Still having an InvalidClientTokenId after investigations


I’m having an InvalidClientTokenId error while trying to use vault generated sts credentials: AWS - Secrets Engines | Vault by HashiCorp

Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: f4084bd0-6acd-4900-90e2-ff4022afed6c, api error InvalidClientTokenId: The security token included in the request is invalid


│ with provider[""].eu_south_1,

│ on line 135, in provider "aws":

│ 135: provider "aws" {

I’m using multiple aws providers for cross-region VPC peerings, so that’s why I have this setup on my file:

provider "aws" {
  alias  = "eu_central_1"
  region = "eu-central-1"
provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1"
provider "aws" {
  alias  = "eu_west_2"
  region = "eu-west-2"
provider "aws" {
  alias  = "eu_south_1"
  region = "eu-south-1"
provider "aws" {
  alias  = "eu_north_1"
  region = "eu-north-1"

I never had any problem with this setup using “regular” AWS authentication (standard IAM user and access key / secret key based credentials) and I saw that a lot of people have the same kind of issue using vault / assume role authentication, but I wasn’t able to solve it despite what I found over the internet:

  • eu-south-1 is activated on my AWS account

  • the vault user as well as the assumed role both have admin access

  • it doesn’t work even if AWS generated credentials don’t have special characters

  • credentials are correctly passed to terraform (I checked in debug mode and the AWS access key is correct)

I’m generating the credentials the following way:

AWS_LEASE=$(vault write aws/sts/deploy ttl=900s -format=json)

export AWS_ACCESS_KEY_ID="$(echo $AWS_LEASE | jq -r '.data.access_key')"

export AWS_SECRET_ACCESS_KEY="$(echo $AWS_LEASE | jq -r '.data.secret_key')"

export AWS_SESSION_TOKEN="$(echo $AWS_LEASE | jq -r '.data.security_token')"

export AWS_DEFAULT_REGION=eu-west-2

export AWS_REGION=eu-west-2

then basically doing a terraform init and terraform plan leads to this issue :frowning:

Any idea ?

Finally found the solution: region was enabled, but I had to set the “Region compatibility of session tokens” to “Valid in all AWS Regions” by using the method explained here: Managing AWS STS in an AWS Region - AWS Identity and Access Management