AWS Session Token not working #3243

Closed
cdorros opened this issue Sep 15, 2015 · 14 comments

@cdorros

cdorros commented Sep 15, 2015

Experiencing an issue in which an AWS Session Token (STS) works using the AWS CLI but not via Terraform.

This works:

$ AWS_ACCESS_KEY_ID='mykey' AWS_SECRET_ACCESS_KEY='mysecretkey' AWS_SESSION_TOKEN='mysessiontoken' aws ec2 describe-instances

This doesn't:

$ AWS_ACCESS_KEY_ID='mykey' AWS_SECRET_ACCESS_KEY='mysecretkey' AWS_SESSION_TOKEN='mysessiontoken' terraform plan
Error refreshing state: 1 error(s) occurred:

* 1 error(s) occurred:

* InvalidClientTokenId: The security token included in the request is invalid
    status code: 403, request id: [xxxxxxx]

I've verified it isn't pulling creds from any other variables (like tfvars or ~/.aws), and that the account/region matches. I've also tried exporting the env vars first instead of inline.

$ terraform version
Terraform v0.6.3

$ aws --version
aws-cli/1.8.3 Python/2.7.6 Linux/3.13.0-62-generic
@pearcec
Contributor

pearcec commented Sep 23, 2015

I had a similar issue. When I dropped the quotes it worked, which shouldn't be the case IMO, but it was. Try that to see if it fixes it.

@sherabi

sherabi commented Nov 3, 2015

I tried with quotes, without quotes and with single quotes. Still doesn't work. Using 0.6.6.

@sherabi

sherabi commented Nov 3, 2015

Use AWS_SECURITY_TOKEN and NOT AWS_SESSION_TOKEN.

@artburkart
Contributor

I am experiencing the same bug. Terraform reads my terraform.tfvars file on my Mac, but not on an Ubuntu EC2 instance. I have to manually feed the values into my command.

This doesn't work on the Ubuntu EC2 instance:
terraform plan
terraform plan -var-file="terraform.tfvars"

This does work:
AWS_ACCESS_KEY_ID=<aws_access_key_id/> AWS_SECRET_ACCESS_KEY=<aws_secret_access_key/> terraform plan

All of the above works on my OS X box.

Versions:

$ terraform -v
Terraform v0.6.3

Your version of Terraform is out of date! The latest version
is 0.6.6. You can update by downloading from www.terraform.io

$ aws --version
aws-cli/1.2.9 Python/3.4.0 Linux/3.13.0-48-generic

@artburkart
Contributor

If there is a bit of code someone could point me to, I'd be more than happy to attempt a PR. This bug is kind of a bummer.

@sherabi

sherabi commented Nov 20, 2015

OK, so after trying a lot, here is the conclusion I have reached:
If you are using tokens, do not rely on your tfvars file; instead export all the environment variables without quotes, like so:

export AWS_ACCESS_KEY_ID=SOMETHING-WITHOUT-QUOTES
export AWS_SECRET_ACCESS_KEY=SOMETHING-ELSE-WITHOUT-QUOTES
export AWS_SESSION_TOKEN=LONG-TOKEN-WITHOUT-QUOTES

This seems to work on Macs and Linux with any version of Terraform.

@phinze
Contributor

phinze commented Dec 3, 2015

Going to merge this back down with #2693; we'll get this looked at soon.

@gtmtech

gtmtech commented Dec 22, 2015

In case anybody comes across this and has a similar situation to me, I find the above language very, very confusing, and specifically:

A "session token" is the one given out by STS in response to an AssumeRole() call. It can be used within Terraform by defining the AWS_SESSION_TOKEN environment variable beforehand:

export AWS_SESSION_TOKEN=<TOKENDATA>

or, better still, by defining aws_session_token within $HOME/.aws/credentials, using an aws configure line like:

aws configure --profile=someprofilename set aws_session_token <TOKENDATA>

The boto framework (in case anyone is using that in conjunction with Terraform like me) seems to use incorrect terminology and calls it aws_security_token instead. This can exist in $HOME/.aws/credentials as aws_security_token, but you cannot set it using aws configure as above, because it is not an AWS-approved variable name. Boto seems to be basically wrong in this case (or maybe out of date). You can get it working with the boto framework by setting AWS_SECURITY_TOKEN:

export AWS_SECURITY_TOKEN=$( aws configure --profile=someprofilename get aws_session_token )

(Yes, I really did mean to set AWS_SECURITY_TOKEN to the value of aws_session_token; that's the massive confusion from the boto framework.)

And just to confuse matters, Terraform implements its own AWS_SECURITY_TOKEN, which is something else entirely: it is the MFA token you might present if your user login requires an MFA token.

I hope this clears up the naming around these variables for someone else. I found it all very confusing.

@catsby
Contributor

catsby commented Jan 4, 2016

Thank you for the clarification here @gtmtech; hopefully #4254 provides some fixes here too.

@MrAtheist

I'm having the exact same problem in 0.6.9. But funny that it wasn't a problem in 0.6.8 or 0.6.7. Anyone else experience this? I'm exporting the following and somehow the new release broke it...

export AWS_SECRET_ACCESS_KEY=hello
export AWS_ACCESS_KEY_ID=itsme
export AWS_SESSION_TOKEN=IwaswonderingifafteralltheseyearsYou'dliketomeettogoovereverything
export TF_VAR_secret_key=$AWS_SECRET_ACCESS_KEY
export TF_VAR_access_key=$AWS_ACCESS_KEY_ID

All I get back is the InvalidClientTokenId error. Any clue?

@jonathanallen

At some point a feature was added that makes the IAM GetUser call to test for valid credentials. If you are calling terraform with dynamic credentials generated by IAM GetSessionToken, those credentials cannot be used to make IAM calls unless you are using MFA. The AWS docs say: "Cannot call IAM APIs unless MFA information is included with the request."

CLI call confirms it:

$ aws iam get-user

A client error (InvalidClientTokenId) occurred when calling the GetUser operation: The security token included in the request is invalid

It would be nice to be able to use session tokens if you weren't using Terraform to manage AWS IAM resources. I am guessing the appropriate way to address this would be to use AssumeRole and use those credentials.
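
As an added example (not code from this thread, from Terraform or from boto), the shell helper below reads one profile's temporary credentials from an AWS shared credentials file and prints the export lines under both variable names discussed above: AWS_SESSION_TOKEN, which the AWS CLI and Terraform read, and the legacy AWS_SECURITY_TOKEN that older boto reads. It refuses to export an empty token, since an empty AWS_SESSION_TOKEN next to long-lived keys also produces a 403. check_session then separates the two failure modes described in the comments: STS rejecting the credentials outright versus IAM GetUser rejecting GetSessionToken credentials that were issued without MFA. The credentials file contents are constructed for the demo, the key material is fake, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the issue thread, Terraform or boto.
# Emits export lines for a profile's temporary credentials under every
# variable name the thread mentions, and offers a network check that
# tells an invalid token apart from a token that merely cannot call IAM.

# read_cred FILE PROFILE KEY: print KEY's value from section [PROFILE]
# of an INI-style shared credentials file (empty if absent).
read_cred() {
  awk -v profile="$2" -v key="$3" '
    /^[ \t]*\[/ { in_section = ($0 ~ ("^[ \t]*\\[" profile "\\][ \t]*$")); next }
    in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
    }' "$1"
}

# session_exports FILE PROFILE: print export lines for PROFILE.
# Returns 1 if the key pair is missing, 2 if there is no session token
# (long-lived keys, where exporting an empty token would itself cause 403s).
session_exports() {
  file=$1; profile=$2
  id=$(read_cred "$file" "$profile" aws_access_key_id)
  secret=$(read_cred "$file" "$profile" aws_secret_access_key)
  token=$(read_cred "$file" "$profile" aws_session_token)
  if [ -z "$id" ] || [ -z "$secret" ]; then
    echo "profile $profile: missing aws_access_key_id or aws_secret_access_key" >&2
    return 1
  fi
  if [ -z "$token" ]; then
    echo "profile $profile: no aws_session_token (long-lived keys?)" >&2
    return 2
  fi
  # Values are printed unquoted, as the thread recommends; STS tokens only
  # contain base64 characters plus '/', '+' and '=', none of which need quoting.
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$id"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$token"   # AWS CLI, Terraform
  printf 'export AWS_SECURITY_TOKEN=%s\n' "$token"  # legacy name read by older boto
}

# check_session: network check, not run in the demo below.
# sts get-caller-identity accepts any valid credentials, while iam get-user
# is the call the thread says Terraform makes and fails for GetSessionToken
# credentials issued without MFA. Running both tells the two 403s apart.
check_session() {
  if ! aws sts get-caller-identity >/dev/null 2>&1; then
    echo "STS rejects these credentials: token invalid, expired or mismatched key pair" >&2
    return 1
  fi
  if ! aws iam get-user >/dev/null 2>&1; then
    echo "STS accepts the token but IAM GetUser does not: GetSessionToken credentials without MFA? Use AssumeRole credentials instead." >&2
    return 2
  fi
}

# Demo with a constructed credentials file (fake values).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLELONGLIVED
aws_secret_access_key = longlivedsecretEXAMPLE

[assumed]
aws_access_key_id = ASIAEXAMPLETEMPORARY
aws_secret_access_key = temporarysecretEXAMPLE
aws_session_token = FwoGZXIvYXdzEXAMPLE/token+data==
EOF
session_exports "$demo_file" assumed
```

Typical use is `eval "$(session_exports ~/.aws/credentials someprofilename)"` followed by `terraform plan`; if that still returns InvalidClientTokenId, `check_session` reports whether STS itself rejects the token or only IAM GetUser does.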

@bvinayak

Hi,

It worked for me when I ran "aws configure" and set all the values again.

@hpganesh1

It did not work when I saved the creds directly in the config file. But when I set them through the CLI using aws configure, it started working.

@ghost

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020