Invalid security token when specifying other another region

Time:12-31

I am using an assumed role, and all environment variables have been set (AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN, AWS_SECRET_ACCESS_KEY, and AWS_ACCESS_KEY_ID).

When I call aws sts get-caller-identity in my default region (ap-southeast-1), it doesn't have a problem:

$ awsudo -u somerolename aws sts get-caller-identity --region ap-southeast-1
{
    "UserId": "XXXXXYYYYYZZZZZZ:botocore-session-1234567",
    "Account": "111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/somerolename/botocore-session-2222333344"
}

But when I change it to the region that I am trying to work in (ap-southeast-3), an error happens:

$ awsudo -u somerolename aws sts get-caller-identity --region ap-southeast-3
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid

How do I resolve this? I have tried other regions as well, but it seems only ap-southeast-1 works.

CodePudding user response:

I think you are facing this issue because the ap-southeast-3 region is not enabled for your account. You can check whether it is enabled by running the following command:

aws ec2 describe-regions --region-names ap-southeast-3

If your region is not enabled, you will get the following response:

{
    "Regions": [
        {
            "Endpoint": "ec2.ap-southeast-3.amazonaws.com",
            "RegionName": "ap-southeast-3",
            "OptInStatus": "not-opted-in"
        }
    ]
}

In order to enable it, you just have to follow the instructions from the AWS docs:

To enable a Region

  • Sign in to the AWS Management Console.
  • In the upper right corner of the console, choose your account name or number and then choose My Account.
  • In the AWS Regions section, next to the name of the Region that you want to enable, choose Enable.
  • In the dialog box, review the informational text and choose Enable Region.
  • Wait until the Region is ready to use.

Please note that enabling a region may take some time. As far as I've experienced, this time is fairly short. You should get an email as soon as the region is enabled.

CodePudding user response:

Ok, so apparently I had to make Global endpoints valid in all regions for STS.

More on that is discussed in the docs here, in the "Managing global endpoint session tokens" section.
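Putting the two answers together as an added example (not code from either poster): a small Python diagnostic that reads the describe-regions opt-in status and the account's STS global endpoint token version and says which fix applies. The sample API outputs are constructed; the live `__main__` block assumes boto3 is installed and credentials are in the environment, and it reads `AWS_STS_REGIONAL_ENDPOINTS` to tell whether the session token came from the global or a Regional STS endpoint.

```python
import json
import os

# Constructed sample outputs (not real account data) in the shape returned by
# `aws ec2 describe-regions` and `aws iam get-account-summary`.
SAMPLE_REGIONS = {"Regions": [
    {"Endpoint": "ec2.ap-southeast-3.amazonaws.com",
     "RegionName": "ap-southeast-3", "OptInStatus": "not-opted-in"},
    {"Endpoint": "ec2.ap-southeast-1.amazonaws.com",
     "RegionName": "ap-southeast-1", "OptInStatus": "opt-in-not-required"},
]}
SAMPLE_SUMMARY = {"SummaryMap": {"GlobalEndpointTokenVersion": 1}}


def opt_in_status(regions_output, region):
    """OptInStatus for `region`, or None if the API did not return it."""
    for r in regions_output.get("Regions", []):
        if r.get("RegionName") == region:
            return r.get("OptInStatus")
    return None


def diagnose(region, regions_output, account_summary, sts_endpoints="legacy"):
    """Explain an InvalidClientTokenId in `region` and list the fixes.
    sts_endpoints mirrors AWS_STS_REGIONAL_ENDPOINTS at assume-role time:
    "legacy" = global STS endpoint, "regional" = Regional endpoint."""
    status = opt_in_status(regions_output, region)
    version = account_summary["SummaryMap"].get("GlobalEndpointTokenVersion", 1)
    if status is None:
        return {"cause": "unknown-region", "fixes": ["check the Region name"]}
    if status == "not-opted-in":
        return {"cause": "region-not-enabled",
                "fixes": ["enable the Region under My Account > AWS Regions"]}
    # Regional-endpoint tokens and v2 global tokens are valid in every Region;
    # default-enabled Regions accept v1 tokens too.
    if status == "opt-in-not-required" or sts_endpoints == "regional" or version >= 2:
        return {"cause": "token-should-be-valid",
                "fixes": ["re-assume the role: tokens issued before a change keep the old version",
                          "check the credentials in the environment variables"]}
    # Opted-in Region, global STS endpoint, v1 token: the case in the question.
    return {"cause": "v1-global-token-in-opt-in-region",
            "fixes": ["aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token",
                      "or set AWS_STS_REGIONAL_ENDPOINTS=regional before assuming the role"]}


if __name__ == "__main__":  # live check; assumes boto3 and valid credentials
    import sys
    import boto3
    target = sys.argv[1] if len(sys.argv) > 1 else "ap-southeast-3"
    regions = boto3.client("ec2", region_name="us-east-1").describe_regions(RegionNames=[target], AllRegions=True)
    summary = boto3.client("iam").get_account_summary()
    print(json.dumps(diagnose(target, regions, summary, os.environ.get("AWS_STS_REGIONAL_ENDPOINTS", "legacy")), indent=2))
```

Run it with the target Region as the argument after assuming the role; the account-summary call needs iam:GetAccountSummary on the assumed role.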
