Why did I receive the IAM error "AWS was not able to validate the provided access credentials" in some AWS Regions?

3 minute read

I assumed an AWS Identity and Access Management (IAM) role and my API call returned an error similar to the following: "An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials."

Short description

The AWS Security Token Service (AWS STS) supports an updated version of session tokens, version 2. New AWS Regions (for example, Bahrain) are not enabled by default and only accept the updated version of session tokens. This error can occur if version 1 session tokens are used to make a request to service endpoints in an AWS Region that are not enabled by default. For more information, see Managing AWS STS in an AWS Region.

Resolution

Session tokens obtained from Regional AWS STS endpoint are of version 2 and valid in all AWS Regions. As a best practice, it is recommended to use Regional STS endpoints. Using an endpoint that is geographically closer to your application reduces latency and provides better response times.

Use one of the following methods to resolve this issue.

Obtain tokens from a Regional endpoint

The following example command uses AWS SDK for Python (Boto3).

Note:

Replace your-region, AccountID, and RoleName as per your environment.
Setting the endpoint_url is required to configure the STS client for the Regional endpoint.

# Replace existing code to create STS client with the following
sts_client = boto3.client('sts', region_name='your-region', endpoint_url='https://sts.your-region.amazonaws.com')

Include region and endpoint url options in the existing bash script/command to use regional endpoints.

aws sts assume-role --role-arn arn:aws:iam::AccountID:role/RoleName --role-session-name RoleName --region your-region --endpoint-url https://sts.your-region.amazonaws.com

Change Region compatibility of session tokens for global endpoint

By default, the AWS STS calls to the global endpoint issues session tokens which are of version 1. Version 1 tokens are only valid in AWS Regions that are enabled by default. However, you can also configure the STS global endpoint to issue tokens in version 2 that can be used in all AWS Regions.

For instructions, see change the Region compatibility of session tokens for the global endpoint.

Important: Version 2 tokens include more characters than version 1. This might affect the existing systems where you temporarily store tokens.

Related information

AWS Security Token Service (STS) now supports enabling the global STS endpoint to issue session tokens compatible with all AWS Regions

Regions and endpoints

Topics

Security, Identity, & Compliance

Relevant content

How to use AWS STS service?
rePost-User-6029039
asked a year ago
AWS STS Temporary Credentials S3 Access Denied PutObject
C9n7r
asked 4 years ago
Greengrass Token Exchange Service not providing credentials to component
Phil Begg
asked a year ago
ec2tagger: Unable to describe ec2 tags for initial retrieval: AuthFailure: AWS was not able to validate the provided access credentials / cloudwatch log agent, vpc endpoints
AWS-User-4033111
asked 2 years ago
STS temporary credentials: "Access Key Id you provided does not exist"
BrightSoul
asked 4 years ago
I'm using the AWS CLI, an AWS SDK, or an application to access my Amazon S3 bucket, but I'm getting the error "The AWS Access Key Id you provided does not exist in our records." Why?
AWS OFFICIALUpdated 3 years ago
Why do I receive errors when I run AWS CLI commands?
AWS OFFICIALUpdated 6 months ago
How can I troubleshoot the AWS STS error “the security token included in the request is expired” when using the AWS CLI to assume an IAM role?
AWS OFFICIALUpdated 2 years ago
Why did my AWS DMS task validation fail, or why isn't the validation progressing?
AWS OFFICIALUpdated 7 months ago
AWS Cognito Finally Supports Custom Claims for Access Tokens
EXPERT
Antonio_Lagrotteria
published a month ago