Go SDK v2 + SSO question


I'm trying to get authenticated using my SSO account, which does seem to be working, but as soon as I call GetCallerIdentity() on the sts client, I get an invalid token id error. On my laptop, I am logged in to the same SSO profile that I'm trying to use and I can run aws sts get-caller-identity from the command line just fine.

func whoAmI() {
		ctx := context.TODO()

		fmt.Printf("AWS profile: '%s'\n", os.Getenv("AWS_PROFILE")) // shows the name of the profile under which i'm currently authenticated just for reference

		cfg, err := config.LoadDefaultConfig(
		if err != nil {

		fmt.Printf("%+v\n", cfg) // shows me all the right stuff (keys, region, etc.)

		client := sts.NewFromConfig(cfg)
		identity, err := client.GetCallerIdentity(
		if err != nil {

		fmt.Printf("%+v", identity)

		return nil


operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: <whatever>, api error InvalidClientTokenId: The security token included in the request is invalid

What am I missing here? As mentioned, I can run the analogous awscli command with no issue and I have full admin access to the account.

1 Answer

"fmt.Printf("AWS profile: '%s'\n", os.Getenv("AWS_PROFILE"))" seems to display authentication information, are you sure you have the correct content here?
If not, try setting environment variables in the shell where you are running the script.

profile picture
answered a year ago
  • It's correct. I have a few data points to indicate that I am authenticated at the command line level and this line indicates that the Go code seems to recognize the env variable is set, but most importantly, the fmt.Printf("%+v\n", cfg) statement prints exactly what I'd expect to see. It's reading my config and fetching the correct information.

  • Try deleting the cache of credentials, etc.
    You can remove it with the following command.

    del /s /q %UserProfile%\.aws\cli\cache


    rm -r ~/.aws/cli/cache

    Now it is time to make sure that your profile is up-to-date with the following.

    aws_access_key_id = XXXXXXXXX
    aws_secret_access_key = XXXXXXXXX
  • No luck after deleting the cache. My profile itself is fine - as mentioned, when I dump the identity value all of the info I'd expect is both present and accurate including recognizing my administrator role (SSORoleName:AdministratorAccess). The code is definitely reading the profile properly, it's just getting rejected upstream for some reason. I've now tried with both STS (from the original post) and the SecretsManager services. Both fail for similar reasons (security token) even though the response code is different for whatever reason.

    operation error Secrets Manager: ListSecrets, https response error StatusCode: 400, RequestID: b52c4071-4949-4508-a3f8-1d521fea1f3b, api error UnrecognizedClientException: The security token included in the request is invalid

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions