运行 aws iam upload-server-certificate 时如何解决“请求中包含的安全令牌无效”错误？

Question

I cd into the directory where all the pem/key files are and run the following:

aws iam upload-server-certificate 
    --server-certificate-name certificate_name 
    --certificate-body file://webservercertificate.pem  
    --private-key file://server.key   
    --certificate-chain file://certificate_chain_file.pem 

I get the following error:

A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.

I have 1 'user' in 'users'. That user has been assigned the following permissions:

IAMFullAccess IAMReadOnlyAccess IAMUserSSHKeys

I've downloaded the credentials for this user and put them into my user variables

AWS_ACCESS_KEY ****
AWS_SECRET_KEY ****

I have 1 role on my elastic beanstalk aws-elasticbeanstalk-ec2-role

Answer 1

Try to go to the security credentials on your account page: Click on your name in the top right corner -> My security credentials

Then generate access keys over there and use those access keys in your credentials file (aws configure)

Answer 2

If you're using the CLI with MFA , you have to set the session token in addition to setting the access and secret keys. Please refer to this article: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Answer 3

In my case, there were two different 'AWS_SECRET_ACCESS_KEY' and 'AWS_ACCESS_KEY_ID' values set one through the Windows environment variable and one through the command line.

So, update these two and the default_region using a command line

> aws configure

Press enter and follow the steps to fill the correct AWS_ACESS_KEY_ID AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION

> aws sts get-caller-identity

should return the new set credentials

Answer 4

如果您还获得了会话令牌，则需要在configure后手动设置它：

aws configure set aws_session_token "<<your session token>>"

Answer 5

如果从使用临时 IAM 角色凭证切换到使用 IAM 用户凭证，请不要忘记确保仅用于临时凭证的AWS_SESSION_TOKEN不再具有值：

unset AWS_SESSION_TOKEN # unset the environment variable

Answer 6

尝试导出正确的配置文件，即$ export AWS_PROFILE="default"如果您只有默认配置文件，请确保密钥正确并重新运行aws configure

Answer 7

I had the same error, even after re-running aws configure , and inputting a new AWS_ACESS_KEY_ID and AWS_SECRET_ACCESS_KEY .

What fixed it for me was to delete my ~/.aws/credentials file and re-run aws configure .

It seems that my ~/.aws/credentials file had an additional value: aws_session_token which was causing the error. After deleting and re-creating the ~/.aws/configure using the command aws configure , there is now only values for aws_access_key_id and aws_secret_access_key .

Answer 8

I had to specify the AWS profile to use --profile default explicitly to get rid of this error while running AWS CLI commands. I could not understand though that why it did not pick up this profile automatically as there was only [dafault] profile present in my aws config and credentials file.

I hope this helps.

Cheers, Kunal

Answer 9

1. Click on your username in the top nav, My Security Credentials
2. Click on Access Key Tab, Create New, copy the key and secret.
3. From the terminal run $ aws configure and use the new key and secret.

4. Run the command again:

    serverless invoke local --function create --path mocks/create-event.json

Answer 10

This happened to me when using java sdk. The problem was for me was i wasnt using the session token from assumed role.

Working code example ( in kotlin )

        val identityUserPoolProviderClient = AWSCognitoIdentityProviderClientBuilder
            .standard()
            .withCredentials(AWSStaticCredentialsProvider(BasicSessionCredentials("accessKeyId", ""secretAccessKey, "sessionToken")))
            .build()

Answer 11

You are somehow using wrong AWS Credentials (AccessKey and SecretKey) of AWS Account. So make sure they are correct else you need to create new and use them - in that case may be @Prakash answer is good for you

Answer 12

I had the same error but was caused by a different issue.

The credentials were changed on AWS but I was still using a cached MFA session token for the config profile.

There is a cache file for each profile under ~/.aws/cli/cache/ containing the session token.

Remove the cache file, reissue the command and enter a new MFA token and its good to go.

Answer 13

This can also happen when you disabled MFA. There will be an old long term entry in the AWS credentials.

Edit the file manually with editor of choice, here using vi (please backup before):

vi ~/.aws/credentials

Then remove the [default-long-term] section. As result in a minimal setup there should be one section [default] left with the actual credentials.

[default-long-term]
aws_access_key_id = ...
aws_secret_access_key = ...
aws_mfa_device = ...

Answer 14

Similar to Pat's response, check your environment variables. Particularly AWS_SESSION_TOKEN AND AWS_SECURITY_TOKEN

Try unsetting them: unset VAR_NAME

To see what variables are set try env | grep AWS env | grep AWS and expect something like:

AWS_REGION=ap-southeast-2
AWS_PAGER=
AWS_SECRET_ACCESS_KEY=...
AWS_ACCESS_KEY_ID=...
AWS_SESSION_TOKEN=...
AWS_SECURITY_TOKEN=...

Answer 15

I thought you could avoid it by just passing the --no-sign-request param, like so:

aws --region us-west-2 --no-sign-request --endpoint-url=http://192.168.99.100:4572 \
 s3 mb s3://mytestbucket

Answer 16

In my situation, the problem was due to running powershell as an admin , so it was looking for the aws credentials in the root of my admin user. There's probably a better way to resolve this, but what worked quickly for me was recreating my .aws folder in the root of my admin user .

