Why did I receive the IAM error "AWS was not able to validate the provided access credentials" in some AWS Regions?


I assumed an AWS Identity and Access Management (IAM) role and my API call returned an error similar to the following: "An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials."

Short description

The AWS Security Token Service (AWS STS) supports an updated version of session tokens, version 2. New AWS Regions (for example, Bahrain) are not enabled by default and accept only the updated version of session tokens. This error can occur if version 1 session tokens are used to make a request to service endpoints in an AWS Region that is not enabled by default. For more information, see Managing AWS STS in an AWS Region.

Resolution

Session tokens obtained from a Regional AWS STS endpoint are version 2 and are valid in all AWS Regions. As a best practice, use Regional STS endpoints. Using an endpoint that is geographically closer to your application reduces latency and provides better response times.

Use one of the following methods to resolve this issue.

Obtain tokens from a Regional endpoint

The following example command uses AWS SDK for Python (Boto3).

Note:

  • Replace your-region, AccountID, and RoleName as per your environment.
  • Setting endpoint_url is required to configure the STS client for the Regional endpoint.

import boto3

# Replace the existing code that creates the STS client with the following
sts_client = boto3.client('sts', region_name='your-region', endpoint_url='https://sts.your-region.amazonaws.com')

Include the --region and --endpoint-url options in the existing bash script or command to use the Regional endpoint.

aws sts assume-role --role-arn arn:aws:iam::AccountID:role/RoleName --role-session-name RoleName --region your-region --endpoint-url https://sts.your-region.amazonaws.com
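The same resolution as a small, reusable helper (an added example, not code from the AWS article): it builds the Regional STS endpoint URL for a Region, refuses to use the global endpoint, assumes the role through that Regional endpoint, and returns credentials that are valid in all Regions. The Region name check, the FakeStsClient stand-in, the 123456789012 account ID and the role name are constructed for offline demonstration.

```python
import re
from urllib.parse import urlparse

GLOBAL_STS_HOST = "sts.amazonaws.com"  # global endpoint: issues version 1 tokens by default
REGION_RE = re.compile(r"[a-z]{2}(-gov)?-[a-z]+-\d")  # e.g. me-south-1, us-gov-west-1


def regional_sts_endpoint(region):
    """Build the Regional STS endpoint URL; tokens issued there are version 2."""
    if not REGION_RE.fullmatch(region or ""):
        raise ValueError(f"not a Region name: {region!r}")
    return f"https://sts.{region}.amazonaws.com"


def is_global_endpoint(endpoint_url):
    """True if a client is still pointed at the global endpoint."""
    return urlparse(endpoint_url).hostname == GLOBAL_STS_HOST


def make_sts_client(region):
    """Create a boto3 STS client bound to the Regional endpoint."""
    import boto3  # imported lazily so the helpers above run without boto3 installed
    return boto3.client("sts", region_name=region,
                        endpoint_url=regional_sts_endpoint(region))


def assume_role_credentials(role_arn, session_name, region, sts_client=None):
    """Assume role_arn through the Regional endpoint and return credentials keyed
    for boto3.Session(**creds). sts_client may be injected for offline testing."""
    client = sts_client or make_sts_client(region)
    resp = client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}


class FakeStsClient:
    """Constructed stand-in that returns a canned AssumeRole response for offline runs."""
    def assume_role(self, RoleArn, RoleSessionName):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY",
                                "SecretAccessKey": "example-secret",
                                "SessionToken": "example-session-token"}}


if __name__ == "__main__":
    creds = assume_role_credentials("arn:aws:iam::123456789012:role/ExampleRole",
                                    "ExampleRole", "me-south-1", sts_client=FakeStsClient())
    print(regional_sts_endpoint("me-south-1"), creds["aws_access_key_id"])
```

Drop the sts_client argument to have make_sts_client create a real boto3 client against the Regional endpoint.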

Change Region compatibility of session tokens for global endpoint

By default, AWS STS calls to the global endpoint issue version 1 session tokens. Version 1 tokens are valid only in AWS Regions that are enabled by default. However, you can configure the STS global endpoint to issue version 2 tokens, which can be used in all AWS Regions.

For instructions, see change the Region compatibility of session tokens for the global endpoint.

Important: Version 2 tokens contain more characters than version 1 tokens. This might affect existing systems in which you temporarily store tokens.


Related information

AWS Security Token Service (STS) now supports enabling the global STS endpoint to issue session tokens compatible with all AWS Regions

Regions and endpoints

AWS OFFICIAL
Updated 2 years ago
3 Comments

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Done all the above steps and yet the same issue.

replied 4 months ago

Hi @awsofficial,

I would need your assistance with a similar issue. I have performed all the necessary steps to enable global endpoints in STS, but still, whenever I make an API call, I get this error from Lambda.

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Would appreciate any help possible.

replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 4 months ago