2

I am working with AWS SAM, and when I try to run sam deploy, I get this error:

Error: Failed to create managed resources: An error occurred (InvalidClientTokenId) when calling the CreateChangeSet operation: The security token included in the request is invalid. 

I had already changed my credentials in .aws and changed them using the command aws configure. I also get the error when I try to access anything online, for example if I try to upload a file to an S3 bucket.

Error: botocore.exceptions.ClientError: An error occurred (UnrecognizedClientException) when calling the UpdateItem operation: The security token included in the request is invalid.

Any ideas?

Teddy Aryono
Alexander Bodner

4 Answers

4

I guess your credentials are OK, but check again if you are pointing to the right region. That was my problem indeed.

  • 1
    Yeah, I found my issue was the region for deployment didn't match the region specified in the credentials. Once the deployment region was changed to match credentials, it worked. The error "security token is invalid" doesn't make that obvious. – SweetFeet May 25 '22 at 20:11
  • 1
    Thanks. I selected the same region and it worked – K.Nehe Sep 23 '22 at 12:56
  • 1
    I had `AWS_REGION` set as an env var, and I was getting this error. Passing it specifically with the command resolved it: `sam validate --region ` Not sure why it doesn't honor the region set in the env-var. Perhaps to force the user to specify it so we don't screw stuff up. – Josh M. Oct 12 '22 at 14:33
3

You need to check if you have set the default credentials in your ~/.aws/credentials file. If you have multiple and don't have a default specified in the shared credentials file, and you don't have anything set in your environment, the SAM CLI will fail with the above messages.

You can use this doc for setting them.

samtoddler
  • I followed all the AWS docs, including the part that you told me about. I should add that I am using Windows. – Alexander Bodner Jan 03 '21 at 16:51
  • Exporting the credentials in Windows is different; I described it in [this post](https://stackoverflow.com/questions/65539028/credentialserror-missing-credentials-in-config-if-using-aws-config-file-set-a/65539270#65539270) – samtoddler Jan 03 '21 at 17:12
  • It shouldn't make a difference, as the error that I get is a different one from the one in the post. I set up the credentials correctly, but I get that they are invalid. – Alexander Bodner Jan 03 '21 at 21:32
  • What I meant by sharing the post is: try exporting them in the command line and see if they work. Sometimes even a single char missing, or it picking something else up from the environment, makes the difference. You can try calling [get-caller-identity](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-caller-identity.html) and see if this is picking up from the config; otherwise export them and do the test. If nothing works, check the credentials in the console to see if they are valid or matching what you have on your system. – samtoddler Jan 03 '21 at 21:37
  • Hi, when I try calling get-caller-identity I get the same error, that the token included in the request is invalid. I tried configuring the credentials any way possible, and when I check while doing aws configure I get as a default the credentials that are OK, so I'm clueless. Any ideas? – Alexander Bodner Jan 07 '21 at 22:00
1

I added the profile to the command and it worked.

```
sam deploy --guided --profile <your aws profile>
```
0

My particular resolution when I received the "token invalid in request" was:

  1. I tried using a different profile than default, then updated the default to the profile I wanted to run with.
  2. Start "sam init" with the default set as needed and don't make changes when going from init to build to deploy. The documentation mentions setting env vars for keys, but I have not tried it.
user1154422
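
Several answers above come down to finding out which credentials a command actually picks up. The following is an added example, not code from any poster: a simplified model of the SDK lookup order in a hypothetical `resolve_credentials` helper, run here on constructed sample keys, that reports the source and the last four characters of the access key ID so it can be compared with the key shown in the console.

```python
import configparser

# Constructed sample of a shared credentials file (no real keys).
SAMPLE_CREDENTIALS = """
[dev]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = constructed-secret
"""

def resolve_credentials(env, credentials_text, explicit_profile=None):
    """Report where the access key would come from, without printing secrets.

    Simplified model of the SDK lookup order (an assumption of this example):
    environment keys win unless a profile is passed explicitly (--profile);
    otherwise the profile named by AWS_PROFILE, or 'default', is read from
    the shared credentials file.
    """
    result = {"source": "none", "profile": None, "key_suffix": None, "warnings": []}
    env_key = env.get("AWS_ACCESS_KEY_ID")
    if explicit_profile is None and env_key:
        cleaned = env_key.strip("\"' ")
        result.update(source="environment", key_suffix=cleaned[-4:])
        if cleaned != env_key:
            # e.g. cmd.exe `set VAR="value"` stores the quotes in the value
            result["warnings"].append("AWS_ACCESS_KEY_ID has stray quotes or spaces")
        return result
    profile = explicit_profile or env.get("AWS_PROFILE") or "default"
    result["profile"] = profile
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(credentials_text)
    if parser.has_option(profile, "aws_access_key_id"):
        result.update(source="shared-credentials-file",
                      key_suffix=parser[profile]["aws_access_key_id"][-4:])
    else:
        result["warnings"].append(f"no [{profile}] keys in credentials file")
    return result

if __name__ == "__main__":
    import os
    import pathlib
    path = pathlib.Path.home() / ".aws" / "credentials"
    text = path.read_text() if path.exists() else ""
    print(resolve_credentials(os.environ, text))
```

If the reported suffix does not match the active key in the IAM console, the command is signing requests with a stale or unintended key.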