How can I resolve the error "The security token included in the request is invalid" when running aws iam upload-server-certificate?
Solution 1
If you're using the CLI with MFA, you have to set the session token in addition to setting the access and secret keys. Please refer to this article: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
Solution 2
Try to go to the security credentials on your account page: Click on your name in the top right corner -> My security credentials
Then generate access keys over there and use those access keys in your credentials file (aws configure)
Solution 3
I had the same error, even after re-running aws configure, and inputting a new AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
What fixed it for me was to delete my ~/.aws/credentials file and re-run aws configure.
It seems that my ~/.aws/credentials file had an additional value: aws_session_token which was causing the error. After deleting and re-creating the ~/.aws/configure using the command aws configure, there are now only values for aws_access_key_id and aws_secret_access_key.
Solution 4
In my case, there were two different 'AWS_SECRET_ACCESS_KEY' and 'AWS_ACCESS_KEY_ID' values set, one through the Windows environment variable and one through the command line.
So, update these two and the default_region using a command line
> aws configure
Press enter and follow the steps to fill the correct AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION
> aws sts get-caller-identity
should return the new set credentials
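A diagnostic sketch for the situations in Solutions 3 and 4 (added here; not code from any of the answers): it reports whether an aws call without --profile would take its keys from environment variables or from the credentials file, and flags a long-term key paired with a leftover session token. The function names and sample values are constructed for illustration, and the AKIA/ASIA key ID prefixes come from AWS's IAM identifier documentation, not from this page.

```bash
#!/usr/bin/env bash
# Added example: report which credentials an `aws` call without --profile would
# pick up, and flag key/token mismatches. Prints findings only, never secrets.

# Print KEY's value from section [PROFILE] of an INI-style credentials file.
ini_get() {  # usage: ini_get FILE PROFILE KEY
  [ -r "$1" ] || return 0
  awk -v want="[$2]" -v key="$3" '
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == want); next }
    in_sec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

aws_cred_findings() {  # usage: aws_cred_findings CREDENTIALS_FILE [PROFILE]
  local file="$1" profile="${2:-default}" src key_id token
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    # Environment variables are consulted before the shared credentials file.
    src="env"; key_id="$AWS_ACCESS_KEY_ID"
    token="${AWS_SESSION_TOKEN:-${AWS_SECURITY_TOKEN:-}}"
  else
    src="file[$profile]"
    key_id="$(ini_get "$file" "$profile" aws_access_key_id)"
    token="$(ini_get "$file" "$profile" aws_session_token)"
  fi
  echo "source=$src"
  # Key ID prefixes (AWS IAM identifier docs): AKIA = long-term, ASIA = temporary.
  case "$key_id" in
    "")    echo "no-access-key" ;;
    AKIA*) [ -z "$token" ] || echo "stale-token: long-term key paired with a session token" ;;
    ASIA*) [ -n "$token" ] || echo "missing-token: temporary key without a session token" ;;
  esac
  if [ "$src" = env ] && [ -n "$(ini_get "$file" "$profile" aws_access_key_id)" ]; then
    echo "shadowed: [$profile] in $file is not used while AWS_ACCESS_KEY_ID is set"
  fi
  return 0
}

# Constructed sample: a new long-term key saved beside a leftover session token.
demo_findings() {
  local tmp; tmp="$(mktemp)"
  printf '%s\n' '[default]' 'aws_access_key_id = AKIACONSTRUCTED00001' \
    'aws_secret_access_key = constructed-secret' 'aws_session_token = constructed-old-token' > "$tmp"
  ( unset AWS_ACCESS_KEY_ID AWS_SESSION_TOKEN AWS_SECURITY_TOKEN; aws_cred_findings "$tmp" )
  rm -f "$tmp"
}

demo_findings
```

To check a real setup, call aws_cred_findings with the path to your own credentials file and, optionally, a profile name.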
Solution 5
If you have been given a Session Token also, then you need to manually set it after configure:
aws configure set aws_session_token "<<your session token>>"
Killesk
Updated on February 01, 2022
Comments
-
Killesk over 2 years
I cd into the directory where all the pem/key files are and run the following:
aws iam upload-server-certificate --server-certificate-name certificate_name --certificate-body file://webservercertificate.pem --private-key file://server.key --certificate-chain file://certificate_chain_file.pem
I get the following error:
A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.
I have 1 'user' in 'users'. That user has been assigned the following permissions:
IAMFullAccess IAMReadOnlyAccess IAMUserSSHKeys
I've downloaded the credentials for this user and put them into my user variables
AWS_ACCESS_KEY **** AWS_SECRET_KEY ****
I have 1 role on my elastic beanstalk
aws-elasticbeanstalk-ec2-role
-
Purefan almost 6 years
That folder does not exist for me, running Ubuntu 18.04 and aws-cli/1.15.11 Python/3.5.2 Linux/4.15.0-20-generic botocore/1.10.11
-
havoc1 over 5 years
Adding the --no-sign-request option just returned a "missing Authentication Token" message. So it appears, at least in my case, that the token is needed and just turning it off won't do.
-
aitchkhan over 4 years
If you are using MFA, this is the answer. Worked for me.
-
png over 4 years
What would you recommend if running get-session-token results in the same error (InvalidClientTokenId)?
-
Naveen Reddy Marthala over 3 years
I am using CircleCI to run a task in AWS ECS. I got this error and this seems to work. But why aren't the access key ID and secret access key of a user with programmatic access and just enough permissions enough to deploy to AWS ECS?
-
Wild Teddy over 3 years
I have multiple profiles in my ~/.aws/config file. The error goes away when I run aws iam list-server-certificates --profile another-profile
-
burglarhobbit over 3 years
This answer was a godsend!
-
schmijos over 3 years
On Mac OSX using awscli from Homebrew it doesn't exist either.
-
mpiliszcz about 3 years
After enabling MFA, creating new access key and using it with aws configure was the solution. Then I could get "aws sts get-caller-identity" containing MFA arn and "aws sts get-session-token --serial-number XXX --token-code YYY" was successful
-
R13mus about 3 years
thanks ! you are the only one mentioning this --endpoint flag, which helped a lot with my local configuration with a docker container :P cheers !!
-
harshainfo almost 3 years
I was using expired credentials. When I looked in the credentials of the IAM console, I could not find any active Access Key ID and Secret Access Key, as they had expired. So I generated new credentials and saved them in my .aws/credentials file and the error is gone.
-
Cloud Cho almost 3 years
@PrasanthLouis and @png, Do I have to update my \.aws\credential with the generated keys? According to the web link, it looks like updating by command line input...
-
Thiago Prochnow almost 3 years
That did it for me. But also I had to manually update my ~/.aws/credentials file. For some reason it wasn't updating with new credentials values.
-
devklick over 2 years
To return only environment variables that start with "AWS", you can use the caret symbol, e.g. env | grep ^AWS. Most (if not all) "AWS" environment variables start with AWS, so this can help filter out other rubbish that clutters your console.
-
larrydalmeida over 2 years
This worked for me. Thank you!
-
theberzi over 2 years
get-session-token was failing for me because I still had the environment variables AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN set. These should be unset first or AWS will try to use them implicitly and fail because they're invalid.
-
insideClaw over 2 years
That line of thinking did it for me too - the token that had somehow snuck into ~/.aws/credentials wasn't needed. Only after removing the file, logging in again worked. Presumably just clearing the token from the file would've done it too.
-
bvmcode over 2 years
worked for me as well, thanks
-
Nachokhan about 2 years
how do i get that token?
-
GKP about 2 years
@DuckMaestro just mentioning "<<your session token>>" does not make any sense, you have to explain the process to get the session token as asked by Nachokhan
-
GKP about 2 years
@Nachokhan you can go to your .aws directory (in mac it's ~/.aws) and do a ls -ltrh , you can see a file called "credentials" in that file you will get the aws_session_token. Example:
aws_access_key_id = XXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXX
aws_session_token = XXXXXXXXXXXXX
aws_security_token = XXXXXXXXXXXXX
x_principal_arn = arn:aws:sts::XXXXXXXXXXXXX:assumed-role/XXXXXXXXXXXXX/gourabp@XXXXXXXXXXXXX
-
GKP about 2 years
more documentation here : docs.aws.amazon.com/sdkref/latest/guide/file-location.html
-
pacoverflow about 2 years
I do not see My security credentials when clicking on my username on the top right corner. All I see are Account, Organization, Service Quotas, Billing Dashboard, Switch Role, Signout.
-
Neethu Lalitha almost 2 years
Thanks, it helped. I had to manually specify the session token
-
Bruno Rodrigues almost 2 years
To add to the above, the token expires. That's why re-creating it worked :)