1

Simple AWS CLI commands like aws ec2 describe-images --region $REGION produce the error AWS was not able to validate the provided access credentials when REGION is one of af-south-1, ap-east-1, eu-south-1, or me-south-1.

This StackOverflow question says that newer regions only support Signature Version 4. How do I choose this in my AWS CLI (v. 2.4.15)? This says that that happens automatically, but clearly it does not.

Note that this occurs whether I have this ~/.aws/config file` or it is missing:

region = us-east-1
output = json
cli_pager=
Joshua Fox
  • 18,704
  • 23
  • 87
  • 147
  • Do you have a configured default/named profile on the machine where you triggered the aws cli command? – Allan Chua Feb 01 '22 at 09:41
  • `cat ~/.aws/config` shows just this (I also put this in the body): `[default] region = us-east-1 output = json cli_pager=` – Joshua Fox Feb 01 '22 at 09:44
  • Just tried testing it with at least 4 profiles in my side. It does work on my main region but not on `af-south-1` even after an AWS CLI upgrade – Allan Chua Feb 01 '22 at 10:11
  • Thank you. For me, deleting `~/.aws/config` makes no difference to this. – Joshua Fox Feb 01 '22 at 10:12
  • Wow! let me know how do you solve the issue bro. – Allan Chua Feb 01 '22 at 10:12
  • Hey bro, can you try the stuff in this link: https://bobcares.com/blog/aws-was-not-able-to-validate-the-provided-access-credentials-how-to-fix/ – Allan Chua Feb 01 '22 at 10:22
  • 1
    I am having trouble with that. It says "(a) Obtain tokens from a Regional endpoint(b) Change Region compatibility of session tokens for global endpoint" but I know now to do neither. It mentions setting the clock, but both commands fail on Mac. It mentions the `.boto` file but I have no such file. It also mentions the AWS config, but we already considered that. – Joshua Fox Feb 01 '22 at 14:04

1 Answers1

2

This error message is simply wrong: What it states was (in my case) not the source of the problem.

The answer is that the regions must be enabled

After you enable the region, you will see a message telling you to change settings for STS tokens under IAM Settings, enabling global tokens for all regions including these non-default regions.

Joshua Fox
  • 18,704
  • 23
  • 87
  • 147
  • And, per the AWS console page when first attempting to access a hitherto-disabled region: "When you enable access, AWS performs actions to prepare your account in that region, such as distributing your IAM resources to the region." which is perhaps why it presents as a credentials validation error. – jarmod Feb 01 '22 at 20:24
  • WOW that's super good to know – Allan Chua Feb 02 '22 at 02:49