STS global endpoint issue for a lambda container image



I am trying to build an API that fetches a list of EC2 instances from an account. I referred to the below blog post for solution.

[](blog post)

Without revealing too many details, I am sharing the Python code that I am using to achieve this:

    import boto3

    # regionCode and accountId are parameters supplied per invocation
    sts = boto3.client('sts', region_name=regionCode, endpoint_url=f'https://sts.{regionCode}')
    role_arn = f"arn:aws:iam::{accountId}:role/xxxxxxx"
    acct = sts.assume_role(RoleArn=role_arn, RoleSessionName="role-session")
    access_key = acct['Credentials']['AccessKeyId']
    secret_access_key = acct['Credentials']['SecretAccessKey']
    session_token = acct['Credentials']['SessionToken']
    # EC2 client using the temporary credentials returned by AssumeRole
    ec2 = boto3.client('ec2',
                       aws_access_key_id=access_key,
                       aws_secret_access_key=secret_access_key,
                       aws_session_token=session_token)

Here, regionCode and accountId are parameterized and change dynamically with a new ID. Despite all the activity, I am getting the below error message whilst invoking the function.

"An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid."

Request help as early as possible.

1 Answer

I just ran the script myself and it works fine.

  • Who are you running the Python code as?
  • Does the Python script have the IAM permissions to assume a role?
  • Does the role you're assuming trust the role/account you're executing the script as?
  • Does the Python script you're running the script as force MFA?
answered 5 months ago
  • Hi,

    Please find my replies:

    1. Who are you running the Python code as? I am running it as an IAM user with AK and SAK enabled, with a self-managed IAM policy.
    2. Does the Python script have the IAM permissions to assume a role? Yes, it does; sts:assumeRole is enabled in the trust policy.
    3. Does the role you're assuming trust the role/account you're executing the script as? Yes.
    4. Does the Python script you're running the script as force MFA? No.
  • I can't reproduce your issue with my setup. The only time I have seen this before is when the IAM user has MFA enforced for CLI access.
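
The trust and MFA questions from the answer above can be checked offline against the target role's trust policy document. This is an added example, not code from the thread: the policy, account IDs and role names are constructed placeholders, `check_trust` and its helpers are hypothetical names, and the check ignores Deny statements, NotPrincipal and the caller's own identity policy.

```python
import json

# Constructed trust policy for illustration; account IDs and names are placeholders.
SAMPLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
  {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:role/ci-runner"]},
   "Action": "sts:AssumeRole"}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    # A trust policy can name the caller, the caller's account ID, or its root ARN.
    account = caller_arn.split(":")[4]
    return principal in ("*", caller_arn, account, f"arn:aws:iam::{account}:root")

def _requires_mfa(condition):
    # "...IfExists" operators pass when the MFA key is absent, so they do not force MFA.
    for operator, keys in condition.items():
        if operator.endswith("IfExists"):
            continue
        for key, value in keys.items():
            name = key.lower()
            if name == "aws:multifactorauthage" and operator.startswith("Numeric"):
                return True
            if name == "aws:multifactorauthpresent" and operator == "Bool":
                if "true" in [str(v).lower() for v in _as_list(value)]:
                    return True
    return False

def check_trust(policy, caller_arn):
    """Return (trusted, mfa_required) for caller_arn against a role trust policy."""
    matches = []  # one entry per Allow statement that trusts the caller
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if any(_principal_matches(p, caller_arn) for p in aws):
            matches.append(_requires_mfa(stmt.get("Condition", {})))
    # MFA is only mandatory if every statement that trusts the caller demands it.
    return bool(matches), bool(matches) and all(matches)

if __name__ == "__main__":
    for arn in ("arn:aws:iam::111111111111:user/example-user",
                "arn:aws:iam::222222222222:role/ci-runner"):
        print(arn, check_trust(SAMPLE_TRUST_POLICY, arn))
```
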
