terraform-provider-aws: InvalidClientTokenId: Terraform 0.9.2

This issue was originally opened by @sherabi as hashicorp/terraform#13333. It was migrated here as part of the provider split. The original body of the issue is below.


terraform --version
Terraform v0.9.2

Credentials file

[nonprod]
aws_access_key_id = ACCESS
aws_secret_access_key = SECRET

Provider

provider "aws" {
  region = "${var.aws_region}"
  shared_credentials_file = "/Users/me/.aws/credentials"
  profile = "nonprod"
}

Error

Error refreshing state: 1 error(s) occurred:

* provider.aws: InvalidClientTokenId: The security token included in the request is invalid.
	status code: 403, request id: 99c8662c-1943-11e7-bd65-978e35f3b40a

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 21 (1 by maintainers)

Most upvoted comments

Have any workarounds been identified? The only thing I can figure out is to hard-code AWS Access Tokens in the AWS Providers instead of using TF variables.

Hi, I fixed my issue with

terraform init -backend-config="access_key=..." -backend-config="secret_key=..."

This is related to partial configuration:

https://www.terraform.io/docs/backends/config.html

Terraform v0.11.0

@farhie do you mean to say that using shared_credentials_file = ~/.aws/credentials worked for you? I had a failed attempt at that too!

I tried once again but that doesn’t work. That is the bug, right? The issue is the same. Even after modifying my vars.tf file to this:

/* Variables */
provider "aws" {
  region = "${var.region}"
  shared_credentials_file = "~/.aws/credentials"
  profile = "default"
}

variable "region" {
  description = "Select the default AWS region for the deployment."
  default = "us-east-2"
}

terraform {
  backend "s3" {
    bucket = "mybucket"
    key = "path/to/iam/terraform.tfstate"
    region = "us-east-2"
  }
}

This terraform init thing doesn’t work and cannot initialize S3 as backend.

I’ve figured out what’s happening. The provider and the backend configuration for credentials are independent. I was expecting the credentials mentioned in the provider to be used by the backend. This is wrong.

I’ll try giving the credentials in the backend and will post the results.

Update: There were a few problems migrating the state. But I tried again on a new slate and everything is fine now.
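The separation described in the comment above, as an added example that is not part of the original thread: the S3 backend gets its own credential settings instead of relying on the provider block. The bucket, key, region, profile and credentials path reuse values posted on this page; pairing them in one file is an assumption made for illustration.

```hcl
# Added example, not code from the issue or from the Terraform project.
# Values are the ones posted in this thread, combined here for illustration.

variable "region" {
  description = "Select the default AWS region for the deployment."
  default     = "us-east-2"
}

# Backend: set up by `terraform init`. It does not read the provider block
# and it cannot interpolate variables, so every value must be a literal.
terraform {
  backend "s3" {
    bucket = "mybucket"
    key    = "path/to/iam/terraform.tfstate"
    region = "us-east-2"

    # Credentials for reading and writing state, stated separately
    # from the provider's credentials.
    shared_credentials_file = "/Users/me/.aws/credentials"
    profile                 = "nonprod"
  }
}

# Provider: credentials used for the AWS resources themselves.
provider "aws" {
  region                  = "${var.region}"
  shared_credentials_file = "/Users/me/.aws/credentials"
  profile                 = "nonprod"
}

# Alternative (partial configuration): leave `profile` out of the backend
# block above and supply it when initialising:
#   terraform init -backend-config="profile=nonprod"
```

Naming a profile in both blocks keeps access keys out of the `.tf` files and out of shell history, unlike passing `access_key` and `secret_key` on the command line. Recent Terraform releases deprecate `shared_credentials_file` in favour of `shared_credentials_files`.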

@armankoradia I moved to having a default profile in ~/.aws/credentials. That worked fine.

Same issue here with 0.10.6. If I explicitly export the AWS environment variables, including the security token, then it works.

Anyone found a workaround that doesn’t rely on me exporting env variables?