InvalidClientTokenId - The security token included in the request is invalid.


dam...@zuora.com

Oct 4, 2017, 2:55:26 PM
to Vault
I'm trying to troubleshoot an issue with the AWS auth backend IAM authentication method.

I'm getting the following response when trying to authenticate:

$ vault auth -method=aws header_value=vault.example.org role=dev-role-iam
Error making API request.

Code: 400. Errors:

* error making upstream request: received error code %!!(MISSING)s(int=403) from STS: <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>InvalidClientTokenId</Code>
    <Message>The security token included in the request is invalid.</Message>
  </Error>
  <RequestId>0000fff-0000-ffff-0000-ffff0000ff00</RequestId>

I should mention that I am using Vault version 0.8.1 and that I have had success using the AWS auth backend EC2 authentication method for a different role. I've basically been following the steps in the official documentation for the AWS auth backend.

I would appreciate any insight into this problem or suggestions on how to get additional information to troubleshoot the issue.

Thanks in advance,

Dario

Joel Thompson

Oct 10, 2017, 1:34:25 AM
to vault...@googlegroups.com
Hi Dario,

Can you run "aws sts get-caller-identity" on the same host and report the results?

Usually when I've seen errors like this, it's due to weird issues with things like environment variables or ~/.aws/credentials conflicting in weird ways with IAM instance profiles. The cleanest test would be to unset the relevant environment variables first:

$ for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ; do eval unset $var ; done

and also ensure that you have nothing in ~/.aws/config or ~/.aws/credentials, then rerun the test.

--Joel
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/cea35c3c-552e-4127-9905-a1c77d19fbca%40googlegroups.com.
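Joel's checklist as a runnable diagnostic, added here as an example and not code from the thread or from Vault: it lists the static credential sources the AWS CLI/SDK credential chain consults ahead of an EC2 instance profile (the environment variables Joel unsets, plus ~/.aws/credentials and ~/.aws/config), then moves them aside so `aws sts get-caller-identity` and `vault auth -method=aws` fall through to the instance profile. The function names are our own; AWS_PROFILE, AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE are the real variables the SDKs read.

```shell
# Print one "env:NAME" or "file:PATH" line per static credential source
# that is present; prints nothing when only the instance profile remains.
aws_cred_sources() {
  for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
             AWS_SECURITY_TOKEN AWS_PROFILE; do
    eval "val=\${$var:-}"
    [ -n "$val" ] && echo "env:$var"
  done
  # The SDK honours these two override variables before the default paths.
  for f in "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" \
           "${AWS_CONFIG_FILE:-$HOME/.aws/config}"; do
    [ -f "$f" ] && echo "file:$f"
  done
  return 0
}

# Clear the env vars and rename the files to *.disabled (kept, not deleted)
# so the credential chain falls through to the instance profile.
aws_cred_isolate() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \
        AWS_SECURITY_TOKEN AWS_PROFILE
  for f in "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" \
           "${AWS_CONFIG_FILE:-$HOME/.aws/config}"; do
    [ -f "$f" ] && mv "$f" "$f.disabled"
  done
  return 0
}

# Put the files back once the test is done.
aws_cred_restore() {
  for f in "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" \
           "${AWS_CONFIG_FILE:-$HOME/.aws/config}"; do
    [ -f "$f.disabled" ] && mv "$f.disabled" "$f"
  done
  return 0
}

# Typical session on the EC2 host (source this file first):
#   aws_cred_sources            # shows what would shadow the instance role
#   aws_cred_isolate
#   aws sts get-caller-identity # should now report the instance profile role
#   vault auth -method=aws header_value=vault.example.org role=dev-role-iam
#   aws_cred_restore
```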

dam...@zuora.com

Oct 10, 2017, 3:22:07 PM
to Vault
Hi Joel,

Thank you for the help. When I ran "aws sts get-caller-identity" I got

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

Then I followed your instructions on removing existing AWS credentials. There were no AWS environment variables; however, there were ~/.aws/config and ~/.aws/credentials files. Once I moved those the command worked successfully.

Regards,

Dario