How can I resolve the error "The security token included in the request is invalid" when running aws iam upload-server-certificate?


Solution 1

If you're using the CLI with MFA, you have to set the session token in addition to setting the access and secret keys. Please refer to this article: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Solution 2

Try to go to the security credentials on your account page: Click on your name in the top right corner -> My security credentials

Then generate access keys over there and use those access keys in your credentials file (aws configure).

Solution 3

I had the same error, even after re-running aws configure and inputting a new AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

What fixed it for me was to delete my ~/.aws/credentials file and re-run aws configure.

It seems that my ~/.aws/credentials file had an additional value, aws_session_token, which was causing the error. After deleting and re-creating the ~/.aws/configure using the command aws configure, there are now only values for aws_access_key_id and aws_secret_access_key.

Solution 4

In my case, there were two different 'AWS_SECRET_ACCESS_KEY' and 'AWS_ACCESS_KEY_ID' values set: one through the Windows environment variables and one through the command line.

So, update these two and the default region using the command line:

> aws configure

Press enter and follow the steps to fill in the correct AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION.

> aws sts get-caller-identity

should return the newly set credentials.

Solution 5

If you have been given a Session Token also, then you need to manually set it after configure:

aws configure set aws_session_token "<<your session token>>"
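A diagnostic script covering Solutions 3, 4 and 5 above (an added example, not code from any of the answers): it parses an AWS credentials file and reports a leftover aws_session_token, environment variables that would override the file, or a missing key, so the stale-token case can be confirmed before re-running aws configure. The file path, profile name and the finding labels are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the original answers). Assumes the standard
# ~/.aws/credentials INI layout; pass the file path and profile explicitly.

# Print the value of KEY in section [PROFILE] of FILE (empty if absent).
aws_cred_value() {
    local file="$1" profile="$2" key="$3"
    awk -v p="[$profile]" -v k="$key" '
        $1 == p { in_section = 1; next }
        /^\[/   { in_section = 0 }
        in_section {
            n = index($0, "=")
            if (n > 0) {
                key = substr($0, 1, n - 1); gsub(/[ \t]/, "", key)
                if (key == k) {
                    val = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                    print val; exit
                }
            }
        }' "$file"
}

# Report credential-source problems for PROFILE in FILE, one finding per
# line (labels are this example's own); prints nothing when all looks fine.
aws_cred_check() {
    local file="$1" profile="${2:-default}"
    local file_key file_token
    file_key=$(aws_cred_value "$file" "$profile" aws_access_key_id)
    file_token=$(aws_cred_value "$file" "$profile" aws_session_token)

    # Environment variables take precedence over the credentials file, so a
    # stale token left in the shell breaks even freshly configured keys.
    if [ -n "${AWS_SESSION_TOKEN:-}" ] || [ -n "${AWS_SECURITY_TOKEN:-}" ]; then
        echo "ENV_SESSION_TOKEN: session token set in environment; unset it unless it is current"
    fi
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "$file_key" ] \
       && [ "$AWS_ACCESS_KEY_ID" != "$file_key" ]; then
        echo "ENV_KEY_MISMATCH: AWS_ACCESS_KEY_ID in environment differs from [$profile] in $file"
    fi
    # Long-term keys plus a leftover aws_session_token is the Solution 3 case:
    # STS rejects the request as InvalidClientTokenId once the token expires.
    if [ -n "$file_token" ]; then
        echo "FILE_SESSION_TOKEN: [$profile] in $file carries aws_session_token; remove it if the keys are long-term"
    fi
    if [ -z "$file_key" ]; then
        echo "NO_FILE_KEY: no aws_access_key_id for [$profile] in $file"
    fi
}
```

Run it as `aws_cred_check ~/.aws/credentials default` in the same shell you use for the CLI, since the environment checks only see that shell's variables.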
Author: Killesk

Updated on February 01, 2022

Comments

  • Killesk
    Killesk over 2 years

    I cd into the directory where all the pem/key files are and run the following:

    aws iam upload-server-certificate \
        --server-certificate-name certificate_name \
        --certificate-body file://webservercertificate.pem \
        --private-key file://server.key \
        --certificate-chain file://certificate_chain_file.pem

    I get the following error:

    A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.

    I have 1 'user' in 'users'. That user has been assigned the following permissions:

    IAMFullAccess IAMReadOnlyAccess IAMUserSSHKeys

    I've downloaded the credentials for this user and put them into my user variables:

    AWS_ACCESS_KEY ****
    AWS_SECRET_KEY ****

    I have 1 role on my Elastic Beanstalk: aws-elasticbeanstalk-ec2-role

  • Purefan
    Purefan almost 6 years
    That folder does not exist for me, running Ubuntu 18.04 and aws-cli/1.15.11 Python/3.5.2 Linux/4.15.0-20-generic botocore/1.10.11
  • havoc1
    havoc1 over 5 years
    Adding the --no-sign-request option just returned a "missing Authentication Token" message. So it appears, at least in my case, that the token is needed and just turning it off won't do.
  • aitchkhan
    aitchkhan over 4 years
    If you are using MFA, this is the answer. Worked for me.
  • png
    png over 4 years
    What would you recommend if running get-session-token results in the same error (InvalidClientTokenId)?
  • Naveen Reddy Marthala
    Naveen Reddy Marthala over 3 years
    I am using CircleCI to run tasks in AWS ECS. I got this error and this seems to work. But why aren't the access key ID and secret access key of a user with programmatic access and just enough permissions enough to deploy to AWS ECS?
  • Wild Teddy
    Wild Teddy over 3 years
    I have multiple profiles in my ~/.aws/config file. The error goes away when I run aws iam list-server-certificates --profile another-profile
  • burglarhobbit
    burglarhobbit over 3 years
    This answer was a godsend!
  • schmijos
    schmijos over 3 years
    On Mac OSX using awscli from Homebrew it doesn't exist either.
  • mpiliszcz
    mpiliszcz about 3 years
    After enabling MFA, creating a new access key and using it with aws configure was the solution. Then I could get "aws sts get-caller-identity" containing the MFA ARN, and "aws sts get-session-token --serial-number XXX --token-code YYY" was successful.
  • R13mus
    R13mus about 3 years
    Thanks! You are the only one mentioning this --endpoint flag, which helped a lot with my local configuration with a docker container :P Cheers!!
  • harshainfo
    harshainfo almost 3 years
    I was using expired credentials. When I looked in the credentials of the IAM console, I could not find any active Access Key ID and Secret Access Key, as they had expired. So I generated new credentials and saved them in my .aws/credentials file and the error is gone.
  • Cloud Cho
    Cloud Cho almost 3 years
    @PrasanthLouis and @png, Do I have to update my \.aws\credential with the generated keys? According to the web link, it looks like updating by command line input...
  • Thiago Prochnow
    Thiago Prochnow almost 3 years
    That did it for me. But I also had to manually update my ~/.aws/credentials file. For some reason it wasn't updating with the new credential values.
  • devklick
    devklick over 2 years
    To return only environment variables that start with "AWS", you can use the caret symbol, e.g. env | grep ^AWS. Most (if not all) "AWS" environment variables start with AWS, so this can help filter out other rubbish that clutters your console.
  • larrydalmeida
    larrydalmeida over 2 years
    This worked for me. Thank you!
  • theberzi
    theberzi over 2 years
    get-session-token was failing for me because I still had the environment variables AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN set. These should be unset first or AWS will try to use them implicitly and fail because they're invalid.
  • insideClaw
    insideClaw over 2 years
    That line of thinking did it for me too: the token that had somehow snuck into ~/.aws/credentials wasn't needed. Only after removing the file did logging in again work. Presumably just clearing the token from the file would've done it too.
  • bvmcode
    bvmcode over 2 years
    Worked for me as well, thanks.
  • Nachokhan
    Nachokhan about 2 years
    How do I get that token?
  • GKP
    GKP about 2 years
    @DuckMaestro just mentioning "<<your session token>>" does not make any sense; you have to explain the process to get the session token, as asked by Nachokhan.
  • GKP
    GKP about 2 years
    @Nachokhan you can go to your .aws directory (on Mac it's ~/.aws) and do an ls -ltrh; you can see a file called "credentials", and in that file you will get the aws_session_token. Example:

        aws_access_key_id = XXXXXXXXXXXXX
        aws_secret_access_key = XXXXXXXXXXXXX
        aws_session_token = XXXXXXXXXXXXX
        aws_security_token = XXXXXXXXXXXXX
        x_principal_arn = arn:aws:sts::XXXXXXXXXXXXX:assumed-role/XXXXXXXXXXXXX/gourabp@XXXXXXXXXXXXX
  • pacoverflow
    pacoverflow about 2 years
    I do not see My security credentials when clicking on my username on the top right corner. All I see are Account, Organization, Service Quotas, Billing Dashboard, Switch Role, Signout.
  • Neethu Lalitha
    Neethu Lalitha almost 2 years
    Thanks, it helped. I had to manually specify the session token.
  • Bruno Rodrigues
    Bruno Rodrigues almost 2 years
    To add to the above, the token expires. That's why re-creating it worked :)