Solve the Security Token included in the Request is Invalid


Borislav Hadzhiev

Wed Sep 15 2021, 3 min read


Solving The Security Token in the Request is Invalid

The error "The security token included in the request is invalid" can occur for multiple reasons:

  1. The user's credentials are inactive. Open the IAM console, click on the user, and in the Security Credentials tab, make sure the security credentials of the user are active.


  2. The user's access key ID and/or secret access key are incorrect. Verify that the values of your access key ID and secret access key are correct. If you don't have them, generate new ones and make sure to delete the old keys.

    The AWS CLI resolves the credentials in the following order:

    • It looks for the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
    • If the environment variables are not set, it looks in ~/.aws/credentials on Linux and macOS and in C:\Users\USERNAME\.aws\credentials on Windows.

  3. The user has forgotten to specify the correct --profile parameter in the call to the AWS CLI (in cases where the default profile is not the desired caller).

  4. The user has switched from temporary MFA credentials to user credentials, but forgot to unset the AWS_SESSION_TOKEN environment variable or the aws_session_token setting in the credentials file.

  5. The user has Multi-Factor Authentication enabled, but has not set a valid session token in the AWS_SESSION_TOKEN environment variable or the aws_session_token setting in the credentials file.

  • To generate temporary MFA credentials, open the IAM console and click on the user. Then copy the MFA device ARN, because it's required in the call to the get-session-token API:

  • Other than the MFA device ARN, you will need an MFA token from your authenticator app, for example Google Authenticator (most likely a 6-digit code, e.g. 001219).

  • Once you have the MFA device ARN and the MFA Token, call the get-session-token API:

shell
aws sts get-session-token --serial-number MFA_DEVICE_ARN --token-code MFA_TOKEN_CODE
  • The output from the call to get-session-token will look something like:

{
  "Credentials": {
    "SecretAccessKey": "secret-access-key",
    "SessionToken": "temporary-session-token",
    "Expiration": "expiration-date-time",
    "AccessKeyId": "access-key-id"
  }
}

  • To update the credentials in your credentials file, run the aws configure command. It lets you set the access key ID and secret access key values. You then also have to set the session token:

shell
# for default profile
aws configure

# for profile named admin
aws configure --profile admin

# set the session token for default profile
aws configure set aws_session_token YOUR_SESSION_TOKEN

# set the session token for a profile named admin
aws configure set aws_session_token YOUR_SESSION_TOKEN --profile admin

  • Note that the session token is temporary and valid for 12 hours by default.

  • If you prefer the environment variable approach, you can set the following environment variables:

shell
# on Linux and macOS
export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN=YOUR_SESSION_TOKEN

# on Windows (setx takes NAME VALUE and applies to newly opened terminals)
setx AWS_ACCESS_KEY_ID YOUR_ACCESS_KEY_ID
setx AWS_SECRET_ACCESS_KEY YOUR_SECRET_ACCESS_KEY
setx AWS_SESSION_TOKEN YOUR_SESSION_TOKEN
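
As an added example (not code from the original article), the shell functions below follow the resolution order described in this article, environment variables first and then the credentials file, and flag the two session-token mistakes from the list of causes: a leftover token next to long-term user keys, and temporary keys with no token. The function names are hypothetical, and the check assumes AWS's key ID prefixes: AKIA for long-term user keys and ASIA for temporary STS keys.

```shell
# Added example: report where credentials would come from and whether the
# session token matches the key type. Function names are hypothetical.
# Assumption: key IDs starting with AKIA are long-term user keys, ASIA are
# temporary STS keys.

# Print the value of KEY inside [PROFILE] of an INI-style credentials file.
cred_value() {  # usage: cred_value FILE PROFILE KEY
  awk -v section="[$2]" -v key="$3" '
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_section = ($0 == section); next }
    in_section {
      split($0, kv, "=")
      gsub(/[ \t]/, "", kv[1])
      if (kv[1] == key) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    }' "$1" 2>/dev/null
}

# Classify an access key ID / session token pair.
classify() {  # usage: classify ACCESS_KEY_ID SESSION_TOKEN
  case "$1" in
    "")    echo "no-credentials" ;;
    AKIA*) if [ -n "$2" ]; then echo "stale-session-token"; else echo "long-term-ok"; fi ;;
    ASIA*) if [ -n "$2" ]; then echo "temporary-ok"; else echo "missing-session-token"; fi ;;
    *)     echo "unknown-key-type" ;;
  esac
}

# Follow the resolution order from the article: environment first, then file.
diagnose() {  # usage: diagnose [PROFILE] [CREDENTIALS_FILE]
  local profile="${1:-default}" file="${2:-$HOME/.aws/credentials}"
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "env: $(classify "$AWS_ACCESS_KEY_ID" "${AWS_SESSION_TOKEN:-}")"
  else
    echo "file[$profile]: $(classify "$(cred_value "$file" "$profile" aws_access_key_id)" \
      "$(cred_value "$file" "$profile" aws_session_token)")"
  fi
}
```

Source the file and run `diagnose` or `diagnose admin`; it prints only the credential source and a verdict, never the secret values.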
