Aws-vault: Error: The security token included in the request is invalid

Created on 19 May 2018  Â·  11Comments  Â·  Source: 99designs/aws-vault

I have a problem and I cannot figure out why.

My AWS Account has an admin-user with a default Administrator policy.

My ~/.aws/config(created with aws-vault add admin-aim) contains:

[admin-iam]
region=eu-west-2

When I do:

aws-vault exec admin-iam -- aws iam create-user --user-name fooo

I've got an error:

An error occurred (InvalidClientTokenId) when calling the CreateUser operation: The security token included in the request is invalid

Any idea what could be wrong? Thx!

stale

Most helpful comment

I've encountered the same problem. It's caused by the AWS API restrictions, that won't allow you to touch IAM related APIs using the account with MFA enabled, unless you pass the MFA token within the request.
Work around it is to call:

$ aws-vault exec admin-iam --no-session -- your_command

It won't use temporary credentials then. I know that's not a perfect solution, but it works ;)

All 11 comments

hmmm apparently fixed after running aws-vault exec admin-iam -- aws sts get-caller-identity?

Aren't you missing fields in that config?
Where is the IAM account?
Where is the role you want to assume?

--
Fernando Miguel

On Sat, 19 May 2018, 19:19 Joost Saanen, notifications@github.com wrote:

I have a problem and I cannot figure out why.

My AWS Account has an admin-user with an Administrator policy.

My ~/.aws/config contains:

region=eu-west-2
mfa_serial=arn:aws:iam:::mfa/joost.saanen```

When I do:
aws-vault exec admin-iam -- aws iam create-user --user-name fooo

I've got an error:

An error occurred (InvalidClientTokenId) when calling the CreateUser operation: The security token included in the request is invalid

Any idea what could be wrong? Thx!

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/99designs/aws-vault/issues/260, or mute the thread
https://github.com/notifications/unsubscribe-auth/AAKRrrUZrUh5UydP0xQLrdmXr99wUsAOks5t0GI6gaJpZM4UFzea
.

I've encountered the same problem. It's caused by the AWS API restrictions, that won't allow you to touch IAM related APIs using the account with MFA enabled, unless you pass the MFA token within the request.
Work around it is to call:

$ aws-vault exec admin-iam --no-session -- your_command

It won't use temporary credentials then. I know that's not a perfect solution, but it works ;)

Confirmed the workaround @artursmet mentioned works. Thanks!

just set the mfa_serial in your aws/config for the profile and IAM operations will work, and the methodology mentioned in the aws-vault README is a very good posture. Have a RO IAM user and that assumes role with MFA. I have updated my accounts to do the same

This doesn't work for me and i do have mfa_serial specified for each profile.

aws-vault: error: Failed to get credentials for root (source profile for dev): InvalidClientTokenId: The security token included in the request is invalid.

Just calling the aws cli works fine.

aws-vault --version
v4.4.1

If the workaround above (aws-vault exec <profile> -- ...) works for you, you can always spawn a shell with the profile added to the environment by just aws-vault exec <profile> and then carry on with whatever aws-api utilities you happen to want to use.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Has anyone encountered a problem where specifying an mfa_serial still will not, under any circumstances, prompt for an MFA? Authentication still succeeds, but it succeeds without MFA (bizarrely, to be honest), so I am unable to perform IAM api calls. There is no output to suggest that it tried and failed, and there is absolutely no difference in the debu logging if mfa_serial is configured or not, so there is no clue as to what is happening, except no token prompt and no IAM api calls work. Specifying a token with a command line param doesn't change the behaviour. It simply refuses to use MFA< even though it is configured to. It also won't fail authentication due to lack of MFA, but will fail authorization on IAM calls. It's bizarre and impossible to debug. I have two machines, both configured EXACTLY the same, running exactly the same terraform command via aws-vault. On one host, MFA works just fine. On the other host, it just silently fails with no clue as to why offered.

I'm also struggling.

$ uname -a
Darwin tyo-mpy1d 19.6.0 Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64 x86_64
$ aws-vault --version
v6.2.0

$ aws-vault exec dev --no-session -- terraform init
Enter token for arn:aws:iam::xxxx:mfa/[email protected]: xxxx
aws-vault: error: exec: Failed to get credentials for dev: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: dd062af4-8bd2-4c14-8825-c6e7e0ea5fa4

"mfa_serial" is definitely set on my .aws/config. Any ideas?

https://github.com/99designs/aws-vault/blob/master/USAGE.md#aws-single-sign-on-aws-sso

try using the AWS SSO sign on?

Was this page helpful?
0 / 5 - 0 ratings