The security token included in the request is invalid

[keithbeller]

I've manually added a user the General Settings > Users and groups.

I launch the application locally, navigate to the login page, enter creds from the account and get the following error message when submitting the login request:

An unhandled exception occurred while processing the request.
**HttpErrorResponseException: Exception of type 'Amazon.Runtime.Internal.HttpErrorResponseException' was thrown.**
Amazon.Runtime.HttpWebRequestMessage.GetResponseAsync(CancellationToken cancellationToken) in HttpRequestMessageFactory.cs, line 539
**AmazonCognitoIdentityProviderException: The security token included in the request is invalid.**
Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleException(IExecutionContext executionContext, HttpErrorResponseException exception) in HttpErrorResponseExceptionHandler.cs, line 60
**CognitoServiceException: Failed to find the Cognito User by Id**
Amazon.AspNetCore.Identity.Cognito.CognitoUserStore<TUser>.FindByIdAsync(string userId, CancellationToken cancellationToken)

App Configuration

Using the latest Sample application unmodified.
appsettings.Development.json set as follows:
"AWS": {
"Region": "us-east-1", // value taken from General settings
"UserPoolClientId": "6u.....", // value taken from General settings > App clients > App client id
"UserPoolClientSecret": "i6....", // value taken from General settings > App clients > App client secret
"UserPoolId": "us-east-1_....." // value taken from General settings > Pool Id
}

User Pool Configuration:

Attributes

• Username
• Standard attributes required = email

Policies

• Minimum length 8 and all requires checked
• Only allow admins

MFA and verifications

• Off

App clients

• App client id & App client secret
• no boxes checked

App integration > App client settings

• Enabled Identity Providers = Cognito User Pool checked
• Sign in and sign out URLs > Callback and Sign out URLs set to https://localhost:44339 for testing
• OAuth 2.0 > Allowed OAuth Flows = Auth code grant
• OAuth 2.0 > Allowed OAuth Scopes - email, openid, profile

[klaytaybai]

Hi @keithbeller, this is most likely due to invalid AWS credentials. Can you please check your credentials setup and provide us with more information about how you're using credentials if you are still experience an issue.

[scionwest]

@klaytaybai I'm experiencing this as well. I just issued myself brand new IAM User credentials that have Administrator Access attached as a policy. When I use this SDK, I receive the same exception.

Edit: To clarify, I ran aws configure from the CLI, configuring it with a brand new set of credentials. I only have one profile, the default, and the SDK doesn’t seem to pick it up on my Windows 10 PC. I’ve verified they exist in ~/.aws/credentials as well.

[klaytaybai]

@scionwest are you using the VS Toolkit?

[scionwest]

@klaytaybai at one point in VS 2017 I was. I’ve since uninstalled the toolkit and VS 17; using VS 19 vanilla now.

[scionwest]

Is there any update to this or other ways I can receive help? Our Enterprise support said we need to post this to GitHub to receive support. I’ve not been able to get this answered though.

It’s starting to get frustrating that the only way to get support on an Amazon SDK item is on GitHub. Why can’t these items be covered by our (expensive) Enterprise support agreement?

[assyadh]

Hi @scionwest, Can you please make sure you have a credential file with a default profile:

https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html#creds-file

It may be that due to the VS19 without toolkit installed you don't have any creds being picked up.

This really look like a credentials / wrong user pool secret issue because of the computed hashes.

[klaytaybai]

It may also be helpful for us if you can provide an example of how you are naming your profile in the credentials file.

[scionwest]

.aws/config

[default]
output = json
region = us-east-1

.aws/credentials

[default]
aws_access_key_id = ###
aws_secret_access_key = ###

I've fully uninstalled Visual Studio, all of the extensions, cleaned up any environment variables I had that were related to the AWS SDK, blown away the credentials/config files and re-generated them with aws configure and I get the same error. It doesn't matter what API I use at this point... Even CLI commands are failing for me to AWS. Somehow, my local credentials are screwed up and I can't figure out what the CLI/SDK is looking at - why they're ignoring my .aws/credentials file.

