Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

DynamoDB The security token included in the request is invalid UnrecognizedClientException

I have ~/.aws/credentials and config files and my code is below

clientConfiguration.setProxyHost("MYPROXY");
            clientConfiguration.setProxyPort(port);
            clientConfiguration.setProxyUsername("username");
            clientConfiguration.setProxyPassword("pw");
            clientConfiguration.setPreemptiveBasicProxyAuth(false);


            AmazonDynamoDBClient client = new AmazonDynamoDBClient(new ProfileCredentialsProvider("MY_PROFILE"),clientConfiguration);

         //client.withRegion(Regions.US_EAST_1);
         DynamoDBMapper mapper = new DynamoDBMapper(client);

         // Get a book - Id=101
         GetBook(mapper, 101);

I am getting below exception everytime.I can see session token in my credential file in ~/.aws/credentials

Error running the DynamoDBMapperQueryScanExample: com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: The security token included in the request is invalid. (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: S0NTUAHKE57VC68FM3CVBOFAKFVV4KQNSO5AEMVJF66Q9ASUAAJG)
    com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: The security token included in the request is invalid. (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: S0NTUAHKE57VC68FM3CVBOFAKFVV4KQNSO5AEMVJF66Q9ASUAAJG)

AWS SDK 1.11.24 java Credentials file

[TES1_AWS_STSdigital_Dev_Developer]
aws_access_key_id = XXXXX
aws_secret_access_key = AAAAA
aws_security_token = BBBBBBBB
token_expiration = 2016-08-08T16:34:48Z

[TEST2_AWS_TEST_Dev_ReadOnly]
aws_access_key_id = MMMMMM
aws_secret_access_key = NNNNNN
aws_security_token = OOOOOOO
token_expiration = 2016-08-08T16:34:48Z

[TEST3_AWS_STSdigital_Prod_ProdSupport]
aws_access_key_id = KKKKKKK
aws_secret_access_key = LLLLLLLLL
aws_security_token =FFFFFFFF
token_expiration = 2016-08-08T16:34:48Z

[TEST4_AWS_STSdigital_Prod_Monitoring]
aws_access_key_id = WWWWWW
aws_secret_access_key = SSSSSSSS
aws_security_token = VVVVVVVVV
token_expiration = 2016-08-08T16:34:48Z

config file in ~/.aws/config

[DEFAULT]
scope = urn:amazon:webservices

[saml_provider]
url = https://myprivatesssaccess
default_region = us-east-1

[profile TEST1_AWS_STSdigital_Dev_Developer]
saml_role = arn:aws:iam::44444444:role/TEST1_AWS_STSdigital_Dev_Developer
region = us-east-1

[profile TEST2_AWS_TEST_Dev_ReadOnly]
saml_role = arn:aws:iam::3333333:role/TEST2_AWS_TEST_Dev_ReadOnly
region = us-east-1

[profile TEST3_STSdigital_Prod_ProdSupport]
saml_role = arn:aws:iam::222222:role/TEST3_AWS_STSdigital_Prod_ProdSupport
region = us-east-1

[profile TEST4_AWS_STSdigital_Prod_Monitoring]
saml_role = arn:aws:iam::1111111:role/TEST4_AWS_STSdigital_Prod_Monitoring
region = us-east-1
like image 459
chiru Avatar asked Aug 06 '16 05:08

chiru


People also ask

How to fix the security token included in the request is invalid?

The error "the Security Token included in the Request in Invalid" can occur for multiple reasons: The user's credentials are inactive. Open the IAM console, click on the user, and in the Security Credentials tab, make sure the security credentials of the user are active.

How do I resolve the error the security token included in the request is expired?

You must refresh the credentials before they expire. Another reason for expiration is using the incorrect time. A consistent and accurate time reference is crucial for many server tasks and processes. If your instance's date and time aren't set correctly, the AWS credentials are rejected.

What is an invalid security token?

If you're trying to reset your password and you receive an error citing an “invalid token” or asking you for your token, it's likely that the link you clicked on to reset your password has expired. For security reasons, passwords are never sent out across the Internet.


2 Answers

Start with the simple things. Have you checked the permissions on the files? At least from Linux they need to be 600 or user read/write, group and world no access.

Have you checked the AWS side to verify that these credentials are associated with the account you are trying to use?

Can you run a simple command that uses the credentials? The CLI aws command from Amazon is a perfect place to start.

aws ec2 help

is good first check. Then try to access some information that is generally available, like the spot EC2 instance price history:

aws ec2 describe-spot-price-history --prod "Linux/UNIX" --start-time 2016-08-15

should give you thousands of lines of output. Then try to access some of your own account info:

aws ec2 describe-instances

At this point, you know everything is working from the CLI. The next step is to very Java connectivity, which should just work now if you run it from the same machine with the same home directory where ~/.aws/ is found.

I use DynamoDB access from Java every day. Once you clear a few hurdles it works great.

like image 136
Daniel Wisehart Avatar answered Sep 21 '22 20:09

Daniel Wisehart


I received this error when I had my region set to RegionEndpoint.APEast1 instead of RegionEndpoint.USEast1. My error, I accepted the first "East1" string I saw in intellisense.

like image 30
C.M. Avatar answered Sep 19 '22 20:09

C.M.