1

I am trying to create an aws instance through terraform. Despite generating multiple users with different key pairs, all of them seem to return a InvalidClientTokenID error when I try to terraform plan. Below are the options I've tried based on the research I've done:

  • AWS cli configure to save my credentials there
  • "aws sts get-caller-identity" to confirm that the credentials are valid
  • Exported the credentials to my local env
  • Pointed the instance.tf file to my /.aws credentials file through "shared_credentials_files"
  • Generated multiple access keys until I got secret keys with no special symbols

This is my code:

provider "aws" {
  # access_key = "redacted"
  # secret_key = "redacted"
  shared_credentials_files = "/home/nocnoc/.aws/credentials"
  region     = "eu-central-1"
}

resource "aws_instance" "example" {
  ami           = "ami-0965bd5ba4d59211c"
  instance_type = "t3.micro"
}

This is the error message:

$terraform apply 

╷
│ Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 2ea13d91-630c-40dc-84eb-72b26222aecb, api error InvalidClientTokenId: The security token included in the request is invalid.
│ 
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on instance.tf line 1, in provider "aws":
│    1: provider "aws" {
│

Are there any other options that I have not yet considered? I have MFA set up on my AWS account, but so did my tutor and the course didn't mention anything regarding adding a special field into the terraform file regarding that

nocnoc
  • 337
  • 2
  • 12
  • MFA only applies to web access, not API access, so that's no the issue. I suggest testing your credentials with the AWS CLI tool first, to verify you have working API keys before trying to use them in Terraform. – Mark B Nov 02 '22 at 17:07
  • @MarkB I have tried "aws sts get-caller-identity" in order to verify my creds and it behaved as expected. Are there any other commands I can try to test my creds? – nocnoc Nov 02 '22 at 17:14

1 Answers1

0

I had exactly the same issue, valid credentials and aws sts get-caller-identity worked.

The problem was that the ap-east-1 region that my aws provider used was disabled for my account - AWS started adding new regions as disabled since March 2019.

The fix is to enable the region (Console: top right "Global", scroll down "Manage Regions") and wait a few minutes for the update to take place.

The standard regions like eu-central-1 for OP should be activated by default though, so the error must be a different one.

Confusingly the error message is exactly the same though, so I've answered in case more people like me find this post.

Onno Rouast
  • 662
  • 5
  • 14