[antgustech]

I have the same issue however I have configured an app client instead and calling it like this from android app:
`

            final String clientId = "***********3";
            final String clientSecret = "******************************g1";
            final Regions region = Regions.EU_WEST_1;

            final AWSCredentials basicAWSCredentials = new BasicAWSCredentials(clientId, clientSecret);

            AWSCredentialsProvider basicCredProvider = new AWSCredentialsProvider() {
                @Override
                public AWSCredentials getCredentials() {
                    return basicAWSCredentials;
                }

                @Override
                public void refresh() {

                }
            };



            //Create kinesis client
            KinesisVideoClient mKinesisVideoClient;
            try {
                mKinesisVideoClient = KinesisVideoAndroidClientFactory.createKinesisVideoClient(
                        getApplicationContext(),
                        region,
                        basicCredProvider);


                AndroidCameraMediaSource mCameraMediaSource = (AndroidCameraMediaSource) mKinesisVideoClient
                        .createMediaSource("TEST", getCurrentConfiguration());
                mCameraMediaSource.start();

            } catch (KinesisVideoException e) {
                Log.e("KINESIS", "Failed to create Kinesis Video client", e);
            }
        }
    });`

2019-11-18 14:27:59.306 8222-8259/com.example.testauth D/platform-utils: describeStreamResultEvent(): Describe stream result event. 2019-11-18 14:27:59.347 8222-8262/com.example.testauth D/KinesisVideoAndroidClient: calling describe stream: {StreamName: TEST,} 2019-11-18 14:27:59.366 8222-8262/com.example.testauth W/System: Ignoring header x-amz-security-token because its value was null. 2019-11-18 14:27:59.484 8222-8262/com.example.testauth E/KinesisVideoAndroidClient: 2019-11-18T14:27Z T2643: EXCEPTION: AmazonServiceException: Service call failed.: The security token included in the request is invalid. (Service: AWSKinesisVideo; Status Code: 403; Error Code: UnrecognizedClientException; Request ID: 756a8be4-90ef-4380-8d08-8ee55dcaff2e) 2019-11-18 14:27:59.485 8222-8262/com.example.testauth E/KinesisVideoAndroidClient: Kinesis Video service client returned an error com.amazonaws.AmazonServiceException: The security token included in the request is invalid. (Service: AWSKinesisVideo; Status Code: 403; Error Code: UnrecognizedClientException; Request ID: 756a8be4-90ef-4380-8d08-8ee55dcaff2e). Reporting to Kinesis Video PIC. 2019-11-18 14:27:59.485 8222-8262/com.example.testauth D/platform-utils: Java_com_amazonaws_kinesisvideo_internal_producer_jni_NativeKinesisVideoProducerJni_describeStreamResultEvent(): Describe stream event for handle 0x0000007cee4c3140. 2019-11-18 14:27:59.485 8222-8262/com.example.testauth D/platform-utils: describeStreamResultEvent(): Describe stream result event. 2019-11-18 14:27:59.521 8222-8262/com.example.testauth D/KinesisVideoAndroidClient: calling describe stream: {StreamName: TEST,} 2019-11-18 14:27:59.536 8222-8262/com.example.testauth W/System: Ignoring header x-amz-security-token because its value was null. 2019-11-18 14:27:59.616 8222-8262/com.example.testauth E/KinesisVideoAndroidClient: 2019-11-18T14:27Z T2643: EXCEPTION: AmazonServiceException: Service call failed.: The security token included in the request is invalid. (Service: AWSKinesisVideo; Status Code: 403; Error Code: UnrecognizedClientException; Request ID: d582f1ce-bf6c-4257-85cf-c21303bc6ceb) 2019-11-18 14:27:59.616 8222-8262/com.example.testauth E/KinesisVideoAndroidClient: Kinesis Video service client returned an error com.amazonaws.AmazonServiceException: The security token included in the request is invalid. (Service: AWSKinesisVideo; Status Code: 403; Error Code: UnrecognizedClientException; Request ID: d582f1ce-bf6c-4257-85cf-c21303bc6ceb). Reporting to Kinesis Video PIC. 2019-11-18 14:27:59.617 8222-8262/com.example.testauth D/platform-utils: Java_com_amazonaws_kinesisvideo_internal_producer_jni_NativeKinesisVideoProducerJni_describeStreamResultEvent(): Describe stream event for handle 0x0000007cee4c3140. 2019-11-18 14:27:59.617 8222-8262/com.example.testauth D/platform-utils: describeStreamResultEvent(): Describe stream result event. 2019-11-18 14:27:59.654 8222-8262/com.example.testauth D/KinesisVideoAndroidClient: calling describe stream: {StreamName: TEST,} 2019-11-18 14:27:59.673 8222-8262/com.example.testauth W/System: Ignoring header x-amz-security-token because its value was null. 2019-11-18 14:27:59.750 8222-8262/com.example.testauth E/KinesisVideoAndroidClient: 2019-11-18T14:27Z T2643: EXCEPTION: AmazonServiceException: Service call failed.: The security token included in the request is invalid. (Service: AWSKinesisVideo; Status Code: 403; Error Code: UnrecognizedClientException; Request ID: 8facdadf-a9f2-41c6-abaf-2345b2d5d863) 2019-11-18 14:27:59.750 8222-8262/com.example.testauth E/KinesisVideoAndroidClient: Kinesis Video service client returned an error com.amazonaws.AmazonServiceException: The security token included in the request is invalid. (Service: AWSKinesisVideo; Status Code: 403; Error Code: UnrecognizedClientException; Request ID: 8facdadf-a9f2-41c6-abaf-2345b2d5d863). Reporting to Kinesis Video PIC.

