
I'm trying to create a new IAM role and attach the S3 Read Only Access policy, but when I run the below code I get the following error: An error occurred (InvalidClientTokenId) when calling the CreateRole operation: The security token included in the request is invalid.

I have set up the correct AWS access key and security key in the configuration file, but I'm still not able to get past this error.

Code for creating the IAM role:

import json
import boto3

# DWH_IAM_ROLE_NAME is read from the configuration file in the original script;
# the literal below is a placeholder so that this snippet runs on its own.
DWH_IAM_ROLE_NAME = 'dwhRole'

# boto3 resolves credentials from the AWS_* environment variables first and only
# then from the profile in ~/.aws/credentials; the IAM client is used by every call below.
iam = boto3.client('iam')

try:
    print('1.1 Creating a new IAM Role')
    dwhRole = iam.create_role(
        Path='/',
        RoleName=DWH_IAM_ROLE_NAME,
        Description='Allows Redshift clusters to call AWS services on your behalf.',
        # Trust policy: only the Redshift service principal may assume this role
        AssumeRolePolicyDocument=json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "redshift.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }),
    )

except Exception as e:
    print(e)

# TODO: Attach Policy
print('1.2 Attaching Policy')
attach_status = iam.attach_role_policy(
    RoleName=DWH_IAM_ROLE_NAME,
    PolicyArn="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
)['ResponseMetadata']['HTTPStatusCode']

# TODO: Get and print the IAM role ARN
print('1.3 Get the IAM role ARN')
roleArn = iam.get_role(RoleName=DWH_IAM_ROLE_NAME)['Role']['Arn']

print(roleArn)

DWH_IAM_ROLE_NAME is a variable which is defined in the configuration file as well.

Asad
  • Do you have MFA enabled on your account? – Arpit Jain Jan 07 '23 at 18:50
  • Yes, I have just enabled it. – Asad Jan 08 '23 at 14:41
  • Try to unset your AWS env variables and get a new session token by running the sts command `aws sts get-session-token`. – Arpit Jain Jan 08 '23 at 15:05
  • But do I have to put the session token as well while creating the IAM role? I'm stuck very badly. Do you have any resources which I can follow? – Asad Jan 08 '23 at 18:05
  • There are many questions similar to yours. Please check the answer to those questions. For eg: https://stackoverflow.com/questions/47034903/an-error-occurred-invalidclienttokenid-when-calling-the-assumerole-operation , https://stackoverflow.com/questions/34582318/how-can-i-resolve-the-error-the-security-token-included-in-the-request-is-inval , https://stackoverflow.com/questions/40198127/aws-cli-get-error-the-security-token-included-in-the-request-is-invalid – Arpit Jain Jan 08 '23 at 18:13
  • `unset AWS_ACCESS_KEY_ID;unset AWS_SECRET_ACCESS_KEY;unset AWS_SESSION_TOKEN; aws sts get-session-token;` – Arpit Jain Jan 08 '23 at 18:17
  • Then run `aws configure` to reset the id, key and token value – Arpit Jain Jan 08 '23 at 18:19
  • Did this solve your issue? – Arpit Jain Jan 09 '23 at 13:47
  • Thanks for the help Arpit, I unset the env variables and generated new ones and set those in a new profile. Then I created the IAM user and I was able to do so. Appreciate your help. – Asad Jan 10 '23 at 14:52

1 Answer


First, unset the below env variables:

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN

Get a new session token and save it or copy it to your clipboard:

aws sts get-session-token

Run the below command; it will ask for the SECRET KEY, ID and TOKEN:

aws configure

Finally, re-run your script.

Arpit Jain
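The procedure in this answer, plus the asker's remark in the comments about putting the new token into a separate profile, as a small helper script. This is an added example and not the answer's own code; it assumes the JSON printed by `aws sts get-session-token` is passed in as a string (the sample below is constructed with placeholder values) and that the credentials file path is supplied by the caller.

```python
import configparser
import json
import os
from datetime import datetime, timezone
from pathlib import Path

# Credential env vars the SDK/CLI credential chain consults *before*
# ~/.aws/credentials; a stale value here silently shadows the profile.
OVERRIDING_ENV_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# Constructed sample of `aws sts get-session-token` output (placeholder values).
SAMPLE_STS_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0001",
    "SecretAccessKey": "exampleSecretKeyPlaceholder0000000000",
    "SessionToken": "exampleSessionTokenPlaceholder",
    "Expiration": "2099-01-08T20:05:00Z"
  }
}"""

def stale_env_overrides(environ=None):
    """Names of credential env vars that are set and would shadow the profile."""
    env = os.environ if environ is None else environ
    return [name for name in OVERRIDING_ENV_VARS if env.get(name)]

def credentials_from_sts_output(raw_json, now=None):
    """Map STS JSON to credentials-file keys; refuse a token that has expired."""
    creds = json.loads(raw_json)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("session token expired at %s" % expires.isoformat())
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # temporary keys need this too
    }

def write_profile(credentials_path, profile, creds):
    """Add or replace a named profile in an INI credentials file (mode 0600)."""
    path = Path(credentials_path)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    cfg[profile] = creds
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)
    return sorted(cfg.sections())
```

With the profile written, the script in the question can select it explicitly via `boto3.Session(profile_name='mfa').client('iam')`, and `stale_env_overrides()` returning a non-empty list is the signal that the environment, not the file, is what the SDK is actually using.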