Error: The security token included in the request is invalid #260

Closed
JoostSaanen opened this issue May 19, 2018 · 14 comments
@JoostSaanen

JoostSaanen commented May 19, 2018

I have a problem and I cannot figure out why.

My AWS Account has an admin-user with a default Administrator policy.

My ~/.aws/config (created with aws-vault add admin-iam) contains:

[admin-iam]
region=eu-west-2

When I do:

aws-vault exec admin-iam -- aws iam create-user --user-name fooo

I got an error:

An error occurred (InvalidClientTokenId) when calling the CreateUser operation: The security token included in the request is invalid

Any idea what could be wrong? Thx!

@JoostSaanen
Author

Hmm, apparently fixed after running aws-vault exec admin-iam -- aws sts get-caller-identity?

@FernandoMiguel
Collaborator

FernandoMiguel commented May 19, 2018 via email

@artursmet

artursmet commented Jun 15, 2018

I've encountered the same problem. It's caused by AWS API restrictions that won't allow you to touch IAM-related APIs using an account with MFA enabled unless you pass the MFA token within the request.
The workaround is to call:

$ aws-vault exec admin-iam --no-session -- your_command

It won't use temporary credentials then. I know that's not a perfect solution, but it works ;)

@errygg

errygg commented Oct 3, 2018

Confirmed the workaround @artursmet mentioned works. Thanks!

@frezbo
Contributor

frezbo commented Oct 4, 2018

Just set mfa_serial in your ~/.aws/config for the profile and IAM operations will work. The methodology mentioned in the aws-vault README is a very good posture: have a read-only IAM user that assumes a role with MFA. I have updated my accounts to do the same.

@JGjorgji

This doesn't work for me, and I do have mfa_serial specified for each profile.

aws-vault: error: Failed to get credentials for root (source profile for dev): InvalidClientTokenId: The security token included in the request is invalid.

Just calling the aws cli works fine.

aws-vault --version
v4.4.1

@robacarp

robacarp commented Jan 12, 2019

If the workaround above (aws-vault exec <profile> -- ...) works for you, you can always spawn a shell with the profile added to the environment by just running aws-vault exec <profile>, and then carry on with whatever AWS API utilities you happen to want to use.

@stale

stale bot commented Sep 3, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Sep 3, 2019
@stale stale bot closed this as completed Sep 10, 2019
@hdx-machine

Has anyone encountered a problem where specifying an mfa_serial still will not, under any circumstances, prompt for an MFA? Authentication still succeeds, but it succeeds without MFA (bizarrely, to be honest), so I am unable to perform IAM API calls. There is no output to suggest that it tried and failed, and there is absolutely no difference in the debug logging whether mfa_serial is configured or not, so there is no clue as to what is happening, except no token prompt and no IAM API calls work. Specifying a token with a command line param doesn't change the behaviour. It simply refuses to use MFA, even though it is configured to. It also won't fail authentication due to lack of MFA, but will fail authorization on IAM calls. It's bizarre and impossible to debug. I have two machines, both configured EXACTLY the same, running exactly the same terraform command via aws-vault. On one host, MFA works just fine. On the other host, it just silently fails with no clue offered as to why.

@hisashiyamaguchi

I'm also struggling.

$ uname -a
Darwin tyo-mpy1d 19.6.0 Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64 x86_64
$ aws-vault --version
v6.2.0

$ aws-vault exec dev --no-session -- terraform init
Enter token for arn:aws:iam::xxxx:mfa/xxxx@xxxx.com: xxxx
aws-vault: error: exec: Failed to get credentials for dev: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: dd062af4-8bd2-4c14-8825-c6e7e0ea5fa4

"mfa_serial" is definitely set on my .aws/config. Any ideas?

@johnacliffe

@msokolov93

List of possible solutions:

1. Use the no-session flag to assume the user's access_key_id and secret_access_key:

   aws-vault exec admin-iam -n

2. Add MFA authentication to aws-vault by taking the MFA ARN from your user and adding it to the ~/.aws/config file. This will require an authentication code for every login:

   [profile admin-iam]
   mfa_serial=arn:aws:iam::{account_id}:mfa/{username}

3. Assume a role instead of assuming credentials:

   I) Create a role with the wanted permissions and allow the user to assume it in the Trust Relationships policy:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::{account_id}:user/{username}"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }

   II) Create another profile in the ~/.aws/config file to link the existing profile (with user credentials) to the role:

   [profile admin-iam]

   [profile admin-with-role]
   region=eu-central-1
   source_profile=admin-iam
   role_arn=arn:aws:iam::{account_id}:role/{RoleName}

None of the methods above are considered safe by AWS, as compromised credentials can directly impact the account. Instead, every user has to assume roles manually after logging in, as role names are only known to the people who use them.
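
A quick way to see what aws-vault has to work with for a given profile, as an added diagnostic (this is not aws-vault's own code and was not posted by anyone in this thread): the script below parses an ~/.aws/config-style file and follows the source_profile chain to report whether an mfa_serial and a role_arn are in effect. It covers the layouts described by frezbo (read-only user with mfa_serial assuming a role) and in the list above, and speaks to the "mfa_serial is set but nothing prompts" and "InvalidClientTokenId on IAM calls" symptoms reported earlier. It assumes that mfa_serial on a source_profile applies to profiles that reference it; the sample config, account ID, user and role names are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not part of aws-vault): resolve mfa_serial / role_arn for a profile,
# following source_profile links, to see whether there is an MFA device to prompt for.

# Print the value of KEY in section PROFILE of an INI-style AWS config file.
# Accepts both "[profile name]" and "[name]" headers; prints nothing if absent.
# usage: config_get FILE PROFILE KEY
config_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
            sub(/^profile[ \t]+/, "", sec)
            insec = (sec == want)
            next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            print val
            exit
        }
    ' "$1"
}

# Print the first value of KEY found on PROFILE or, failing that, on the profiles reached
# through its source_profile chain (at most 10 hops, so a misconfigured loop terminates).
# Returns 1 when no profile in the chain defines KEY.
# usage: resolve_key FILE PROFILE KEY
resolve_key() {
    rk_prof=$2
    rk_hops=0
    while [ -n "$rk_prof" ] && [ "$rk_hops" -lt 10 ]; do
        rk_val=$(config_get "$1" "$rk_prof" "$3")
        if [ -n "$rk_val" ]; then
            printf '%s\n' "$rk_val"
            return 0
        fi
        rk_prof=$(config_get "$1" "$rk_prof" source_profile)
        rk_hops=$((rk_hops + 1))
    done
    return 1
}

# One-line verdict for PROFILE: which credentials it ends up with and whether MFA is configured.
# usage: describe_profile FILE PROFILE
describe_profile() {
    dp_role=$(resolve_key "$1" "$2" role_arn) || dp_role=
    dp_mfa=$(resolve_key "$1" "$2" mfa_serial) || dp_mfa=
    if [ -n "$dp_role" ]; then
        dp_msg="assumes $dp_role"
    else
        dp_msg="uses the profile's own access keys (session token unless --no-session)"
    fi
    if [ -n "$dp_mfa" ]; then
        dp_msg="$dp_msg; MFA via $dp_mfa"
    else
        dp_msg="$dp_msg; no mfa_serial found, so IAM API calls with a session token are rejected"
    fi
    printf '%s: %s\n' "$2" "$dp_msg"
}

# Constructed sample config (placeholder account ID, user and role names), written to a temp file.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
[profile admin-iam]
region=eu-west-2

[profile ro-user]
region=eu-west-2
mfa_serial=arn:aws:iam::111111111111:mfa/alice

[profile dev]
source_profile=ro-user
role_arn=arn:aws:iam::111111111111:role/Developer
EOF

for p in admin-iam ro-user dev; do
    describe_profile "$SAMPLE_CONFIG" "$p"
done
```

Point it at your real file with describe_profile ~/.aws/config <profile>. A profile whose chain yields no mfa_serial is exactly the shape of the original report: aws-vault hands out GetSessionToken credentials with no MFA attached, and IAM rejects them with InvalidClientTokenId even though sts get-caller-identity and most other services succeed.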

@juliusashu

Please, I have the error below:
An error occurred (InvalidClientTokenId) when calling the CreateUser operation: The security token included in the request is invalid

I have changed the AWS Access Key ID and AWS Secret Access Key several times but am still getting the same error. There is no MFA on the user account.

I would be very grateful for any help to resolve this error.

@mikethm

mikethm commented Nov 5, 2022
