aws-vault: Key rotation: documentation and/or bug

I’m attempting to aws-vault rotate <profile> where profile is an IAM user with AdministratorAccess policy attached, and I’m seeing something like https://github.com/99designs/aws-vault/issues/15:

$ aws-vault rotate pda
Enter passphrase to unlock /home/pda/.awsvault/keys:
Using old credentials to create a new access key
aws-vault: error: InvalidClientTokenId: The security token included in the request is invalid
        status code: 403, request id: ...

Using a v3.7.1-23-g8c008d3 build of aws-vault.

Same error for any aws iam ... operation, but all other AWS services are working:

$ aws-vault exec pda -- aws iam list-access-keys
Enter passphrase to unlock /home/pda/.awsvault/keys:
An error occurred (InvalidClientTokenId) when calling the ListAccessKeys operation: The security token included in the request is invalid

Is this expected? Is there an IAM setting/policy somewhere that needs to be changed? Or does rotation only work for non-IAM root account credentials? Should we be using the stored access key rather than a session token for the rotate command?

I’ve used aws-vault rotate before on work AWS accounts, but never with this personal AWS account.

As https://github.com/99designs/aws-vault/issues/129 pointed out, there’s no mention of aws-vault rotate in the README etc; I’m happy to add that if I can figure out how to use it 😃

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 2
  • Comments: 36 (2 by maintainers)

Most upvoted comments

For me this worked: aws-vault rotate --no-session PROFILE. Hope this helps someone. I still have the issue with 5.3.2.

A follow up to this. Initially I still could not get the key rotation to work after upgrading to 4.1.0. I tried all the usual tricks from above but no luck.

These kinds of errors:

aws-vault: error: Can't delete old access key AKIAIVVMLTZWMPGV6BHQ
aws-vault: error: InvalidClientTokenId: The security token included in the request is invalid.

aws-vault: error: Failed to get credentials for ******: InvalidClientTokenId: The security token included in the request is invalid.

In the end I had to remove and re-add the key and now rotation works fine.

And then another member of my team, even after removing and re-adding, installing and reinstalling, still was getting InvalidClientTokenId. The only way he got around it was to delete the entire keychain and re-add new keys.

Manually upgraded; $ aws-vault --version now reports v4.1.0.

$ aws-vault rotate jenkins
Rotating credentials for profile "jenkins"
Done!

And it worked (after I removed the extra key left from the previous run).
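The question in the issue body (should rotate use the stored access key rather than a session token?) and the two comments above (--no-session fixing it, and a leftover key from an earlier run blocking rotation) both come down to the same rotation flow. The following is an added example, not aws-vault's own code: a create-verify-delete rotation routine written against an injectable IAM client, plus a constructed in-memory stand-in (FakeIam, with made-up AKIAFAKE... key ids) that reproduces the two failure modes the thread describes: IAM calls made with session-token credentials are rejected, and a user who already holds the IAM maximum of two access keys cannot get a new one until the stale key is removed.

```python
"""Access-key rotation flow with an injectable IAM client (added example).

Not aws-vault's implementation. FakeIam is a constructed stand-in for the IAM
API so the flow runs offline; the key ids it hands out are made up.
"""
import itertools
from dataclasses import dataclass, field
from typing import List, Optional

MAX_KEYS_PER_USER = 2  # IAM quota: at most two access keys per user


class IamError(Exception):
    """Mimics an AWS API error: carries the error code the service returned."""

    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.code = code


@dataclass
class Credentials:
    access_key_id: str
    secret: str
    # Set when these are temporary STS session credentials rather than the
    # long-lived key stored in the vault.
    session_token: Optional[str] = None


@dataclass
class FakeIam:
    """Constructed IAM stand-in: one user, its access keys in a list."""

    keys: List[str] = field(default_factory=list)
    _seq: "itertools.count" = field(default_factory=lambda: itertools.count(1))

    def _check(self, creds: Credentials) -> None:
        # Models the behaviour seen in the thread: IAM calls made with
        # session-token credentials fail, and so do unknown key ids.
        if creds.session_token is not None or creds.access_key_id not in self.keys:
            raise IamError("InvalidClientTokenId",
                           "The security token included in the request is invalid")

    def list_access_keys(self, creds: Credentials) -> List[str]:
        self._check(creds)
        return list(self.keys)

    def create_access_key(self, creds: Credentials) -> Credentials:
        self._check(creds)
        if len(self.keys) >= MAX_KEYS_PER_USER:
            raise IamError("LimitExceeded",
                           "Cannot exceed quota for AccessKeysPerUser: 2")
        new_id = f"AKIAFAKE{next(self._seq):012d}"  # constructed key id
        self.keys.append(new_id)
        return Credentials(new_id, "secret-for-" + new_id)

    def delete_access_key(self, creds: Credentials, key_id: str) -> None:
        self._check(creds)
        self.keys.remove(key_id)


def rotate(iam, creds: Credentials, delete_stale: bool = False) -> Credentials:
    """Create a new key, confirm it works, then delete the old one.

    Must be called with the stored long-lived key (the --no-session case);
    session credentials raise IamError before anything is changed. A stale
    key left by an earlier half-finished run is refused unless delete_stale
    is set, since deleting a key we do not recognise is a decision for the
    operator, not the tool.
    """
    existing = iam.list_access_keys(creds)
    stale = [k for k in existing if k != creds.access_key_id]
    if stale:
        if not delete_stale:
            raise RuntimeError(f"user already has extra key(s) {stale}; remove them first")
        for key_id in stale:
            iam.delete_access_key(creds, key_id)

    new = iam.create_access_key(creds)
    # Verify with the new key before discarding the old one, so a failure
    # here leaves the old key usable. Against real IAM a fresh key can take
    # a few seconds to propagate, so this call would be retried in a loop.
    iam.list_access_keys(new)
    iam.delete_access_key(creds, creds.access_key_id)
    return new


if __name__ == "__main__":
    user = FakeIam(keys=["AKIAFAKEOLD000000001"])
    rotated = rotate(user, Credentials("AKIAFAKEOLD000000001", "old-secret"))
    print("rotated to", rotated.access_key_id, "remaining keys:", user.keys)
```

The order of operations is the part worth keeping: create, verify, then delete, so the vault never ends up holding a key that no longer exists. The delete_stale switch corresponds to the manual clean-up the comment above describes.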

Can a sort of counter or dotted line show up while the task is in a sleep/poll cycle?

Some users might think it has hung.