I have set up a App Client in my user pool as the following docs describe: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html

[keithbeller]

I figured out my issue. I didn't set the variables: AWS_SECRET_KEY and AWS_ACCESS_KEY_ID. When I did the issue resolved. Thank you for your help.

I followed the directions on Snevsky.com to find my answer.

If you haven’t generated these keys already: open up the AWS console home page, click your name in the top right corner, click “My Security Credentials”, expand the “Access keys” section and “Create New Access Key”. Set the Environment Variables for your project once they are generated.

Here was the change I made to the Startup.cs file. If you inject the AmazonCognitoIdentityProviderClient and CognitoUserPool services the sample works.

public void ConfigureServices(IServiceCollection services)
{
	// Adds your own instance of Amazon Cognito clients 
	// cognitoIdentityProvider and cognitoUserPool are variables you would have instanciated yourself

	var credentials = new Credentials
	{
		AccessKeyId = Configuration["AWS_SECRET_ACCESS_KEY"], 
		SecretKey = Configuration["AWS_SECRET_KEY"]
	};

	var provider = new AmazonCognitoIdentityProviderClient(credentials, RegionEndpoint.USEast1);
	var pool = new CognitoUserPool(Configuration["UserPoolId"],
				                             Configuration["UserPoolClientId"], 
				                             provider,
  				                             Configuration["UserPoolClientSecret"]);

	services.AddSingleton<IAmazonCognitoIdentityProvider>(provider);
        services.AddSingleton<CognitoUserPool>(pool);

        services.AddCognitoIdentity();

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

[jerhewet]

For anyone else encountering "The security token included in the request is invalid" exception, the solution is to create your AmazonCognitoIdentityProviderClient using the Amazon.RegionEndpoint parameter instead of passing in the region as a string. For example:

AmazonCognitoIdentityProviderClient cognito = new AmazonCognitoIdentityProviderClient(
    configuration["AWS:AWSKey"],
    configuration["AWS:AWSSecret"],
    Amazon.RegionEndpoint.USWest2);

[brainox]

For anyone else encountering "The security token included in the request is invalid" exception, the solution is to create your AmazonCognitoIdentityProviderClient using the Amazon.RegionEndpoint parameter instead of passing in the region as a string. For example:

AmazonCognitoIdentityProviderClient cognito = new AmazonCognitoIdentityProviderClient(
    configuration["AWS:AWSKey"],
    configuration["AWS:AWSSecret"],
    Amazon.RegionEndpoint.USWest2);

@jerhewet
Please Where do I type this command? In the CLI or somewhere else? I just began AWS last week. So the terms here are still new.

[aleksander-ivanov]

Looks like instanciating AmazonCognitoIdentityProviderClient only with ClientId + ClientSecret won't work. It required User AccessKey + SecretKey at least.
var client = new AmazonCognitoIdentityProviderClient(AccessKey, SecretKey, RegionEndpoint.GetBySystemName(Region))