aws-vault: "The security token included in the request is invalid"

I couldn’t find a related issue on this. I am getting this error:

The error

An error occurred: IamRoleLambdaExecution - The security token included in the request is invalid (Service: AmazonIdentityManagement; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: a42d8546-3142-11e9-8b89-ef3966ba0855).

My use case

I am running aws-vault exec myprofile -- longrunningscript.sh. It could take longrunningscript.sh about 3-5 minutes before it gets to the point where it hits the AWS API.

My workaround

I have been doing AWS_PROFILE=myprofile longrunningscript.sh just to get by, but this isn’t going to work all the time.

Additionally: A README question

According to the README.md it says:

These expire in a short period of time, so the risk of leaking credentials is reduced.

What exactly is a short period of time? Is this my issue? Is there any way to extend it?

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 17 (3 by maintainers)

Most upvoted comments

@plektra if you need access to IAM operations with a session token, it should be MFA authenticated. It’s a requirement from AWS. Please add the mfa_serial property in the aws config file, then aws-vault will prompt for the MFA token.

I’m using aws-vault version 5.3.2 and having similar issues with Serverless Framework. When executing “sls deploy”, the corresponding CloudFormation update operation fails when it tries to update an IAM role, due to the following error:

The security token included in the request is invalid (Service: AmazonIdentityManagement; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: asdfafsddfasdasfasfdafsd)

To work around this issue I’m using --no-session for now.

prompt$ aws-vault exec eks-pilot -- aws configure
AWS Access Key ID [****************]: xxxxxxxxx
AWS Secret Access Key [****************]:xxxxxxxxxxx
Default region name [ap-northeast-1]: eu-west-1
Default output format [json]: 

When my colleague/customer sets the AWS API credentials directly in the environment, it does work.

$ export AWS_ACCESS_KEY_ID="anaccesskey"
$ export AWS_SECRET_ACCESS_KEY="asecretkey"
$ export AWS_DEFAULT_REGION="eu-west-1"

Thanks @frezbo @plektra, if you can update USAGE.md to make this common gotcha easier to find that would be excellent.

Argh, apologies, I meant aws configure list

You’ll now want to check you don’t have anything in your ~/.aws/credentials file as that will trump anything that aws-vault puts out.
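A pre-flight check for the two gotchas raised in this thread (a profile without mfa_serial making IAM calls under a session token, and a static key for the same profile left in ~/.aws/credentials), as an added example that is not part of aws-vault or of any comment above; the config and credentials paths are parameters, and the profile names and ARN used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of aws-vault: pre-flight check for the two gotchas in
# this thread. File paths are parameters so it can run against constructed files.
#   1. IAM calls made with a session token must be MFA-authenticated, so the
#      profile needs an mfa_serial (or aws-vault must be run with --no-session).
#   2. A static key for the same profile in ~/.aws/credentials is reported in
#      the thread to trump whatever aws-vault puts out.

# Print the value of key $3 from section $2 of INI file $1 (empty if absent).
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); print; exit
    }' "$1" 2>/dev/null
}

# check_profile NAME CONFIG_FILE CREDENTIALS_FILE
# Returns 0 when neither gotcha applies, 1 when at least one was found.
# Assumes a named (non-default) profile, i.e. a "[profile NAME]" section.
check_profile() {
  profile=$1; config=$2; creds=$3; status=0
  if [ -z "$(ini_get "$config" "profile $profile" mfa_serial)" ]; then
    echo "WARN: [profile $profile] has no mfa_serial; IAM operations under a" \
         "session token fail with InvalidClientTokenId (add MFA or use --no-session)"
    status=1
  fi
  if [ -n "$(ini_get "$creds" "$profile" aws_access_key_id)" ]; then
    echo "WARN: $creds holds a static key for [$profile], which overrides" \
         "the credentials that aws-vault exec injects"
    status=1
  fi
  return "$status"
}

# Usage: check_profile myprofile "$HOME/.aws/config" "$HOME/.aws/credentials"
```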