[amazon-web-services] The AWS Access Key Id does not exist in our records

I created a new Access Key and configured that in the AWS CLI with aws configure. It created the .ini file in ~/.aws/config. When I run aws s3 ls it gives:

A client error (InvalidAccessKeyId) occurred when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.

AmazonS3FullAccess policy is also attached to the user. How to fix this?


Looks like ~/.aws/credentials was not created. Try creating it manually with this content:

[default]
aws_access_key_id = sdfesdwedwedwrdf
aws_secret_access_key = wedfwedwerf3erfweaefdaefafefqaewfqewfqw

(On my test box, if I run the aws command without having a credentials file, the error is Unable to locate credentials. You can configure credentials by running "aws configure".) Can you try running these two commands from the same shell you are trying to run aws in:

$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

and then try the aws command.


If you have an AWS Educate account and you get this problem:

An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.

The solution is here:

  1. Go to your C:/ drive and search for the .aws folder inside your main folder in Windows.

  2. Inside that folder you get the "credentials" file; open it with Notepad.

  3. Paste the whole key credential from the AWS account into the same Notepad file and save it.

  4. Now you are ready to use your AWS Educate account.


It might be that you have the old keys exported via env variables (bash_profile), and since the env variables have higher precedence than the credentials files, it is giving the error "the access key id does not exist".

Remove the old keys from the bash_profile and you should be good to go.

This happened to me once earlier when I forgot I had credentials in bash_profile, and it gave me a headache for quite some time :)


You may need to set the AWS_DEFAULT_REGION environment variable.


It looks like some values have been already set for the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

If so, you will see some values when executing the commands below.

echo $AWS_SECRET_ACCESS_KEY
echo $AWS_ACCESS_KEY_ID

You need to reset these variables if you are using aws configure.

To reset them, execute the commands below.

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
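
The precedence problem described in the answers above (stale keys exported in the environment overriding what aws configure wrote) can be checked without echoing a secret to the terminal. This is an added example, not code from any of the answers: the function names mask_key, file_key_id and credential_source are hypothetical, and it models only the two sources discussed here, environment variables first and then the shared credentials file.

```sh
#!/bin/sh
# Added example: report which credential source wins, never printing a secret.
# Precedence modelled is the one described in the answers above:
# AWS_ACCESS_KEY_ID in the environment beats ~/.aws/credentials.
# Usage: . ./credsource.sh && credential_source [FILE] [PROFILE]

# mask_key ID -> first and last four characters only
mask_key() (
  k=$1
  if [ "${#k}" -le 8 ]; then
    printf '****'
  else
    printf '%s...%s' "${k%"${k#????}"}" "${k#"${k%????}"}"
  fi
)

# file_key_id FILE PROFILE -> aws_access_key_id stored under [PROFILE]
file_key_id() (
  [ -r "$1" ] || exit 0
  awk -v want="[$2]" '
    /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_sec = ($0 == want); next }
    in_sec && /^[ \t]*aws_access_key_id[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
    }' "$1"
)

# credential_source [FILE] [PROFILE] -> "<source> <masked id>[ notes]"
credential_source() (
  file=${1:-${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}}
  env_id=${AWS_ACCESS_KEY_ID:-}
  file_id=$(file_key_id "$file" "${2:-default}")
  if [ -n "$env_id" ]; then
    note=
    if [ -n "$file_id" ] && [ "$file_id" != "$env_id" ]; then
      note=" shadows-file:$(mask_key "$file_id")"
    fi
    # Literal quotes end up in the value when a .env-style loader keeps them.
    case $env_id in \"*|\'*) note="$note quoted-value" ;; esac
    echo "env $(mask_key "$env_id")$note"
  elif [ -n "$file_id" ]; then
    echo "file $(mask_key "$file_id")"
  else
    echo "none"
  fi
)
```

When the CLI itself is available, aws configure list reports the masked key in use and the source it came from.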


None of the up-voted answers work for me. Finally I pass the credentials inside the Python script, using the client API.

import boto3

# ACCESS_KEY, SECRET_KEY and SESSION_TOKEN are placeholders for your own values.
client = boto3.client(
    's3',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token=SESSION_TOKEN,
)

Please notice that the aws_session_token argument is optional. Not recommended for public work, but it makes life easier for a simple trial.


Another thing that can cause this, even if everything is set up correctly, is running the command from a Makefile. For example, I had a rule:

awssetup:
        aws configure
        aws s3 sync s3://mybucket.whatever .

When I ran make awssetup I got the error: fatal error: An error occurred (InvalidAccessKeyId) when calling the ListObjects operation: The AWS Access Key Id you provided does not exist in our records. But running it from the command line worked.


I had the same problem on Windows using the JavaScript module aws-sdk. I had changed my IAM credentials and the problem persisted even when I gave the new credentials through the method update, like this:

s3.config.update({
    accessKeyId: 'ACCESS_KEY_ID',
    secretAccessKey: 'SECRET_ACCESS_KEY',
    region: 'REGION',
});

After a while I found that the module aws-sdk had created a file inside the folder User on Windows with this path:

C:\Users\User\.aws\credentials

The credentials inside this file take precedence over the other data passed through the method update.

The solution for me was to write here

C:\Users\User\.aws\credentials

the new credentials and not with the method s3.config.update.


I made the mistake of setting my variables with quotation marks like this:

AWS_ACCESS_KEY_ID="..."


For me, I was relying on IAM EC2 roles to give access to our machines to specific resources.

I didn't even know there was a credentials file at ~/.aws/credentials, until I rotated/removed some of our accessKeys at the IAM console to tighten our security, and that suddenly made one of the scripts stop working on a single machine.

Deleting that credentials file fixed it for me.


Assuming you already checked the Access Key ID and Secret... you might want to check the file team-provider-info.json, which can be found under the amplify/ folder.

"awscloudformation": {
      "AuthRoleName": "<role identifier>",
      "UnauthRoleArn": "arn:aws:iam::<specific to your account and role>",
      "AuthRoleArn": "arn:aws:iam::<specific to your account and role>",
      "Region": "us-east-1",
      "DeploymentBucketName": "<role identifier>",
      "UnauthRoleName": "<role identifier>",
      "StackName": "amplify-test-dev",
      "StackId": "arn:aws:cloudformation:<stack identifier>",
      "AmplifyAppId": "<id>"
    }

The IAM role being referred to here should be active in the IAM console.


Adding one more answer since all the above cases didn't work for me.

In the AWS console, check your credentials (My Security Credentials) and see if you have entered the right credentials.

Thanks to this discussion: https://forums.aws.amazon.com/message.jspa?messageID=771815


If you get this error in an Amplify project, check that "awsConfigFilePath" is not configured in amplify/.config/local-aws-info.json

In my case I had to remove it, so my environment looked like the following:

{
  // **INCORRECT**
  // This will not use your profile in ~/.aws/credentials, but instead the
  // specified config file path
  // "dev": {
  //  "configLevel": "project",
  //  "useProfile": false,
  //  "awsConfigFilePath": "/Users/dev1/.amplify/awscloudformation/cEclTB7ddy"
  // },
  // **CORRECT**
  "dev": {
    "configLevel": "project",
    "useProfile": true,
    "profileName": "default"
  }
}


I tried the steps below and it worked:

  1. cd ~

  2. cd .aws

  3. vi credentials

  4. Delete aws_access_key_id = and aws_secret_access_key = by placing the cursor on that line and pressing dd (the vi command to delete a line).

Delete both lines and check again.


Maybe you need to activate your API keys in the web console. I just saw that mine were inactive for some reason...


You can configure profiles in the bash_profile file using

[<profile_name>]
aws_access_key_id = <access_key>
aws_secret_access_key = <access_key_secret>

If you are using multiple profiles, then use:

aws s3 ls --profile <profile_name>


To those of you who run aws s3 ls and get this exception: make sure you have permissions to all regions under the provided AWS account. When running aws s3 ls you try to pull all the S3 buckets under the AWS account. Therefore, in case you don't have permissions to all regions, you'll get this exception: An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.

Follow Describing your Regions using the AWS CLI for more info.


Besides aws_access_key_id and aws_secret_access_key, I also added aws_session_token in credentials, and it works for me.


This could happen because there's an issue with your AWS Secret Access Key. After messing around with AWS Amplify, I ran into this issue. The quickest way is to create a new pair of AWS Access Key ID and AWS Secret Access Key and run aws configure again. It works for me. I hope this helps.


You may have configured AWS credentials correctly, but using these credentials, you may be connecting to some specific S3 endpoint (as was the case with me).

Instead of using:

aws s3 ls

try using:

aws --endpoint-url=https://<your_s3_endpoint_url> s3 ls

Hope this helps those facing a similar problem.

