InvalidClientTokenID error when running Terraform Plan/Apply

Question

I'm setting up a HA cluster in AWS using Terraform and user data. My main.tf looks like this:

provider "aws" {
access_key = "access_key"
secret_key = "secret_key"
}

resource "aws_instance" "etcd" {
ami = "${var.ami}" // coreOS 17508
instance_type = "${var.instance_type}"
key_name = "${var.key_name}"
key_path = "${var.key_path}"
count = "${var.count}"
region = "${var.aws_region}"
user_data = "${file("cloud-config.yml")}"

subnet_id = "${aws_subnet.k8s.id}"
private_ip = "${cidrhost("10.43.0.0/16", 10 + count.index)}"
associate_public_ip_address = true

vpc_security_group_ids = ["${aws_security_group.terraform_swarm.id}"]

tags {
name = "coreOS-master"
}
}

However, when I run terraform plan I get the following error provider.aws: InvalidClientTokenId: The security token included in the request is invalid. status code: 403, request id: 45099d1a-4d6a-11e8-891c-df22e6789996

I've looked around some suggestions were to clear out my ~/.aws/credentials file or update it with the new aws IAM credentials. I'm pretty lost on how to fix this error.

Answer 1

This is usually caused by some certain characters (\ @ !, etc) in the credentials. It can be fixed by re-generating credentials your aws access code and secret key.

Answer 2

This is a general error that can be cause by a few reasons.

Some examples:

1) Invalid credentials passed as environment variables or in ~/.aws/credentials.

Solution: Remove old profiles / credentials and clean all your environment vars:

for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ; do eval unset $var ; done

2) When your aws_secret_access_key contains characters like the plus-sign + or multiple forward-slash /. See more in here.
Solution: Delete credentials and generate new ones.

3) When you try to execute Terraform inside a region which must be explicitly enabled (and wasn't).
(In my case it was me-south-1 (Bahrain) - See more in here).
Solution: Enable region or move to an enabled one.

4) In cases where you work with 3rd party tools like Vault and don't supply valid AWS credentials to communicate with - See more in here.

All will lead to a failure of aws sts:GetCallerIdentity API.