
How do I resolve the IAM error "AWS was not able to validate the provided access credentials" in some Regions?


I assumed an AWS Identity and Access Management (IAM) role, and my API call returned the error: "An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials."

Short description

By default, AWS doesn't activate new AWS Regions, and these Regions accept only version 2 session tokens. When a request that carries a version 1 token reaches a service endpoint in a Region that isn't activated by default, the following error occurs:

"An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials."

It's a best practice to use AWS Security Token Service (AWS STS) Regional endpoints because session tokens from an STS Regional endpoint are version 2 tokens and valid in all Regions. Or, you can change the Region compatibility settings for session tokens from the global endpoint.

Resolution

Obtain tokens from a Regional endpoint

Important: For Regions that AWS activates by default, you must activate the STS Regional endpoint in the AWS account that generates the temporary credentials, regardless of the account that makes the request. For Regions that you manually activate, activate the Region in both the account that makes the request and the account that generates the credentials. If you don't activate the Region in both accounts, then you receive the "InvalidClientTokenId" error.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

You can use either an AWS SDK or the AWS CLI to obtain tokens.

For example, you can create the STS client with the following AWS SDK for Python (Boto3) code:

import boto3

# Replace the existing code that creates the STS client with the following.
# The client is pinned to one Region and to that Region's STS endpoint, so the
# session tokens it returns are version 2 tokens.
sts_client = boto3.client('sts', region_name='your-region', endpoint_url='https://sts.your-region.amazonaws.com')

Note: Replace your-region with your Region and endpoint_url with your endpoint.

Or, run the following assume-role command:

aws sts assume-role --role-arn arn:aws:iam::444455556666:role/RoleName --role-session-name RoleName --region your-region --endpoint-url https://sts.your-region.amazonaws.com

Note: Replace your-region with your Region, role-arn with the Amazon Resource Name (ARN) of your IAM role, and --endpoint-url with your endpoint.

Change Region compatibility settings for session tokens from the global endpoint

By default, STS calls that you make to the global endpoint issue version 1 tokens. To use session tokens in all Regions, configure the STS global endpoint to issue version 2 tokens.

Important: Version 2 tokens contain more characters than version 1. The increase in token size might affect existing systems that temporarily store session tokens. Make sure that the system that stores your tokens can manage the increased token size.
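As an added example (not code from the AWS article), the following shell helpers put the two resolutions above together: assume a role through a Regional STS endpoint, export the resulting credentials, confirm they validate in a target Region, and read or change the token version the global endpoint issues. The role ARN and Region names are placeholders you replace with your own.

```shell
#!/usr/bin/env bash
# Added example, not code from the AWS article: assume a role through a
# Regional STS endpoint, export the version 2 session token, and check that it
# is accepted in the target Region. Role ARN and Region names are placeholders.
set -eu
# Build the Regional STS endpoint URL the article recommends for a Region.
sts_endpoint() {
    printf 'https://sts.%s.amazonaws.com' "$1"
}

# Sanity check on a Region name such as us-west-2 (rejects "global", "", ...).
valid_region() {
    case "$1" in
        [a-z][a-z]-[a-z]*-[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Assume ROLE_ARN via the STS endpoint in STS_REGION and export the temporary
# credentials into the current shell (source this file, then call it).
assume_role_regional() {
    role_arn=$1; sts_region=$2; session_name=${3:-regional-session}
    valid_region "$sts_region" || { echo "invalid Region: $sts_region" >&2; return 1; }
    creds=$(aws sts assume-role --role-arn "$role_arn" --role-session-name "$session_name" \
        --region "$sts_region" --endpoint-url "$(sts_endpoint "$sts_region")" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
    read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$creds
EOF
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    # Version 2 tokens are longer; this is the size the article warns about.
    echo "session token length: ${#AWS_SESSION_TOKEN} characters" >&2
}

# Permission-free check that the exported token validates in TARGET_REGION; a
# version 1 token in a Region not activated by default fails with AuthFailure.
verify_in_region() {
    aws sts get-caller-identity --region "$1" --query Arn --output text
}

# Token version the account's global STS endpoint issues (1 or 2), and the
# switch to version 2 from the article's second section.
global_token_version() {
    aws iam get-account-summary --query 'SummaryMap.GlobalEndpointTokenVersion' --output text
}
set_global_token_version_v2() {
    aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token
}
# Usage: assume_role_regional arn:aws:iam::444455556666:role/RoleName us-west-2
#        verify_in_region ap-east-1   # an opt-in Region, as an example target
```

The helpers only call the AWS CLI when you invoke them, so the file can be sourced safely and the credential check runs under whichever profile your shell already uses.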

3 Comments

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Done all the above steps and yet same issue.

replied 2 years ago

Hi @awsofficial,

I would need your assistance for a similar issue. I have performed all the necessary steps to enable global endpoints in STS, but still, whenever I make an API call, I get this error from Lambda.

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Would appreciate any help possible.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago