Invalid security token in Python container in ECS

0

I am trying to access a DynamoDB table in one of my ECS containers via Python code using boto3. I keep getting an error in my container saying the Security token is invalid. However I have checked the following:

  1. My ECS Task Execution Role has DynamoDB access
  2. My ECS Task Role has DynamoDB access
  3. This is my code:

     import boto3

     session = boto3.session.Session()
     dynamo = session.resource('dynamodb')
     table = dynamo.Table(TABLE_NAME)

If anyone could help me out with this issue, I would greatly appreciate it. We have deployed it using Fargate and ensured that both the roles are attached to the task definition.

  • In your code, can you add this piece of code and run it within your container:

    import boto3

    client = boto3.client('sts')
    print(client.get_caller_identity())
    
  • "botocore.exceptions.ClientError: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid."

  • Interesting, have a look at my answer.

Emily
asked a month ago · 63 views
2 Answers
2

I believe your issue is caused by having stale credentials on the host, either in the form of exported environment variables or through configuring the CLI credentials through aws configure.

Credentials follow a chain, and boto3 will pick up both environment variables and AWS CLI credentials before using a role attached to your instance. To fix, make sure you do not have anything blocking the chain from picking up the execution role. You can delete any credentials at .aws/credentials and unset any environment variables which may hold AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Provider Chain (credential provider: description)

  • AWS access keys: AWS access keys for an IAM user (such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY).
  • Federate with web identity or OpenID Connect (assume role credential provider): Sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. Assume the permissions of an IAM role using a web identity token from AWS Security Token Service (AWS STS).
  • IAM Identity Center credential provider: Get credentials from AWS IAM Identity Center.
  • Assume role credential provider: Get access to other resources by assuming the permissions of an IAM role (retrieve and then use temporary credentials for a role).
  • Container credential provider: Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS) credentials. The container credential provider fetches credentials for the customer's containerized application.
  • Process credential provider: Custom credential provider. Get your credentials from an external source or process, including IAM Roles Anywhere.
  • IMDS credential provider: Amazon Elastic Compute Cloud (Amazon EC2) instance profile credentials. Associate an IAM role with each of your EC2 instances. Temporary credentials for that role are made available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service.
AWS
EXPERT
answered a month ago
EXPERT
reviewed a month ago
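As an added diagnostic (not code from the answer above or from AWS), the script below walks the sources boto3 consults ahead of the container credential provider and reports anything that would shadow the task role inside the container. The finding codes, the `home` argument and the constructed test values are my own.

```python
"""Diagnose why boto3 in an ECS task might not be using the task role.

Checks the sources the default credential chain consults *before* the
container credential provider (environment variables, then the shared
credentials file) and whether the ECS agent has exposed the task role at all.
"""
import os
from pathlib import Path

# Long-lived key variables: when set, boto3 uses them and never asks the ECS agent.
STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
# Injected by the ECS agent when a task role is attached (Fargate uses the RELATIVE_URI form).
CONTAINER_VARS = ("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "AWS_CONTAINER_CREDENTIALS_FULL_URI")


def credential_chain_report(env, home):
    """Return (code, detail) findings, in chain order, for an environment mapping and home dir.

    An empty list means nothing sits ahead of the container provider and the
    task role is exposed, so boto3 should resolve 'container-role' credentials.
    """
    findings = []
    static = [v for v in STATIC_KEY_VARS if env.get(v)]
    if static:
        findings.append(("static-env-keys", f"{', '.join(static)} take precedence over the task role"))
    creds_file = Path(env.get("AWS_SHARED_CREDENTIALS_FILE") or Path(home) / ".aws" / "credentials")
    if creds_file.is_file():
        findings.append(("shared-credentials-file", f"{creds_file} takes precedence over the task role"))
    if not any(env.get(v) for v in CONTAINER_VARS):
        findings.append(("container-provider-missing",
                         "no AWS_CONTAINER_CREDENTIALS_* variable; the task role is not exposed to this process"))
    return findings


def resolved_method():
    """Provider boto3 actually picked ('env', 'shared-credentials-file', 'container-role', ...), or None."""
    try:
        import boto3  # optional: only needed for the live check inside the container
    except ImportError:
        return None
    creds = boto3.session.Session().get_credentials()
    return creds.method if creds else None


if __name__ == "__main__":
    for code, detail in credential_chain_report(os.environ, Path.home()):
        print(f"[{code}] {detail}")
    print("boto3 resolved credentials via:", resolved_method())
```

Run it inside the failing task; a `static-env-keys` or `shared-credentials-file` finding points at the stale credentials the answer describes, while `container-provider-missing` means the task definition itself is not handing the role to the process.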
-1

You have already checked several important points. Even though you've set up the roles correctly, there might be a problem with how the credentials are being accessed or used within your container. If the solution outlined in the comment section by "Leeroy Hannigan" doesn't work, then here are a few things to check and try:

  1. Verify AWS region configuration in the container.
  2. Try explicitly using EC2 instance metadata for credentials.
  3. Ensure IAM roles for tasks are enabled in your ECS cluster.
  4. Double-check execution and task role ARNs in the task definition.
  5. Look for any restrictive permissions boundaries on IAM roles.
  6. If using a private subnet, confirm DynamoDB VPC endpoint is set up.
  7. Enable DEBUG logging for boto3 for more detailed credential info.

Hope this helps.

answered a month ago
