serverless: 1.20.1: sls CLI says security token is invalid despite credentials being correct

This is a Bug Report

Description

For bug reports:

  • What went wrong? In all serverless projects, attempting to use serverless CLI to interact with AWS returns error message ServerlessError: The security token included in the request is invalid, despite credentials being correct. Does this happen to anyone else? I have spent nearly the full day trying to figure out why to no avail. In addition, I have found this to be true across multiple accounts – I cannot talk to any of my AWS accounts with the serverless CLI. I have also tried to create a new project from scratch – the creation works, but the instant I try to deploy the same error shows up. I have tried with Python 2.7 and 3.6, but no other languages.

Example commands: sls deploy --aws-profile <profile-name> sls invoke -f <function-name> --aws-profile <profile-name>

  • What did you expect should have happened? It should deploy/invoke/etc without permissions issues. I know the credentials (stored in ~/.aws/credentials) are correct because I can use the AWS CLI and do not have permissions issues. For instance, aws --profile <profile-name> iam list-users or aws --profile <profile-name> ec2 describe-instances both work just fine.

  • What was the config you used? This is true of all my serverless projects but here is one example.

service: <service-name>
provider:
  name: aws
functions:
  send:
    handler: handler.send
    events:
      - http:
          path: send
          method: post
          cors: true
plugins:
  - serverless-python-requirements
custom:
  pythonRequirements:
    dockerizePip: true
  • What stacktrace or error message from your provider did you see?
sls deploy --aws-profile <profile-name> --verbose
Serverless: Parsing Python requirements.txt
Serverless: Installing required Python packages for runtime python2.7...
Serverless: Docker Image: lambci/lambda:build-python2.7
Serverless: Linking required Python packages...
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Unlinking required Python packages...
 
  Serverless Error ---------------------------------------
 
  ServerlessError: The security token included in the request is invalid.
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Forums:        forum.serverless.com
     Chat:          gitter.im/serverless/serverless
 
  Your Environment Information -----------------------------
     OS:                     darwin
     Node Version:           6.11.2
     Serverless Version:     1.20.1

Similar or dependent issues:

  • #1518 is similar, but I’ve tried everything listed there and not been resolved. plus, I am able to use AWS CLI with these credentials, so I don’t think that is the problem.

Additional Data

  • Serverless Framework Version you’re using: 1.20.1
  • Operating System: mac os Sierra
  • Stack Trace: see above
  • Provider Error messages: see above

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Comments: 29 (4 by maintainers)

Most upvoted comments

@dileephell use export AWS_ACCESS_KEY_ID=AWSID export AWS_SECRET_ACCESS_KEY=AWSKEY export AWS_DEFAULT_REGION=REGION

You should be able to bypass the security issue.

+9
kenzotan95 on Jun 13, 2018

Also encountering this issue, while needing to use AWS_SESSION_TOKEN.

ServerlessError: The security token included in the request is invalid.

Get Support -------------------------------------------- Docs: docs.serverless.com Bugs: github.com/serverless/serverless/issues Issues: forum.serverless.com Your Environment Information ----------------------------- OS: linux Node Version: 8.11.0 Serverless Version: 1.39.0

Attempted exports:

export AWS_ACCESS_KEY_ID= blah
export AWS_SECRET_ACCESS_KEY= blah
export AWS_SESSION_TOKEN=blah
export AWS_DEFAULT_REGION=blah

to no avail. Also tried setting AWS_REGION and that also did not work.

Workaround Hackery:

temp_role=$(aws sts assume-role --role-arn arn:aws:iam::<123456789>:role/<some-example-role> --role-session-name <some-example-session> --region <your-region>)
export accessKeyId=$(echo $temp_role | jq -r .Credentials.AccessKeyId)
export secretAccessKey=$(echo $temp_role | jq -r .Credentials.SecretAccessKey)
export sessionToken=$(echo $temp_role | jq -r .Credentials.SessionToken)
export AWS_REGION=<some-region>

rm -rf ~/.aws/credentials

echo -e "[default]\naws_access_key_id = $accessKeyId\naws_secret_access_key = $secretAccessKey\naws_session_token = $sessionToken" > ~/.aws/credentials

Seems like various permutations of this bug have been cropping up since at least 1.20…This should be reopened.

+5
Ray-B on Mar 15, 2019

I have the exact error with version 1.26.1

screen_shot_2018-03-26_at_11_08_23_am
+3
joemocha-coxauto on Mar 26, 2018

I have the exact error with a superior version

problem

+3
maxalmonte14 on Mar 26, 2018

My workaround was to provide the AWS profile I intend to use.

sudo serverless deploy --aws-profile testADM

and having the testADM in my ~/.aws/credentials file

+1
proxy-project on Nov 27, 2020

This happened to me as well on the latest version a few minutes back. It was working until today morning suddenly giving the error. @kenzotan95’s suggestion worked.

+1
maityneil001 on Aug 8, 2018
Read more comments on GitHub
← serverless: Unexpected end of JSON input in v2.2. Cant sls deploy
serverless: 1.48.1 gives Credentials error. →