazon.com/cloud9/latest/user-guide/security-iam.html#auth-and-access -control-temporary-managed-credentials 。 Once you discontinue using the AWS-managed credentials, and re-run the above command (
cat ~/.aws/credentials
), you will notice that the file is empty.一旦您停止使用 AWS 管理的凭证并重新运行上述命令 (
cat ~/.aws/credentials
),您会注意到该文件为空。 Now, you must set a profile manually and use this profile for AWS SDK/CLI.现在,您必须手动设置配置文件并将此配置文件用于 AWS 开发工具包/CLI。
To configure a profile, you'll need to run: aws configure <name-of-the-profile>
.要配置配置文件,您需要运行:
aws configure <name-of-the-profile>
。 If you do not pass a name for the profile, it will default to default (and subsequently override this default profile).如果您不传递配置文件的名称,它将默认为默认值(并随后覆盖此默认配置文件)。 With the profile set, use this profile with AWS SDK/CLI/API.
使用配置文件集,将此配置文件与 AWS 开发工具包/CLI/API 一起使用。
If that can help anyone, I had the same problem and eventually I found that it's because my AWS profile region was eu-south-1
.如果这可以帮助任何人,我遇到了同样的问题,最终我发现这是因为我的 AWS 配置文件区域是
eu-south-1
。 By setting it to us-west-2
it worked.通过将其设置为
us-west-2
它可以工作。
Doesn't make any sense to me, but it seems it's something to check if you're having this problem.对我来说没有任何意义,但似乎需要检查你是否有这个问题。
Had similar issue where i had to re-configure my aws有类似的问题,我不得不重新配置我的 aws
what fixed this for me was resetting environment variables为我解决这个问题的是重置环境变量
export AWS_ACCESS_KEY=<key>
export AWS_SECRET_ACCESS_KEY=<key>
In my case I automatically created Api keys, then used them directly using Assume role.就我而言,我自动创建了 Api 密钥,然后使用 Assume 角色直接使用它们。 They didn't work when using sts assume-role.
使用 sts 假设角色时,它们不起作用。
I did a sleep for around 10 seconds after the api keys was created.在创建 api 密钥后,我睡了大约 10 秒钟。 That solved the problem for me.
这为我解决了问题。
In my situation, this error occurs due to wrong AWS credentials.在我的情况下,此错误是由于错误的 AWS 凭证而发生的。 Try to verify before retrying.
在重试之前尝试验证。
opened my ~/.aws/credentials file and saw that the secret key was interchanged with my Access ID strangely, switching it solved the problem打开我的 ~/.aws/credentials 文件,发现密钥与我的访问 ID 奇怪地互换了,切换它解决了问题
In my case, I was getting this error trying to send emails with AWS SES
using the SDK.就我而言,我在尝试使用 SDK 使用
AWS SES
发送电子邮件时遇到此错误。 I had to restart the application (.NET 6 in Docker with docker-compose) for the credentials to be reloaded by the application, so they must be cached once loaded.我必须重新启动应用程序(使用 docker-compose 的 Docker 中的 .NET 6)才能由应用程序重新加载凭据,因此加载后必须缓存它们。
In my case I had triple checked the.aws/credentials file, environment variables, command line arguments, project config etc. but some old credentials were still being found somewhere.在我的例子中,我对 .aws/credentials 文件、环境变量、命令行参数、项目配置等进行了三次检查,但仍然在某处找到了一些旧的凭证。
In the end it was an old auth token header configured in Postman which I was using to call the API.最后,它是我用来调用 API 的 Postman 中配置的旧身份验证令牌标头。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.