aws-vault
Why is my InvalidClientTokenId not valid?
I am on Ubuntu 20.04.
aws-vault list
markovich markovich sts.GetSessionToken:6m26s
I got this error
docker-compose -f deploy/docker-compose.yml run --rm terraform init
Initializing the backend...
Error: error using credentials to get account ID: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid
status code: 403, request id: 82cc8cc1-441b-4d0b-8b51-4474af3fb0f4
I checked
miki@mikijebbc:~/recipe-app-api-devops$ echo $AWS_VAULT
markovich
miki@mikijebbc:~/recipe-app-api-devops$ echo $AWS_ACCESS_KEY_ID
**********goodaccesskey****
miki@mikijebbc:~/recipe-app-api-devops$ echo $AWS_SECRET_ACCESS_KEY
**********goodsecretkey****
Why do I get the error? Should I check my markovich permissions?
Hi,
To me it seems you need to pass the environment variables, set by aws-vault, into the docker container, since you are using docker-compose.
I assume you run commands like aws-vault list on your host machine and not within the docker container. This works because aws-vault is configured on your host.
In your docker container, however, the AWS environment created by aws-vault is not defined.
Try to add environment configuration to your service, in the docker-compose.yml file:
# not tested, just pseudo-configuration.
# Each ${VAR} is interpolated by docker-compose from the shell it runs in,
# so docker-compose itself must be started under aws-vault exec.
...
environment:
- AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
- AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
- AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
# aws-vault also exports the legacy alias AWS_SECURITY_TOKEN (there is no AWS_SECURE_TOKEN)
- AWS_SECURITY_TOKEN=${AWS_SECURITY_TOKEN}
The above environment variables should be sufficient.
You can always check which AWS_ related environment variables aws-vault creates by doing:
aws-vault ... -- env | grep -i aws_
Be aware that the result of the above command contains your key id and secret key.
And of course, this requires changing your docker-compose call to:
aws-vault ... -- docker-compose -f deploy/docker-compose.yml run --rm terraform init
Maybe this helps.
Also, on another note, you might want to check the AWS_REGION you are connecting to.
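As an added example (not code from the aws-vault project or from anyone in this thread), the following POSIX shell script makes the point of the answer above checkable. aws-vault exec exports temporary STS credentials into the child process; AWS access key ids for temporary credentials start with "ASIA" (long-lived IAM keys start with "AKIA"), and an ASIA key is only accepted by STS together with its AWS_SESSION_TOKEN. So a container that receives the key id and secret but not the session token gets exactly the InvalidClientTokenId shown in the question. The function names check_aws_env and compose_passthrough, and the sample key values, are my own constructions; the bare-key "environment:" form it prints is the documented docker-compose way to forward a host variable into a container without writing its value into the compose file.

```shell
#!/bin/sh
# Added example; not part of aws-vault or of the thread above.
# check_aws_env KEY_ID SECRET SESSION_TOKEN
# Prints a one-line diagnosis and returns 0 when the credential set is usable
# by STS, 1 otherwise.
check_aws_env() {
    key_id=$1
    secret=$2
    token=$3

    if [ -z "$key_id" ] || [ -z "$secret" ]; then
        echo "no AWS credentials in the environment; run under: aws-vault exec <profile> -- <command>"
        return 1
    fi

    case "$key_id" in
        ASIA*)
            # Temporary credentials: the session token is part of the credential.
            if [ -z "$token" ]; then
                echo "temporary key id without AWS_SESSION_TOKEN: STS rejects it with InvalidClientTokenId"
                return 1
            fi
            echo "temporary STS credentials with session token: ok"
            ;;
        AKIA*)
            echo "long-lived IAM access key (no session token needed): ok"
            ;;
        *)
            echo "unrecognised access key id prefix"
            return 1
            ;;
    esac
    return 0
}

# compose_passthrough VAR... prints a docker-compose "environment:" list that
# forwards the named variables from the shell docker-compose runs in. Listing
# only the key (no "=value") keeps the secret out of the compose file and out
# of the process command line.
compose_passthrough() {
    echo "    environment:"
    for v in "$@"; do
        echo "      - $v"
    done
}

# Constructed sample values (not real credentials) showing both outcomes.
check_aws_env "ASIAEXAMPLEKEYID" "examplesecret" ""             || true
check_aws_env "ASIAEXAMPLEKEYID" "examplesecret" "exampletoken" || true
compose_passthrough AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN AWS_REGION
```

To check the real environment rather than the sample values, run the script under aws-vault exec and call check_aws_env "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$AWS_SESSION_TOKEN" on the host, then repeat the same call inside the container (for example via docker-compose run --rm terraform sh); the host check passing while the container check fails is the symptom the answer above describes.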
Try deleting the password in the keyring; in Ubuntu it should be visible in seahorse (awsvault).
After deleting it, re-create it using aws-vault add <profile>.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.