Still having an InvalidClientTokenId after investigations

headyj · April 1, 2022, 9:01am

Hello,

I’m having an InvalidClientTokenId error while trying to use vault generated sts credentials: AWS - Secrets Engines | Vault | HashiCorp Developer


Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: f4084bd0-6acd-4900-90e2-ff4022afed6c, api error InvalidClientTokenId: The security token included in the request is invalid

│

│ with provider["registry.terraform.io/hashicorp/aws"].eu_south_1,

│ on vpc_peering.tf line 135, in provider "aws":

│ 135: provider "aws" {

I’m using multiple aws providers for cross-region VPC peerings, so that’s why I have this setup on my vpc_peering.tf file:

provider "aws" {
  alias  = "eu_central_1"
  region = "eu-central-1"
}
provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1"
}
provider "aws" {
  alias  = "eu_west_2"
  region = "eu-west-2"
}
provider "aws" {
  alias  = "eu_south_1"
  region = "eu-south-1"
}
provider "aws" {
  alias  = "eu_north_1"
  region = "eu-north-1"
}

I never had any problem with this setup using “regular” AWS authentication (standard IAM user and access key / secret key based credentials) and I saw that a lot of people have the same kind of issue using vault / assume role authentication, but I wasn’t able to solve it despite what I found over the internet:

eu-south-1 is activated on my AWS account
the vault user as well as the assumed role both have admin access
it doesn’t work even if AWS generated credentials don’t have special characters
credentials are correctly passed to terraform (I checked in debug mode and the AWS access key is correct)

I’m generating the credentials the following way:


AWS_LEASE=$(vault write aws/sts/deploy ttl=900s -format=json)

export AWS_ACCESS_KEY_ID="$(echo $AWS_LEASE | jq -r '.data.access_key')"

export AWS_SECRET_ACCESS_KEY="$(echo $AWS_LEASE | jq -r '.data.secret_key')"

export AWS_SESSION_TOKEN="$(echo $AWS_LEASE | jq -r '.data.security_token')"

export AWS_DEFAULT_REGION=eu-west-2

export AWS_REGION=eu-west-2

then basically doing a terraform init and terraform plan leads to this issue

Any idea ?

headyj · April 1, 2022, 11:32am

Finally found the solution: region was enabled, but I had to set the “Region compatibility of session tokens” to “Valid in all AWS Regions” by using the method explained here: Managing AWS STS in an AWS Region - AWS Identity and Access Management

char1iemack · May 16, 2023, 8:06am

Thank you for this!! Was breaking my head over this