5

I'm implementing AWS ClientManager to obtain secret variables saved in AWS. I had an initial implementation like below:

```javascript
// Load the AWS SDK
var AWS = require('aws-sdk'),
    region = "us-west-2",
    secretName = "secretName",
    accessKeyId = myAccessKey,
    secretAccessKey = mySecretAccessKey,
    secret,
    decodedBinarySecret;

var client = new AWS.SecretsManager({
    region: region,
});

client.getSecretValue({SecretId: secretName}, function(err, data) {
    if (err) {
        console.log("Error Happened");
        console.log(err);
    }
    else {
        if ('SecretString' in data) {
            secret = data.SecretString;
        } else {
            // Buffer.from replaces the deprecated `new Buffer(...)` constructor
            let buff = Buffer.from(data.SecretBinary, 'base64');
            decodedBinarySecret = buff.toString('ascii');
        }
    }
});
```

When I start the server it throws the following exception

{ UnrecognizedClientException: The security token included in the request is invalid. message: 'The security token included in the request is invalid.', code: 'UnrecognizedClientException', time: 2019-07-01T12:16:00.021Z, requestId: 'c7ed53c1-fb70-4012-aa9f-5a9a3195a043', statusCode: 400, retryable: false, retryDelay: 40.923844792180674 }

Mani
  • Were you able to figure out the issue? How did you manage to resolve it? – Rakesh_Kumar Jun 28 '20 at 16:19
  • @Rakesh_Kumar No, I am sure it has something to do with location settings in `aws console` – Mani Jul 14 '20 at 19:12
  • For me, the problem is that the credentials work when I run the function locally on my machine, but when I upload the same function with the same credentials to AWS, then I get this error – Nermin May 12 '23 at 06:37

2 Answers

14

The "security token included in the request is invalid" error almost always means there is something wrong with your credentials. Either the accessKeyId or secretAccessKey (or both) are wrong.

You can try validating your credentials with the AWS CLI, using the STS get caller identity call, before using them in your code.

JoeB
  • 1
    While running the CLI `aws configure`, I wasn't able to set the token. I had to manually copy the token inside the `~/.aws/credentials` file from my application panel. – imrok Apr 11 '21 at 15:47
  • I ran into a similar problem, and found the article very helpful. https://bobbyhadz.com/blog/aws-cli-security-token-included-request-invalid In my case, for some reason after setting up aws-cdk, my stack environment uses [default] user, which in my case was inactive. – Libertatem Jan 20 '22 at 05:38
  • thanks - I had disabled my credentials, only after reading your answer did I remember – Hom Bahrani Feb 03 '23 at 11:03
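
Before the live `aws sts get-caller-identity` check suggested in the answer above, a local pre-flight can show which credential set a Node process would resolve and whether it is complete. This is an added example, not code from the answer or from the AWS SDK. It assumes a simplified lookup order (environment variables, then the shared credentials file); the function names and all key values are constructed for illustration.

```javascript
// Added example (not from the page or the AWS SDK): offline credential pre-flight.
// Assumed, simplified lookup order: environment variables, then the shared credentials file.
// Parse shared-credentials-file text: [profile] sections holding key = value lines.
function parseIni(text) {
  const profiles = Object.create(null);
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const section = line.match(/^\[(.+)\]$/);
    if (section) { current = profiles[section[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Return the credential set that would be used and where it came from.
function resolveCredentials(env, iniText) {
  if (env.AWS_ACCESS_KEY_ID) {
    return { source: 'environment', accessKeyId: env.AWS_ACCESS_KEY_ID,
             secretAccessKey: env.AWS_SECRET_ACCESS_KEY, sessionToken: env.AWS_SESSION_TOKEN };
  }
  const name = env.AWS_PROFILE || 'default';
  const p = parseIni(iniText)[name];
  if (!p) return { source: 'profile:' + name, missing: true };
  return { source: 'profile:' + name, accessKeyId: p.aws_access_key_id,
           secretAccessKey: p.aws_secret_access_key, sessionToken: p.aws_session_token };
}

// ASIA-prefixed key ids are temporary STS keys and need a session token; AKIA ids are long-term.
function findProblems(c) {
  if (c.missing) return ['profile not found in credentials file'];
  const id = c.accessKeyId || '', problems = [];
  if (!id) problems.push('no access key id');
  if (!c.secretAccessKey) problems.push('no secret access key');
  if (id.startsWith('ASIA') && !c.sessionToken) problems.push('temporary key without session token');
  if (id.startsWith('AKIA') && c.sessionToken) problems.push('long-term key with a session token');
  return problems;
}

// Constructed sample: [default] holds a temporary key whose token was never copied in.
const SAMPLE_FILE = [
  '[default]', 'aws_access_key_id = ASIACONSTRUCTED00001', 'aws_secret_access_key = constructed-1',
  '[deploy]', 'aws_access_key_id = AKIACONSTRUCTED00002', 'aws_secret_access_key = constructed-2',
].join('\n');
for (const env of [{}, { AWS_PROFILE: 'deploy' }, { AWS_PROFILE: 'typo' }]) {
  const c = resolveCredentials(env, SAMPLE_FILE);
  console.log(c.source, findProblems(c)); // logs the source and problem list only, never secrets
}
```

A clean result here only means the credential set is well-formed; whether the key is active is still something only the STS call can confirm.
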
4

You need to add the endpoint so that AWS picks up the access token you defined with `aws configure`. Add this code when creating the table:

```
--endpoint-url http://localhost:8000 //localhost in my case because I'm running locally, but you can put your domain or server port there
```

```javascript
AWS.config.update({
    region: "us-west-2",
    endpoint: "http://localhost:8000",
    accessKeyId: "your access id",
    secretAccessKey: "your access key"
});
```
shox
Desarrollalab