I cd into the directory where all the pem/key files are and run the following:
aws iam upload-server-certificate
--server-certificate-name certificate_name
--certificate-body file://webservercertificate.pem
--private-key file://server.key
--certificate-chain file://certificate_chain_file.pem
I get the following error:
A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.
I have 1 'user' in 'users'. That user has been assigned the following permissions:
IAMFullAccess IAMReadOnlyAccess IAMUserSSHKeys
I've downloaded the credentials for this user and put them into my user variables
AWS_ACCESS_KEY ****
AWS_SECRET_KEY ****
I have 1 role on my elastic beanstalk aws-elasticbeanstalk-ec2-role
This question is related to
amazon-web-services
amazon-iam
aws-cli
The answer is
Try to go to the security credentials on your account page: Click on your name in the top right corner -> My security credentials
Then generate access keys over there and use those access keys in your credentials file (aws configure)
If you have been given a Session Token also, then you need to manually set it after configure:
aws configure set aws_session_token "<<your session token>>"
I had to specify the AWS profile to use --profile default explicitly to get rid of this error while running AWS CLI commands. I could not understand though that why it did not pick up this profile automatically as there was only [dafault] profile present in my aws config and credentials file.
I hope this helps.
Cheers, Kunal
In my situation, the problem was due to running powershell as an admin, so it was looking for the aws credentials in the root of my admin user. There's probably a better way to resolve this, but what worked quickly for me was recreating my .aws folder in the root of my admin user.
This can also happen when you disabled MFA. There will be an old long term entry in the AWS credentials.
Edit the file manually with editor of choice, here using vi (please backup before):
vi ~/.aws/credentials
Then remove the [default-long-term] section. As result in a minimal setup there should be one section [default] left with the actual credentials.
[default-long-term]
aws_access_key_id = ...
aws_secret_access_key = ...
aws_mfa_device = ...
If you're using the CLI with MFA, you have to set the session token in addition to setting the access and secret keys. Please refer to this article: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
Try to export the correct profile i.e. $ export AWS_PROFILE="default"
If you only have a default profile make sure the keys are correct and rerun aws configure
I had the same error but was caused by a different issue.
The credentials were changed on AWS but I was still using a cached MFA session token for the config profile.
There is a cache file for each profile under ~/.aws/cli/cache/ containing the session token.
Remove the cache file, reissue the command and enter a new MFA token and its good to go.
If switching from using temporary IAM role credentials to using IAM user credentials, don't forget to ensure AWS_SESSION_TOKEN, which is only used for temporary credentials, no longer has a value:
unset AWS_SESSION_TOKEN # unset the environment variable
I had similar issue when I was deploying my django application over elastic Beanstalk and what I found is when I was trying various methods somehow one eb-cli profile got created in config file in ~/.aws/ folder so once I got rid of that everything worked fine!!.
This is weird, but in my case whenever I wanted to retype the access id and the key by typing aws configure.
Adding the id access end up always with a mess in the access id entry in the file located ~/.aws/credentials(see the picture) 
I have removed this mess and left only the access id. And the error resolved.
This happened to me when using java sdk. The problem was for me was i wasnt using the session token from assumed role.
Working code example ( in kotlin )
val identityUserPoolProviderClient = AWSCognitoIdentityProviderClientBuilder
.standard()
.withCredentials(AWSStaticCredentialsProvider(BasicSessionCredentials("accessKeyId", ""secretAccessKey, "sessionToken")))
.build()
In my case, there were two different 'AWS_SECRET_ACCESS_KEY' and 'AWS_ACCESS_KEY_ID' values set one through the Windows environment variable and one through the command line.
So, update these two and the default_region using a command line
> aws configure
Press enter and follow the steps to fill the correct
AWS_ACESS_KEY_ID AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION
> aws sts get-caller-identity
should return the new set credentials
I thought you could avoid it by just passing the --no-sign-request param, like so:
aws --region us-west-2 --no-sign-request --endpoint-url=http://192.168.99.100:4572 \
s3 mb s3://mytestbucket
I had the same error, even after re-running aws configure, and inputting a new AWS_ACESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
What fixed it for me was to delete my ~/.aws/credentials file and re-run aws configure.
It seems that my ~/.aws/credentials file had an additional value: aws_session_token which was causing the error. After deleting and re-creating the ~/.aws/configure using the command aws configure, there is now only values for aws_access_key_id and aws_secret_access_key.
I was able to use AWS cli fully authenticated, so for me the issue was within terraform for sure. I tried all the steps above with no success. A reboot fixed it for me, there must be some a cache somewhere in terraform that was causing this issue.
You are somehow using wrong AWS Credentials (AccessKey and SecretKey) of AWS Account. So make sure they are correct else you need to create new and use them - in that case may be @Prakash answer is good for you
- Click on your username in the top nav, My Security Credentials
- Click on Access Key Tab, Create New, copy the key and secret.
- From the terminal run
$ aws configureand use the new key and secret. Run the command again:
serverless invoke local --function create --path mocks/create-event.json
Source: Stackoverflow.com