cdk command returns InvalidClientTokenId: The security token included in the request is invalid. #8535

Closed
ironlyon1906 opened this issue Jun 13, 2020 · 9 comments
Labels
guidance Question that needs advice or information. needs-reproduction This issue needs reproduction. needs-triage This issue or PR still needs to be triaged. package/tools Related to AWS CDK Tools or CLI

Comments

@ironlyon1906

ironlyon1906 commented Jun 13, 2020

❓ General Issue

The Question

Environment

  • CDK CLI Version: 1.44.0
  • Module Version:
  • Node.js Version: 12.16.2
  • OS: macOS 10.14 Mojave
  • Language (Version): Java 11

Other information

@ironlyon1906 ironlyon1906 added the needs-triage This issue or PR still needs to be triaged. label Jun 13, 2020
@ironlyon1906
Author

ironlyon1906 commented Jun 13, 2020

The "cdk synth" command, or any cdk command for that matter, keeps returning: InvalidClientTokenId: The security token included in the request is invalid. I am running in a macOS term window. The CDK is just building a YAML template from the sample code, so I am not sure why it needs to authenticate anything at this point; it's all local. I have an AWS account with a default profile set up in my ~/.aws/config and ~/.aws/credentials files. I have even tried setting my access_key and security_id env variables and still get this error. This seems to be a bug. Can someone assist?

@SomayaB SomayaB added bug This issue is a bug. guidance Question that needs advice or information. package/tools Related to AWS CDK Tools or CLI labels Jun 15, 2020
@shivlaks
Contributor

@ironlyon1906 can you expand a little more on the steps to reproduce the scenario you're running into?

i.e. what does the structure of your ~/.aws/config and ~/.aws/credentials files look like? Did you try using profiles? How did you try to set the env variables?

@shivlaks shivlaks added needs-reproduction This issue needs reproduction. and removed bug This issue is a bug. labels Jun 16, 2020
@ironlyon1906
Author

To my understanding, the CDK uses the AWS CLI under the covers. I am trying to run the sample CDK app using Java, all locally on my macOS. Here is my AWS CLI version:

bash-3.2$ aws --version
aws-cli/1.11.164 Python/3.6.3 Darwin/18.7.0 botocore/1.7.22

When I run either of the below commands, they return:
bash-3.2$ cdk synth
The security token included in the request is invalid.
--or--
bash-3.2$ aws iam list-users
An error occurred (InvalidClientTokenId) when calling the ListUsers operation: The security token included in the request is invalid.

To answer your question: in my ~/.aws directory I have a config file and a credentials file
I have also tried to export the following env variables. But I still have the same error.
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_DEFAULT_REGION

@shivlaks
Contributor

@ironlyon1906 can you run the cdk command with the --v flag? Have you tried the suggestions and setup suggested in #1656?
I'm curious what your config and credentials files look like. I'm not able to reproduce in 1.44.0.

my ~/.aws/credentials

[default]
aws_access_key_id = <redacted>
aws_secret_access_key = <redacted>

my ~/.aws/config

[default]
region = us-east-1

@ironlyon1906
Author

Hi Shivlaks, I have solved the problem. I uninstalled AWS CLI ver 1.x and installed AWS CLI ver 2.x.
I then regenerated new keys and ran aws configure. After this, aws began working correctly and hence the cdk command began working as well. Thank you for taking the time to respond to my inquiry nonetheless!!

@shivlaks
Contributor

@ironlyon1906 glad to hear you're all set. I'm resolving this issue for now. Feel free to reopen if you have any unresolved questions or follow-up that you'd like to see from us!

@apoorvmote

I had the same error: The security token included in the request is invalid.
I deleted my existing access key and secret key and generated a new one. And the problem is fixed.

@lal-verma

I was facing a similar issue. When I checked ~/.aws/credentials file I saw an additional statement referring to token "{someprefix}-token" with no value. I don't know what generated this entry. When I removed it (without touching aws_access_key_id, aws_secret_access_key), my cdk started working :).

I am using cdk version - 2.39.1 (build f188fac)
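
A check for the kind of stray credentials-file entry described in the comment above, as an added example that is not part of the thread or of the CDK/AWS CLI code. The function name, the expected-key set and the sample file contents are assumptions constructed for illustration; the linter reports key names only and never prints secret values.

```python
import configparser

# Keys a static-credential profile normally carries (assumption for this check;
# other keys are flagged for review, not declared invalid).
EXPECTED = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}


def lint_credentials(text):
    """Return {profile: [findings]} for an AWS shared-credentials file body."""
    # allow_no_value accepts a bare key line; interpolation=None keeps '%' in secrets literal.
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string(text)
    report = {}
    for profile in parser.sections():
        findings = []
        items = dict(parser.items(profile))
        for key, value in items.items():
            if value is None or not value.strip():
                findings.append(f"{key}: empty value")
            elif key not in EXPECTED:
                findings.append(f"{key}: unexpected key")
        key_id = (items.get("aws_access_key_id") or "").strip()
        has_token = bool((items.get("aws_session_token") or "").strip())
        # ASIA... key IDs are temporary STS credentials and need a session token;
        # AKIA... key IDs are long-term and should not be paired with one.
        if key_id.startswith("ASIA") and not has_token:
            findings.append("temporary key without aws_session_token")
        if key_id.startswith("AKIA") and has_token:
            findings.append("long-term key paired with aws_session_token")
        if findings:
            report[profile] = findings
    return report


# Constructed sample: values are placeholders, not real credentials.
SAMPLE = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret-value
example-token =

[ci]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret-value
"""

if __name__ == "__main__":
    for profile, findings in lint_credentials(SAMPLE).items():
        for finding in findings:
            print(f"[{profile}] {finding}")
```

To check a real file, pass the contents of ~/.aws/credentials to lint_credentials() and review each finding before removing anything.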

@gui-freire

Hello, I am currently facing the same issue. I'm trying to run cdk deploy in a GitLab Runner docker instance, with an SSO profile configured. I ran the command aws configure list --profile <profile>, which returned me the following:

      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <profile>           manual    --profile
access_key     ****************GRFD              sso
secret_key     ****************zR3x              sso
    region                eu-west-1      config-file    ~/.aws/config

However when the command is run in the pipeline it returns this:

[08:41:23] Determining if we're on an EC2 instance.
[08:41:23] Does not look like an EC2 instance.
[08:41:23] Toolkit stack: CDKToolkit
[08:41:23] Setting "CDK_DEFAULT_REGION" environment variable to eu-west-1
[08:41:23] Resolving default credentials
[08:41:23] Looking up default account ID from STS
[08:41:23] Notices refreshed
[08:41:23] Failed to store notices in the cache: Error: ENOENT: no such file or directory, open '/root/.cdk/cache/notices.json'
[08:41:23] Unable to determine the default AWS account (InvalidClientTokenId): The security token included in the request is invalid.

Eventually ending in an Error: Need to perform AWS calls for account <accountId>, but no credentials have been configured. Tried running the deploy with --profile <profile> but also with no success, this one with a different error: Unable to determine the default AWS account (ENOENT): ENOENT: no such file or directory, open '/root/.aws/credentials'
I'm currently using CDK version 2.141.0
