InvalidClientTokenId error aws when trying to get caller identity - amazon-web-services

hi I am unable to run this command aws sts get-caller-identity.
when I do sudo nano ~/.aws/credentials I can only locate this
[default]
aws_access_key_id = my_id
aws_secret_access_key = my_secret_id
and after doing successful steps of command aws configure when I am doing aws sts get-caller-identity I am getting this error
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
any reason which could cause this ?

Sometimes this kind of issues are caused by another credential configuration.
Environment variables credential configuration takes prority over credentials config file.
So in case there are present the environment variables "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY" or "AWS_SESSION_TOKEN" these could generate issues if it were missconfigured or have been expired.
Try checking the env vars associated to AWS Credentials and removing them using the 'unset' command in linux.
Additionally, to remove env vars permanently you need to remove the lines related on configuration files like:
/etc/environment
/etc/profile
~/.profile
~/.bashrc
Reference:
Configuration settings and precedence

I had my default region disabled by default (eu-south-1), so I had to enable it via the Web console at first, then it worked.

Related

How to remove assumed IAM role from local

I have an assumed role which I assumed using aws sts assume-role CLI command.
I want to "unassume" this role and switch back to my aws credentials configured in my local system.
How do I acheive this?
I have tried doing so by going to the console and clicking the "Revoke Active Sessions" button, but that doesn't seem to be working. I tried rm -r ~/.aws/cli/cache too but in vain. Please help
There's a few things you can do:
You can unset the AWS environment variables in your terminal:
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
You can reconfigure your aws configuration:
aws configure
However, you'll need to make sure there are no environment variables set for your AWS credentials. By default, the AWS CLI looks at your environment variables, then your config file, then your credentials file for credentials to use in CLI commands.

Unable to authenticate my AWS credentials for ECR

I have installed the latest versions of the aws-cli-2 and docker, as well as ran "aws configure" and entered my access key and secret key. I have also verified the aws.config is correct and showing the right region and output format. My credentials in AWS are admin. I keep getting the following error:
'''Unable to locate credentials. You can configure credentials by running "aws configure".
Error: Cannot perform an interactive login from a non TTY device'''
Even though I have already ran 'aws configure.' I am running the commands prefixed with 'sudo' as well. Any thoughts?! Thank you for your time!
The aws configure command was being run as the local user, whereas the ecr command was being run as sudo.
If you run commands as sudo it will not have access to your local users config, it will instead default to the root users.
Instead ensure all commands are run as the same user.
If you want to use the aws credentials file from the default location you can also specify the location via the AWS_CONFIG_FILE environment variable.

Every aws command fails with different errors without --profile flag

Disclaimer: I do have variable AWS_PROFILE set to default and echo $AWS_PROFILE does return default.
However though, my simple aws commands are failing if I do not pass --profile flag with it.
For example,
if I do aws2 s3 ls, then it fails with error : An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.
when I do, aws2 ec2 describe-instances, it fails with error An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials
even though message is different, the underlying problem is same. If I do aws2 s3 ls --profile default then it works fine, same with aws2 ec2 describe-instances command.
I have no idea how to not need the --profile flag even though I do have AWS_PROFILE set.
my credentials file look like following:
[default]
aws_access_key_id = AKIA****
aws_secret_access_key = VpR***
My config file looks like following:
[default]
region = us-west-1
output = json
I have set following two enviroment variables:
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Also, Ihave echoed their values back and made sure that the values are same exact as in credentials file.
any ideas?
Use unset AWS_PROFILE to remove profile plag.
Run aws configure to update the credential
Make sure your machine time is correct.
The profile referenced by AWS_PROFILE is invalid or expired. Your default profile is valid. That is why you see the error behavior. Check all credentials via cat ~/.aws/configure and remove or correct any that are invalid.

