I am trying to create the following IAM Role with a Policy. The Role is attached to a Lambda.
```hcl
resource "aws_lambda_function" "lambda" {
  function_name = "test"
  s3_bucket     = "${aws_s3_bucket.deployment_bucket.id}"
  s3_key        = "${var.deployment_key}"
  handler       = "${var.function_handler}"
  runtime       = "${var.lambda_runtimes[var.desired_runtime]}"
  role          = "${aws_iam_role.lambda_role.arn}"
}

# Execution role that the Lambda service is allowed to assume.
resource "aws_iam_role" "lambda_role" {
  name = "test-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# Inline policy granting the function X-Ray and CloudWatch Logs permissions.
resource "aws_iam_role_policy" "lambda_policy" {
  name = "test-policy" # the opening quote was missing in the original snippet
  role = "${aws_iam_role.lambda_role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "xray:PutTelemetryRecords",
        "xray:PutTraceSegments",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
```
I run terraform apply from an EC2 instance that has an IAM Role attached to it. The IAM Role has the AdministratorAccess and can deploy VPCs and EC2s with Terraform without any issue. When I try to create the IAM Role and Policy above though it fails with InvalidClientTokenId error.
```text
- aws_iam_role.lambda_role: Error creating IAM Role test-role: InvalidClientTokenId: The security token included in the request is invalid
```
I then generated a set of access key credentials and hard-coded them and it still failed. Is there something special I need to do when creating an IAM Role? Any other terraform apply commands I run from this machine work fine until I need to create an IAM Role.
+1
Seeing this exact issue. I've not yet isolated it down to / or + being in the session token, but it's definitely related to the dynamic keys that are in use.
+1, seeing this using AdministratorAccess credentials =
Follow up: I was seeing this on a new employer's QA account which didn't enforce 2fa, once I added an MFA device everything was fine.
```text
-------------------- Update Skill Project --------------------
Skill Id: amzn1.ask.skill.933e5790-82cd-4bef-9ef7-25c6672c49ab
Skill deployment finished.
Model deployment finished.
Create role error.
InvalidClientTokenId: The security token included in the request is invalid.
```
I'm getting this error, please help me out.
Thank you @crielly, that fixed it for me too. It seems to have something to do with using AWS_SECURITY_TOKEN & AWS_SESSION_TOKEN without 2FA.
It works both with plain AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY and with a session token generated with 2FA.
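A pre-flight check for the credential mix-ups the comments above point at (a stale or mismatched AWS_SESSION_TOKEN / AWS_SECURITY_TOKEN pair, a temporary key with no session token at all), added here as an example and not code from the thread or the provider. It assumes AWS's documented access-key prefixes (AKIA for long-term keys, ASIA for STS temporary keys) and that AWS_SECURITY_TOKEN is only a legacy alias of AWS_SESSION_TOKEN; `whoami_check` needs the aws CLI installed.

```shell
#!/bin/sh
# Consistency check for the credential variables the AWS SDK reads before
# "terraform apply". A leftover or mismatched session token is one way to
# end up with InvalidClientTokenId even though the access key itself is valid.
#
# Assumptions (not taken from the thread): long-term access keys start with
# "AKIA", STS temporary keys start with "ASIA", and AWS_SECURITY_TOKEN is a
# legacy alias that must never carry a different value than AWS_SESSION_TOKEN.

# Returns 0 when the environment is consistent, 1 otherwise (reason on stderr).
check_aws_credential_env() {
  key="${AWS_ACCESS_KEY_ID:-}"
  session="${AWS_SESSION_TOKEN:-}"
  legacy="${AWS_SECURITY_TOKEN:-}"

  if [ -n "$session" ] && [ -n "$legacy" ] && [ "$session" != "$legacy" ]; then
    echo "AWS_SESSION_TOKEN and AWS_SECURITY_TOKEN differ; one of them is stale" >&2
    return 1
  fi

  case "$key" in
    ASIA*)  # temporary key: unusable without the matching session token
      if [ -z "$session" ] && [ -z "$legacy" ]; then
        echo "temporary key (ASIA...) set without a session token" >&2
        return 1
      fi ;;
    AKIA*)  # long-term key: a leftover token from an earlier session is invalid
      if [ -n "$session" ] || [ -n "$legacy" ]; then
        echo "long-term key (AKIA...) set together with a leftover session token" >&2
        return 1
      fi ;;
    *) ;;   # nothing or an unrecognised prefix: SDK falls back to profile / instance role
  esac
  return 0
}

# Confirms which identity the SDK credential chain actually resolves to; a
# bad or MFA-less session token fails here with the same error Terraform shows.
whoami_check() {
  command -v aws >/dev/null 2>&1 || { echo "aws CLI not found; skipping" >&2; return 0; }
  aws sts get-caller-identity --output text
}
```

Source the file, then run `check_aws_credential_env && whoami_check` in the shell you are about to run `terraform apply` from.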
Thank you for using Terraform and for opening up this question, @scionwest! It appears @crielly has provided a possible solution to your issue.
Issues on GitHub are intended to be related to bugs or feature requests with the provider codebase. If needed, please use https://discuss.hashicorp.com/c/terraform-providers for additional feedback, community discussions, and questions around Terraform.
This issue will not be closed, but if you believe that your issue was miscategorized as a question or closed in error, please create a new issue using one of the following provided templates: bug report or feature request. Please make sure to provide us with the appropriate information so we can best determine how to assist with the given issue.
@tracypholmes the solution by @crielly didn’t work for me as my IAM User already had MFA setup.
Closing this is fine though as I’m having the same issue with the AWS SDK. I believe this to be an AWS issue with how my machine is handling keys.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!