Answer 17

我把访问密钥和秘密密钥搞混了:)

Answer 18

A little late to the game here, but this may be helpful for someone. Using Windows. I had switched from one account to another. Before working in the first account, I ran

SET AWS_ACCESS_KEY_ID=ABCDE....
SET AWS_SECRET_ACCESS_KEY=12345...
SET AWS_SESSION_TOKEN=a1b2c3...

When I switched to the second account, I ran the following. This second account did not require a session token:

SET AWS_ACCESS_KEY_ID=FGHIJ....
SET AWS_SECRET_ACCESS_KEY=67890...

When I then tried to connect I recived the error:

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid

I cleared the session toke variable by running set AWS_SESSION_TOKEN= and then I was able to authenticate. Note that there is no space before the equals sign.

Answer 19

I was able to use AWS cli fully authenticated, so for me the issue was within terraform for sure. I tried all the steps above with no success. A reboot fixed it for me, there must be some a cache somewhere in terraform that was causing this issue.

Answer 20

This is weird, but in my case whenever I wanted to retype the access id and the key by typing aws configure .

Adding the id access end up always with a mess in the access id entry in the file located ~/.aws/credentials (see the picture)

I have removed this mess and left only the access id. And the error resolved.

Answer 21

当我在弹性 Beanstalk 上部署我的 django 应用程序时，我遇到了类似的问题，我发现当我尝试各种方法时，在 ~/.aws/ 文件夹中的配置文件中创建了一个 eb-cli 配置文件，所以一旦我摆脱了它一切正常！

Answer 22

I had a similar issue for uploading a certificate using the cli. I needed to use a programmatic access from a newly created iam user (with its own keys). The MFA that I used to authenticate myself to the AWS console (web) in my AWS account was interfering when using the aws configure command with the new iam user credentials for programmatic access. In the new credentials file (created from the aws configure command) the session token from the MFA log was somehow persisted. Deleting manually from the credentials file the session token helped in my case.

Answer 23

thank you DuckMaestro , I solved my problems with your suggestion.

I configured like this.

# aws configure

but, I met error this.

# aws iam list-users


An error occurred (InvalidClientTokenId) when calling the ListUsers operation: The security token included in the request is invalid.

# aws sts get-caller-identity

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

and I did like this with your suggestion.

# aws configure set aws_session_token "<<your session token>>"

I solved it !! thanks.

Answer 24

After so much research I found out that my AWS account was suspended due to payment.

So, kindly confirm your account is not suspended.

Answer 25

In my case we use both AWS CN and COM, even though I have valid keys and config/credential files and even specify the exports and --profile in the command I get this error.

To fix: ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid. ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.

I add --region to the command as well.

Answer 26

For anyone who is getting this error when using AWS SDK on the Cloud9 editor, the problem could be due to the AWS-managed temporary credentials which might restrict what the identity (the AWS-managed temporary credentials which AWS sets for you) can do.

If you run cat ~/.aws/credentials you will see a profile already created for you, and this also lists the session token. Note: this is managed by AWS and cannot be modified/deleted.

A get-around is turning off the AWS-managed temporary credentials. Here is some info on how these temporary credentials are managed and how you can turn them off: https://docs.aws.amazon.com/cloud9/latest/user-guide/security-iam.html#auth-and-access-control-temporary-managed-credentials . Once you discontinue using the AWS-managed credentials, and re-run the above command ( cat ~/.aws/credentials ), you will notice that the file is empty. Now, you must set a profile manually and use this profile for AWS SDK/CLI.

To configure a profile, you'll need to run: aws configure <name-of-the-profile> . If you do not pass a name for the profile, it will default to default (and subsequently override this default profile). With the profile set, use this profile with AWS SDK/CLI/API.

Answer 27

If that can help anyone, I had the same problem and eventually I found that it's because my AWS profile region was eu-south-1 . By setting it to us-west-2 it worked.

Doesn't make any sense to me, but it seems it's something to check if you're having this problem.

Answer 28

Had similar issue where i had to re-configure my aws

what fixed this for me was resetting environment variables

export AWS_ACCESS_KEY=<key>
export AWS_SECRET_ACCESS_KEY=<key>

Answer 29

In my case I automatically created Api keys, then used them directly using Assume role. They didn't work when using sts assume-role.

I did a sleep for around 10 seconds after the api keys was created. That solved the problem for me.

Answer 30

In my situation, this error occurs due to wrong AWS credentials. Try to verify before retrying.

Answer 31

opened my ~/.aws/credentials file and saw that the secret key was interchanged with my Access ID strangely, switching it solved the problem

Answer 32

In my case, I was getting this error trying to send emails with AWS SES using the SDK. I had to restart the application (.NET 6 in Docker with docker-compose) for the credentials to be reloaded by the application, so they must be cached once loaded.

Answer 33

In my case I had triple checked the.aws/credentials file, environment variables, command line arguments, project config etc. but some old credentials were still being found somewhere.

In the end it was an old auth token header configured in Postman which I was using to call the API.