AWS secrets engine - InvalidAccessKeyId


I use AWS Secret Engine to generate AccessKey and SecretAccessKey to access S3.
Sometimes I get the following error:

An error occurred (InvalidAccessKeyId) when calling the PutObject operation: The AWS Access Key Id you provided does not exist in our records.

If I do a “sleep” between the generation of identifiers and their use, I no longer have any problems. Is it normal behaviour? Any best practices about that?

It’s a bit buried in the middle of the page, but it is documented:

Unfortunately, IAM credentials are eventually consistent with respect to other Amazon services. If you are planning on using these credentials in a pipeline, you may need to add a delay of 5-10 seconds (or more) after fetching credentials before they can be used successfully.

If you want to be able to use credentials without the wait, consider using the STS method of fetching keys. IAM credentials supported by an STS token are available for use as soon as they are generated.

from AWS - Secrets Engines | Vault | HashiCorp Developer

Basically don’t use the iam_user type unless you must, and can deal with this.
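As an added example (not from this thread, and not Vault's or AWS's own code): a retry wrapper that treats InvalidAccessKeyId on a freshly issued iam_user key as propagation lag for a bounded window and raises every other error immediately. The S3 client and ClientError below are constructed stand-ins for boto3 so the logic runs offline; STS-backed credentials from Vault do not need this wrapper.

```python
import time


class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (constructed for this example)."""

    def __init__(self, code, operation):
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation")
        self.response = {"Error": {"Code": code}}
        self.operation_name = operation


def call_with_propagation_retry(fn, *, max_wait=30.0, delay=2.0, sleep=time.sleep):
    """Call fn(); retry only on InvalidAccessKeyId until max_wait seconds have been spent.

    Any other error code (AccessDenied, NoSuchBucket, ...) is a real failure rather
    than IAM propagation lag, so it is raised on the first occurrence.
    Returns (result, attempts).
    """
    waited = 0.0
    attempts = 0
    while True:
        attempts += 1
        try:
            return fn(), attempts
        except ClientError as err:
            code = err.response["Error"]["Code"]
            if code != "InvalidAccessKeyId" or waited >= max_wait:
                raise
            sleep(delay)  # give IAM time to replicate the new access key
            waited += delay


class FakeS3:
    """Constructed stand-in: the fresh key is unknown for the first `lag` calls, then works."""

    def __init__(self, lag):
        self.lag = lag
        self.calls = 0

    def put_object(self, Bucket, Key, Body):
        self.calls += 1
        if self.calls <= self.lag:
            raise ClientError("InvalidAccessKeyId", "PutObject")
        return {"ETag": '"constructed-etag"'}


if __name__ == "__main__":
    s3 = FakeS3(lag=3)  # constructed: key becomes visible on the 4th call
    result, tries = call_with_propagation_retry(
        lambda: s3.put_object(Bucket="example-bucket", Key="vault.snap", Body=b"..."),
        sleep=lambda _: None,
    )
    print(result, "after", tries, "attempts")
```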

I saw this paragraph just after posting…
My first use case was to get AWS credentials to back up Vault, so it’s not a problem to deal with a 10 sec delay. But I’m going to take a look at the STS method. I wasn’t aware of it.

Thank you.