InvalidClientTokenId error aws when trying to get caller identity

2
votes

hi I am unable to run this command aws sts get-caller-identity.

when I do sudo nano ~/.aws/credentials I can only locate this

[default]
aws_access_key_id = my_id
aws_secret_access_key = my_secret_id

and after doing successful steps of command aws configure when I am doing aws sts get-caller-identity I am getting this error

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

any reason which could cause this ?

1
amazon-web-servicesaws-cliaws-sts
Looks like you are missing aws_session_token ? - Paolo
@Paolo can't I do without session token ? as my teammates are doing without token and that's working fine but issue on my side - pie
@pie are you using credentials of an IAM user? Otherwise if those credentials are from an SSO user or generated when using sts assume-role then the aws_session_token is required - Omar Rosadio
@OmarRosadio yes using credentials of an IAM user. - pie
Ok, and you only have configured credentials in /.aws/credentials? Can you check env vars? Because env vars take priority over credentialas config file. So if a previous configuration in env vars was incorrect, it stills cause conflict - Omar Rosadio

1 Answers

1
votes

Sometimes this kind of issues are caused by another credential configuration.

Environment variables credential configuration takes prority over credentials config file. So in case there are present the environment variables "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY" or "AWS_SESSION_TOKEN" these could generate issues if it were missconfigured or have been expired.

Try checking the env vars associated to AWS Credentials and removing them using the 'unset' command in linux.

Additionally, to remove env vars permanently you need to remove the lines related on configuration files like:

  • /etc/environment
  • /etc/profile
  • ~/.profile
  • ~/.bashrc

Reference:

Configuration settings and precedence