InvalidClientTokenID error when running Terraform Plan/Apply
Solution 1
This is usually caused by certain characters (\, @, !, etc.) in the credentials. It can be fixed by regenerating your AWS access key and secret key.
Solution 2
This is a general error that can be caused by a few reasons.
Some examples:
1) Invalid credentials passed as environment variables or in ~/.aws/credentials.
Solution: Remove old profiles / credentials and clean all your environment vars:
for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ; do eval unset $var ; done
2) When your aws_secret_access_key contains characters like the plus sign + or multiple forward slashes /. See more here.
Solution: Delete credentials and generate new ones.
3) When you try to execute Terraform inside a region which must be explicitly enabled (and wasn't). (In my case it was me-south-1 (Bahrain) - see more here.)
Solution: Enable region or move to an enabled one.
4) In cases where you work with 3rd-party tools like Vault and don't supply valid AWS credentials for them to communicate with AWS - see more here.
All of these will lead to a failure of the aws sts:GetCallerIdentity API call.
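The causes in Solution 2 (and the special-character point in Solution 1) all surface the same way, so it helps to check them before running terraform plan. The POSIX shell script below is an added example, not code from either answer: it lists which AWS credential variables are set in the environment, clears them, scans a credentials file for secret keys containing + or /, and, only if the AWS CLI is installed, calls sts get-caller-identity directly so the 403 shows up outside Terraform. The credentials file and the key values in it are constructed for the demo; the function names are the example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the InvalidClientTokenId causes listed
# in the answers above. Nothing here is from the original page.

# Cause 1: stale credentials left in the environment.
# Prints the name of every AWS credential variable that is currently set.
aws_env_vars_set() {
  for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN; do
    eval "val=\${$var:-}"
    [ -n "$val" ] && echo "$var"
  done
  return 0
}

# Clears the same set of variables so a later run cannot pick them up.
aws_env_clear() {
  for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN; do
    unset "$var"
  done
}

# Cause 2: secret keys containing '+' or '/' that some tools mangle.
# Prints the profile names (from a ~/.aws/credentials-style INI file) whose
# aws_secret_access_key contains either character. Usage: flag_risky_secrets FILE
flag_risky_secrets() {
  awk '
    /^\[.*\]$/ { profile = substr($0, 2, length($0) - 2); next }
    /^[[:space:]]*aws_secret_access_key[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, "")
      if (index($0, "+") || index($0, "/")) print profile
    }
  ' "$1"
}

# Causes 1-4 all fail the same API call, so call it outside Terraform.
# Skipped when the AWS CLI is not installed; otherwise exits non-zero on a 403.
check_identity() {
  command -v aws >/dev/null 2>&1 || { echo "aws CLI not installed; skipping" >&2; return 0; }
  aws sts get-caller-identity --region "${AWS_REGION:-us-east-1}"
}

# Offline demo on a constructed credentials file (placeholder key values).
demo_creds=$(mktemp)
cat > "$demo_creds" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = abcdefgh/IJKLMNOP+qrstuvwxyzPLACEHOLDER
[clean]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = abcdefghIJKLMNOPqrstuvwxyzPLACEHOLDER
EOF
echo "profiles with + or / in the secret key:"
flag_risky_secrets "$demo_creds"   # prints: default
rm -f "$demo_creds"
echo "credential variables currently set:"
aws_env_vars_set
```

A profile flagged by flag_risky_secrets is not broken by itself; the answers above say it only matters when a tool in the chain mishandles those characters, and the fix they give is to regenerate the key pair. Run check_identity after clearing the environment and fixing the profile: if it still returns 403, the remaining candidates are an unenabled region or a third-party tool such as Vault calling AWS with credentials of its own.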
Lastweek
Updated on June 16, 2022

Comments

- Lastweek (almost 2 years ago):
I'm setting up a HA cluster in AWS using Terraform and user data. My main.tf looks like this:
provider "aws" {
  access_key = "access_key"
  secret_key = "secret_key"
}

resource "aws_instance" "etcd" {
  ami                         = "${var.ami}" // coreOS 17508
  instance_type               = "${var.instance_type}"
  key_name                    = "${var.key_name}"
  key_path                    = "${var.key_path}"
  count                       = "${var.count}"
  region                      = "${var.aws_region}"
  user_data                   = "${file("cloud-config.yml")}"
  subnet_id                   = "${aws_subnet.k8s.id}"
  private_ip                  = "${cidrhost("10.43.0.0/16", 10 + count.index)}"
  associate_public_ip_address = true
  vpc_security_group_ids      = ["${aws_security_group.terraform_swarm.id}"]

  tags {
    name = "coreOS-master"
  }
}
However, when I run terraform plan I get the following error:

provider.aws: InvalidClientTokenId: The security token included in the request is invalid. status code: 403, request id: 45099d1a-4d6a-11e8-891c-df22e6789996
I've looked around; some suggestions were to clear out my ~/.aws/credentials file or update it with the new AWS IAM credentials. I'm pretty lost on how to fix this error.
- Gi1ber7 (over 3 years ago): Please try to be precise in your replies. Your response looks more like a guess than a solution to the problem. If you can't identify what really solves the issue, you're wild-guessing, and that's an absolute no-no in programming and development.
- Matthew Pigram (over 3 years ago): Thanks for the advice! I narrowed it down to the shared credentials file - even if there were special characters in my password, it still completed afterwards.