amazon-kinesis-scaling-utils: The security token included in the request is invalid.

How are security tokens configured when using the CLI? I have tokens for profiles configured in my ~/.aws/config file, but I don’t see how I supply to the CLI which token it should be using.

$ java -cp KinesisScalingUtils.jar-complete.jar -Dstream-name=mytest -Dscaling-action=scaleUp -Dcount=5 -Dregion=us-east-1 ScalingClient
Exception in thread "main" com.amazonaws.AmazonServiceException: The security token included in the request is invalid. (Service: AmazonKinesis; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: UUID-OMIT)
    at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1078)
    at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:726)
    at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:461)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:296)
    at com.amazonaws.services.kinesis.AmazonKinesisClient.invoke(AmazonKinesisClient.java:2498)
    at com.amazonaws.services.kinesis.AmazonKinesisClient.describeStream(AmazonKinesisClient.java:861)
    at com.amazonaws.services.kinesis.scaling.StreamScalingUtils.safeDescribeStream(StreamScalingUtils.java:122)
    at com.amazonaws.services.kinesis.scaling.StreamScalingUtils.getOpenShards(StreamScalingUtils.java:202)
    at com.amazonaws.services.kinesis.scaling.StreamScalingUtils.getOpenShardCount(StreamScalingUtils.java:145)
    at com.amazonaws.services.kinesis.scaling.StreamScaler.scaleUp(StreamScaler.java:127)
    at ScalingClient.run(ScalingClient.java:148)
    at ScalingClient.main(ScalingClient.java:196)

About this issue

Original URL
State: closed
Created 9 years ago
Comments: 25 (4 by maintainers)

Links to this issue

using githubaction with codebuild

Most upvoted comments

Hello,

The utility uses the DefaultAWSCredentialsProviderChain (http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.html), which uses the following order of precedence:

Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
Java System Properties - aws.accessKeyId and aws.secretKey
Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI
Instance profile credentials delivered through the Amazon EC2 metadata service

If you specify multiple profiles in the credentials file, then it appears that the ProfileCredentialsProvider (part of the default provider chain) will try each one (http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/profile/ProfileCredentialsProvider.html).

So it sounds like rather than ~/.aws/config you need to create a ‘credentials’ file in the same directory in format as outlined at http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/credentials.html.

Do let us know if that helps.

Ian

+29

IanMeyers on Mar 27, 2015

SOLUCIONADO!!! cuando estes en la linea de comando, y presiones aws configure, en la seccion que pregunta por la region, debes de poner la palabra local. y listo funciona.

+23

andresisaza on Feb 20, 2020

For anyone else who stumbles across this, it’s AWS_SECRET_ACCESS_KEY not AWS_SECRET_KEY.

In my case, I was just using the aws CLI and setting AWS_PROFILE did not work, but setting these variables did. Thanks for the find.

+16

tobiasmcnulty on Jun 26, 2016

worked for me after setting “AWS_SESSION_TOKEN” env variable along with AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY since I had temporary access .

+11

sharathbjgowda on Oct 15, 2020

How to work aws device farm using aws api. I have a java+TestNG project i want to create project by usng aws api can some help me on this. May be i kept at wrong place. please help me.

mohammedghouse36 on May 23, 2017

Hi Everyone,

I am new to this aws thing i need some help how to authenthicate and create a project can some one please help me i struct intially. If some one boost up i can go further.

mohammedghouse36 on May 23, 2017

I have chosen a region that is not activated for my account, choosing another region solved the problem.

ms10596 on Nov 23, 2019

isn’t it AWS_SECRET_ACCESS_KEY not AWS_SECRET_KEY? @IanMeyers can you update pls thx

ORESoftware on May 20, 2019

Just in case…if someone visits here…

In my case when my account was suspended (due to non-payment of dues) I got the same errors. Visiting aws console helped to find that issue

ragowthaman on Sep 6, 2016

Was able to get it working using AWS_ACCESS_KEY_ID and AWS_SECRET_KEY. Thanks for the very responsive help! 👍

lexicalunit on Mar 27, 2015

if you use both AWS China and .com you might also need to specify the region with your command by doing

--region cn-northwest-1 
--region cn-north-1

depending on your needs

(I apologize for necro)

levellearning-admin on Nov 29, 2021

I followed the same steps, making sure all the credentials are updated AND that the region values in my ~/.aws/config matches ~/.aws/credentials but somehow the token would still be invalid. In my case, I had to cd into ~/.aws and rm both config and credentials files. From there, running the command aws configure and providing the access id, secret access key, region, and output.

arsiaardalancanopy on Jun 24, 2020

The access key and secret key when used in this way come from the IAM User or Role that you have assumed in order to make calls to AWS Services. You can read more about Access and Secret keys at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html. These are very different from the Key Management Service keys, which are used for envelope encryption (among other things) - read more at https://aws.amazon.com/kms.

IanMeyers on Feb 2, 2017