Terraform-provider-aws: InvalidClientTokenId: The security token included in the request is invalid.

Created on 1 Feb 2019  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7
+ provider.aws v1.57.0
+ provider.random v2.0.0
+ provider.template v2.0.0
+ provider.tls v1.2.0

Affected Resource(s)

Anything AWS - the issue is with the provider authentication.

Terraform Configuration Files

provider "aws" {
  shared_credentials_file = "${var.shared_credentials_file}"
  region                  = "${var.region}"
  profile                 = "${var.profile}"
  assume_role {
    role_arn = "${var.role_arn}"
  }
}

Debug Output

https://gist.github.com/TommyKTheDJ/5353d40f8e373dcb4aa5063549c17964

Expected Behavior

terraform plan -out=plan should work

Actual Behavior

Error: Error refreshing state: 1 error(s) occurred:

* provider.aws: The role "arn:aws:iam::accountnumber:role/FullAdmin" cannot be assumed.

  There are a number of possible causes of this - the most common are:
    * The credentials used in order to assume the role are invalid
    * The credentials do not have appropriate permission to assume the role
    * The role ARN is not valid

Steps to Reproduce

  1. Use saml2aws login to authenticate and get a temporary STS token, with the details auto-saved to ~/.aws/credentials
  2. terraform plan -out=plan

References

I've looked at quite a few similar issues, but none have quite had the same config and the resolutions for them haven't worked for me.

All 10 comments

Note - I have replaced the real account number with accountnumber in the submission above and the gist.

Hi @TommyKTheDJ I tested the provided Terraform configuration, using my credentials, to verify authenticating via a role. I've seen this particular error occur when there is no trust relationship between the user and the role that is trying to be assumed.

Have you tried confirming that the credentials given by the saml2aws login have permission to assume the role in question?

@nywilken well, I am able to use the aws cli assuming that role, so would assume the answer is yes - I will double check though.

@nywilken I have just checked and the trust relationship is with our ADFS environment. I've just tried logging onto the console and I am able to assume that role. I will keep digging.

Update: I suspect this is an issue with compliance checks our central team have instigated - I am investigating with them.

OK, so this has been resolved. Basically, because saml2aws login already handles the assuming of the role, that is not required within the .tf file. So the below example works no problem:

provider "aws" {
  shared_credentials_file = "${var.shared_credentials_file}"
  region                  = "${var.region}"
  profile                 = "${var.profile}"
}

Where ~/.aws/credentials contains:

[saml]
aws_access_key_id        = <access_key_id>
aws_secret_access_key    = <access_key>
aws_session_token        = <token>
aws_security_token       = <token>
x_principal_arn          = arn:aws:sts::xxxxx:assumed-role/RoleName/Login
x_security_token_expires = <expiration_date/time>

Closing as this is not a bug or issue.
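A small pre-flight check for the situation above, added here as an example (it is not code from the issue or from the provider): it reads the profile that saml2aws wrote into ~/.aws/credentials and reports whether the credentials already belong to an assumed-role session (so an assume_role block in the provider would try to assume the role a second time), or whether the session token has expired and needs a fresh saml2aws login. The sample credentials are constructed placeholders, and the ISO 8601 form of x_security_token_expires is an assumption.

```python
import configparser
from datetime import datetime, timezone

# Constructed sample in the shape saml2aws writes; every value is a placeholder.
SAMPLE_CREDENTIALS = """
[saml]
aws_access_key_id        = AKIAPLACEHOLDER
aws_secret_access_key    = secret-placeholder
aws_session_token        = token-placeholder
aws_security_token       = token-placeholder
x_principal_arn          = arn:aws:sts::123456789012:assumed-role/FullAdmin/Login
x_security_token_expires = 2019-02-01T13:00:00+00:00

[static]
aws_access_key_id     = AKIAPLACEHOLDER
aws_secret_access_key = secret-placeholder
"""


def diagnose_profile(credentials_text, profile, now_iso=None):
    """Return (verdict, detail) for a credentials profile before Terraform uses it.

    now_iso lets callers pin the clock (ISO 8601); otherwise the current UTC time is used.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(credentials_text)
    if profile not in cfg:
        return "missing", f"profile [{profile}] not found in credentials file"
    sec = cfg[profile]
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if not sec.get(key):
            return "incomplete", f"{key} is missing from [{profile}]"
    # saml2aws records the expiry of the temporary session; assumed format is ISO 8601.
    expires = sec.get("x_security_token_expires")
    if expires:
        now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
        exp = datetime.fromisoformat(expires)
        if exp.tzinfo is None:  # treat a naive timestamp as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= now:
            return "expired", f"session expired at {expires}; run saml2aws login again"
    principal = sec.get("x_principal_arn", "")
    if ":assumed-role/" in principal:
        # The role was already assumed during login; an assume_role block would
        # ask STS to assume it again from inside the session, which is what fails.
        return "assumed-role-session", f"already {principal}; drop assume_role from the provider"
    if sec.get("aws_session_token"):
        return "session", "temporary credentials; add assume_role only for a further role"
    return "static", "long-lived keys; the provider's assume_role block performs the role switch"
```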

@TommyKTheDJ thanks for updating the issue with the details around your investigation. I'm happy to hear that you were able to narrow down the issue. Please feel free to reach back out if you run into any other issues using the AWS provider.

Hi,

I am getting this error.

I am trying to set the access key and secret key in environment variables (Windows OS).

Error: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
status code: 403, request id: 56afabf0-bcd5-11e9-bbec-5b509b30c4d6

on main.tf line 1, in provider "aws":
1: provider "aws" {

Need help,
Thanks

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