UnrecognizedClientException error when authenticating on aws-cli

When I pull a clean Alphine Linux Docker image, install aws-cli on it and try to authenticate myself with aws ecr get-authorization-token --region eu-central-1 I keep getting the following error:
An error occurred (UnrecognizedClientException) when calling the
GetAuthorizationToken operation: The security token included in the
request is invalid.
I've already checked the timezone which seem to be okay, and the command works properly on my local machine.
These are the commands I run to set up aws-cli:
apk add --update python python-dev py-pip
pip install awscli --upgrade
export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Is there something obvious I'm missing?
You don't have permission to access those resources until you get permission to aws-cli, for that you can use the below steps.
Log into your AWS account, click on your account name, select my security credentials, click on access keys and download the credentials
Open your PowerShell as administrator and follow the commands.
$ aws configure
$ AWS Access Key ID [****************E5TA]=xxxxxxxxxx
$ AWS Secret Access Key [****************7gNT]=xxxxxxxxxxxxxx
It was an access issue after all! Turns out that if you create a new IAM user with full admin access it can't by default access the ECR registry you created using a different account. Using the IAM credentials from that other account resolved the issue.
In my case, my ~/.aws/credentials file had an old aws_session_token that was not updated by the aws configure CLI command. Once I opened the file with vi ~/.aws/credentials and deleted the aws_session_token entry, I no longer encountered the UnrecognizedClientException. I'm guessing that the AWS CLI first gives priority to the aws_session_token over the aws access key id and aws secret access key when running AWS CLI commands, if aws_session_token is present in the ~/.aws/credentials file.
Create a new account with AmazonEC2ContainerRegistryFullAccess permission.
Add this account to the .credentials file like this:
[ecr-user]
aws_access_key_id = XXX
aws_secret_access_key = XXX
Then next use following command:
aws ecr get-login-password --profile ecr-user
What worked for me is:
on the first part of pipe add the param --profile < your-profile-name >
and after that in every ECR command you need to provide that parameter.
My issue was caused by the fact that I had inactivated my access key in the AWS IAM Management Console earlier as part of an exercise I was doing. Once I reactivated it, the problem was resolved.
(Make sure you're in the right AWS region, too.)
I had same error message however I was using session based AWS access . The solution is to add all the keys given by AWS including session token.
aws_access_key_id="your-key-id"
aws_secret_access_key="your-secret-access-key"
aws_session_token="your-session-token"
add it into ~/.aws/credentials for profile you are using .
After a couple of hours , this is my conclusion :
If you want to use AWS_PROFILE makes sure that the rest of AWS env vars are unset (NOT empty only ... MUST be UNSET).
profile=$AWS_PROFILE
unset $(printenv |grep AWS_ | cut -f1 -d"=");
export AWS_PROFILE=${profile};
Then :
# with aws cli >= 1.x
$(aws ecr get-login --no-include-email --region ${aws_region})
# with aws cli >= 2.x
registry=${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com
aws ecr get-login-password --region ${aws_region} | docker login --username AWS --password-stdin ${registry}
Resolved issue after following below:
Go to AWS IAM Management Console
Generate credential in section "Access keys (access key ID and secret access key)"
Run command aws configure and set same downloaded credentials in Cdrive-User-directory.aws\credentials
It wasn't working for me. Out of sheer desperation, I copied the lines starting with export and posted them in the terminal and pressed enter.
Thereafter I wrote aws configure and filled in the details from https://MYCOMPANY.awsapps.com/start#/ >> Account >> Clicked "Command line or programmatic access".
Default region name: eu-north-1
Default output format: text
And then the login succeeded. Don't ask my why.
open the file ~/.aws/credentials (or c:\Users\{user}\.aws\credentials on Windows)
It might look something like the following:
[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
aws_session_token = XXXXX
Update the aws_access_key_id and aws_secret_access_key with new values and remove the aws_session_token. You can also update aws_access_key_id and aws_secret_access_key via the aws configure command, but this doesn't remove the session token.
Try running echo $varname to see if the environment variables are set correctly:
echo $AWS_ACCESS_KEY_ID
echo $AWS_SECRET_ACCESS_KEY
echo $AWS_DEFAULT_REGION
If they are incorrectly set, run unset varname:
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
In my case, the region I wanted to use was not enabled. Addressed by enabling it at Account > AWS Regions -> enable (and wait patiently for some minutes).
An update, --profile must be added, I solve this.

How to configure CloudWatch Logs Agent to ignore the /root/.aws/credentials file?

After the awslogs-agent-setup.py completes the CloudWatchLogs Agent runs as root user. It finds it credentials under /root/.aws/credentials.
On the machines other services are already using the /root/.aws/credentials and those credentials should not be shared.
There is a /var/awslogs/etc/aws.conf file and a first idea was to add the aws_access_key_id and aws_secret_access_key to this file and then run sudo service awslogs restart.
Unfortunately this did not do the trick. It still finds the /root/.aws/credentials first.
This won't solve the problem of applications accessing all the credentials in the file, you CAN set application-specific credentials in that file, so that the application can have it's own identity and credentials. It looks like the log agent can use credentials from an [AmazonCloudWatchAgent] section.
Source: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-cloudwatch-agent-configuration-file-wizard.html