aws cli get error "The security token included in the request is invalid"

Question

I did aws configure and test it worked before. But it didn't work today, I got the the error when tried to get hosted zone

 $ aws route53 list-hosted-zones

 An error occurred (InvalidClientTokenId) when calling the ListHostedZones operation: The security token included in the request is invalid.

I deleted ~/.aws and did aws configure again, but I still got the same error. Could you please help? Thanks!

Answer 1

After you enabled MFA, you will have to pass temporary credentials you received from executing
aws sts get-session-token on each future request.

With environment variables:

export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=YYY
export AWS_DEFAULT_REGION=us-east-2
export AWS_SESSION_TOKEN=ZZZ

With named profiles:

[mfa]
aws_access_key_id = XXX
aws_secret_access_key = YYY
aws_session_token = ZZZ

The An error occurred (InvalidClientTokenId) ... error might occur again and again if you forget to remove the previous temporary credentials.

So, if you're using environment variables don't forget to unset all variables before new execution of aws sts get-session-token:

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN

If you're using named profiles - don't forget to update the profile under .aws/credentials.

Answer 2

Do you have MFA enabled on your account? You might have to run

aws sts get-session-token

Details for how to use MFA with the cli are documented here.