43

I installed the EC2 API following the Amazon guide. I set up the access ID and secret as environment variables.

Here is my profile:

```
export AWS_ACCESS_KEY=XXXXX
export AWS_SECRET_KEY=XXXXXX
export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64/jre
export EC2_HOME=/usr/local/ec2/ec2-api-tools-1.7.1.0
export PATH=$PATH:$EC2_HOME/bin
```

Everything looks configured as asked, but I can't connect to AWS.

Here is the output of the command ec2-describe-regions in verbose mode:

```
Client.AuthFailure: AWS was not able to validate the provided access credentials
ubuntu@ip:~$ ec2dre -v
Setting User-Agent to [ec2-api-tools 1.7.1.0]
2014-07-14 19:10:34,898 [main] DEBUG org.apache.http.wire  - >> "POST / HTTP/1.1[\r][\n]"
2014-07-14 19:10:34,912 [main] DEBUG org.apache.http.wire  - >> "Host: ec2.amazonaws.com[\r][\n]"
2014-07-14 19:10:34,912 [main] DEBUG org.apache.http.wire  - >> "X-Amz-Date: 20140714T191033Z[\r][\n]"
2014-07-14 19:10:34,913 [main] DEBUG org.apache.http.wire  - >> "Authorization: AWS4-HMAC-SHA256 Credential=AKIAIT64V5MH2HHF5QZQ/20140714/us-east-1/ec2/aws4_request, SignedHeaders=host;user-agent;x-amz-date, Signature=06920c7d37a24d8244feb630d87310238886294d3ae2ab40f68a362a799d9a62[\r][\n]"
2014-07-14 19:10:34,913 [main] DEBUG org.apache.http.wire  - >> "User-Agent: ec2-api-tools 1.7.1.0, aws-sdk-java/unknown-version Linux/3.2.0-36-virtual OpenJDK_64-Bit_Server_VM/24.51-b03[\r][\n]"
2014-07-14 19:10:34,913 [main] DEBUG org.apache.http.wire  - >> "Content-Type: application/x-www-form-urlencoded; charset=utf-8[\r][\n]"
2014-07-14 19:10:34,913 [main] DEBUG org.apache.http.wire  - >> "Content-Length: 41[\r][\n]"
2014-07-14 19:10:34,913 [main] DEBUG org.apache.http.wire  - >> "Connection: Keep-Alive[\r][\n]"
2014-07-14 19:10:34,913 [main] DEBUG org.apache.http.wire  - >> "[\r][\n]"
2014-07-14 19:10:34,914 [main] DEBUG org.apache.http.wire  - >> "Action=DescribeRegions&Version=2014-06-15"
2014-07-14 19:10:34,984 [main] DEBUG org.apache.http.wire  - << "HTTP/1.1 401 Unauthorized[\r][\n]"
2014-07-14 19:10:35,002 [main] DEBUG org.apache.http.wire  - << "Transfer-Encoding: chunked[\r][\n]"
2014-07-14 19:10:35,003 [main] DEBUG org.apache.http.wire  - << "Date: Mon, 14 Jul 2014 19:18:34 GMT[\r][\n]"
2014-07-14 19:10:35,003 [main] DEBUG org.apache.http.wire  - << "Server: AmazonEC2[\r][\n]"
2014-07-14 19:10:35,010 [main] DEBUG org.apache.http.wire  - << "[\r][\n]"
2014-07-14 19:10:35,225 [main] DEBUG org.apache.http.wire  - << "fe[\r][\n]"
2014-07-14 19:10:35,225 [main] DEBUG org.apache.http.wire  - << "<?xml version="1.0" encoding="UTF-8"?>[\n]"
2014-07-14 19:10:35,225 [main] DEBUG org.apache.http.wire  - << "<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>cd2b128b-3d70-425b-a8a7-4856fd9a6b99</RequestID></Response>"
2014-07-14 19:10:35,278 [main] DEBUG org.apache.http.wire  - << "[\r][\n]"
2014-07-14 19:10:35,279 [main] DEBUG org.apache.http.wire  - << "0[\r][\n]"
2014-07-14 19:10:35,279 [main] DEBUG org.apache.http.wire  - << "[\r][\n]"
Client.AuthFailure: AWS was not able to validate the provided access credentials
Request ID: cd2b128b-3d70-425b-a8a7-4856fd9a6b99
```
Rajish
Kerby82
  • @alfasin There is no code involved, I just execute ec2dre for checking the environment. I updated my profile env variables in the message. What do you mean by "with >500"? – Kerby82 Jul 14 '14 at 19:29
  • nm the 500, which environment is it? `root`? Which user connects to AWS? – Nir Alfasi Jul 14 '14 at 19:43
  • I'm connecting with a normal user with id and gid 1000. I also tried with root and I got the same error. – Kerby82 Jul 14 '14 at 19:50
  • I used the same credentials from a Mac and they work, but on Ubuntu they don't – Kerby82 Jul 14 '14 at 20:42
  • Try to run the command with the switches `--aws-access-key` and `--aws-secret-key` (and specify the keys explicitly) – Nir Alfasi Jul 14 '14 at 20:56
  • Did, and it's not working; tried the same command on a Mac with the same credentials and it's working. I don't know how to debug in a deeper way. – Kerby82 Jul 14 '14 at 22:08
  • Did you go through the [**instructions**](http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/set-up-ec2-cli-linux.html#set-up-ec2-cli-tools-on-amazon-linux) and configure JAVA_HOME properly? – Nir Alfasi Jul 15 '14 at 01:26
  • Yes, I did. Java is correctly installed, otherwise I wouldn't have had this kind of authentication error. – Kerby82 Jul 15 '14 at 19:38

7 Answers

100

Check that the server clock is synchronized.

If the clock is delayed, it can cause this error:

AWS was not able to validate the provided access credentials
raittes
  • 2
    How did you get to this solution? Anyway, it worked :) Thx – Up_One Sep 10 '15 at 05:20
  • 8
    Amazon documents this behavior: "The EC2 CLI tools use your access keys as well as a time stamp to sign your requests. Ensure that your computer's date and time are set correctly. If they are not, the date in the signature may not match the date of the request, and AWS rejects the request." http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/set-up-ec2-cli-linux.html – iewebguy Nov 26 '15 at 23:56
  • `aws s3 ls`: _An error occurred (RequestTimeTooSkewed) when calling the ListBuckets operation: The difference between the request time and the current time is too large._ – kenorb Feb 05 '18 at 14:23
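The verbose log in the question already shows the skew this answer describes: the signed `X-Amz-Date` request header and the server's `Date` response header are about eight minutes apart. The following Python sketch is an added example, not part of the original thread; it pulls both timestamps out of an `org.apache.http.wire` log and reports the offset. The function names and the 300-second tolerance are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Two lines copied from the question's wire log: the signed request
# timestamp (>>) and the server's Date response header (<<).
SAMPLE_LOG = r'''
2014-07-14 19:10:34,912 [main] DEBUG org.apache.http.wire  - >> "X-Amz-Date: 20140714T191033Z[\r][\n]"
2014-07-14 19:10:35,003 [main] DEBUG org.apache.http.wire  - << "Date: Mon, 14 Jul 2014 19:18:34 GMT[\r][\n]"
'''

REQUEST_DATE = re.compile(r'>> "X-Amz-Date: (\d{8}T\d{6}Z)')
RESPONSE_DATE = re.compile(r'<< "Date: ([^\[\]"]+)')
MAX_SKEW_SECONDS = 300  # assumed tolerance; adjust to the service's documented limit


def clock_skew_seconds(wire_log):
    """Return server time minus client time in seconds, or None if a header is missing."""
    req = REQUEST_DATE.search(wire_log)
    resp = RESPONSE_DATE.search(wire_log)
    if not req or not resp:
        return None
    client = datetime.strptime(req.group(1), "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    try:
        server = parsedate_to_datetime(resp.group(1).strip())
    except (TypeError, ValueError):
        return None  # unparseable Date header
    if server.tzinfo is None:
        server = server.replace(tzinfo=timezone.utc)  # HTTP dates are always GMT
    return (server - client).total_seconds()


def diagnose(wire_log, max_skew=MAX_SKEW_SECONDS):
    """Classify an AuthFailure log as a clock problem or a credential problem."""
    skew = clock_skew_seconds(wire_log)
    if skew is None:
        return "no request/response date pair found in log"
    if abs(skew) > max_skew:
        direction = "behind" if skew > 0 else "ahead of"
        return f"client clock is {abs(skew):.0f}s {direction} the server: fix time sync first"
    return f"clock skew of {skew:+.0f}s is within tolerance: check the credentials"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Running the check on a failing request's log before rotating keys separates a clock problem from a genuine credential problem.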
19

I ran into this issue when my system clock was set incorrectly.

In my case the clock was running ahead by two hours.

Equally important is to put the commands in your .bashrc or similar file (.bash_aliases):

```
export AWS_ACCESS_KEY="XXXXXXXXXXXXXXXXX"
export AWS_SECRET_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
```

Once they are there, run `source ~/.bashrc`.

The reason for the importance of this is that when running an ec2 command, new shell instances are created that don't get the environment variables otherwise.

javabeangrinder
  • 3
    same for me, clock was 10min out, installed NTP to fix it – DaveB Sep 24 '14 at 14:41
  • Had this problem while running Fog inside a Docker container via Boot2Docker. [This question](http://stackoverflow.com/questions/22800624/will-docker-container-auto-sync-time-with-the-host-machine) helped me reset the time on my Boot2Docker VM. – jallen7usa Jan 30 '15 at 16:09
  • 1
    The export command in the .zshrc or .bashrc is very important. Unless you update it, the old key is exported. – look Apr 09 '15 at 22:36
9

Run `aws s3 ls` to confirm whether the error is related to time sync. You should get an error like:

An error occurred (RequestTimeTooSkewed) when calling the ListBuckets operation: The difference between the request time and the current time is too large.

If so, try to sync your datetime as suggested.

Example shell commands on Linux to do that:

```
# Install the ntpdate client for setting system time from NTP servers.
sudo apt-get --yes install ntpdate
sudo ntpdate 0.amazon.pool.ntp.org
```

Then retry your aws command.

If the timezone is still not correct, run `sudo dpkg-reconfigure tzdata` to configure it, or use:

```
timedatectl list-timezones
timedatectl set-timezone 'Europe/London'
```

See also: Configure localtime. dpkg-reconfigure tzdata.

kenorb
5

AWS CLI was working fine for me but all of a sudden it started failing with the following error

A client error (AuthFailure) occurred when calling the DescribeTags operation: AWS was not able to validate the provided access credentials

Tried with a new set of credentials, however that did not help.

It worked only after stop-start was performed on the EC2 instance (reboot might have also worked). Hence, it appears to be an issue with the particular EC2 instance from where the aws cli was executed.

Sachin
4

This can also be due to an issue depending on which region you're trying to reach. I have a script trying to assume roles in all regions and kept getting this in Hong Kong (ap-east-1). You have to first enable this region in order to access it. You'll get this error for the following regions if you don't have them enabled:

ap-east-1
cn-north-1
cn-northwest-1
us-gov-east-1
us-gov-west-1

Strangely, ap-northeast-3 also gives an error, but its error is OptInRequired.

chizou
3

I had a similar issue. The clock on my local server was off. I corrected it with the following command.

```
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
```

Then, aws worked.

Prasanth Pennepalli
0

For CentOS

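```
# install ntpdate and the ntp package that provides ntpd.service
sudo yum install ntp ntpdate

# install policy kit
sudo yum install polkit

# set the clock once; ntpdate cannot bind the NTP port while ntpd is running
sudo ntpdate 0.amazon.pool.ntp.org

# start ntpd service to keep the clock in sync
sudo systemctl start ntpd.service
```

You can also reconfigure the AWS credentials again:

```
aws configure
```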
Pablo Cruz