AWS

InvalidAccessKeyId - Invalid Access Key ID

Getting an **InvalidAccessKeyId** error means your AWS Access Key ID doesn't exist in AWS—the key might have been deleted, it's misspelled, or it belongs to a different AWS account. This client-side error (4xx) happens when AWS can't find the access key in its records. Most common when access keys are deleted or rotated, but also appears when credentials are misconfigured, access keys are deactivated, or there's a typo in the key ID.

#Common Causes

  • Identity: Access key ID doesn't exist in AWS. Access key was deleted from IAM user. Access key belongs to different AWS account. Access key deactivated.
  • Network: Credentials file corrupted. Environment variables not set correctly. AWS CLI configuration file has wrong key.
  • Limits: Typo in access key ID. Key format invalid (should be 20 chars, alphanumeric). Key rotated but old key still in use.

Solutions

  1. 1Step 1: Diagnose - Check your current credentials: aws sts get-caller-identity. If InvalidAccessKeyId, credentials are wrong. Verify which credentials are being used: aws configure list.
  2. 2Step 2: Diagnose - List IAM user access keys: aws iam list-access-keys --user-name USER_NAME. Check if key exists and is active. Verify key ID matches your credentials.
  3. 3Step 3: Diagnose - Check credentials file: cat ~/.aws/credentials. Verify [default] or [profile] section has correct AccessKeyId. Check environment variables: echo $AWS_ACCESS_KEY_ID.
  4. 4Step 4: Fix - Regenerate access key if deleted: aws iam create-access-key --user-name USER_NAME. Update credentials: aws configure set aws_access_key_id NEW_KEY_ID.
  5. 5Step 5: Fix - Verify credentials work: aws sts get-caller-identity. Should return account ID, user ARN, and user ID. If still fails, check IAM user exists: aws iam get-user --user-name USER_NAME.

</>Code Examples

Diagnose InvalidAccessKeyId: Check Credentials
1#!/bin/bash
2# Check current credentials being used
3echo "=== Current AWS Configuration ==="
4aws configure list
5
6# Check environment variables
7echo "\n=== Environment Variables ==="
8echo "AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-(not set)}"
9echo "AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:+(set)} ${AWS_SECRET_ACCESS_KEY:+[hidden]}"
10echo "AWS_PROFILE: ${AWS_PROFILE:-(not set)}"
11
12# Test credentials
13echo "\n=== Testing Credentials ==="
14aws sts get-caller-identity 2>&1
15if [ $? -eq 0 ]; then
16  echo "✓ Credentials valid"
17  aws sts get-caller-identity --output table
18else
19  echo "✗ Invalid credentials (InvalidAccessKeyId)"
20  echo "Check your credentials file: ~/.aws/credentials"
21fi
22
23# Check credentials file
24echo "\n=== Credentials File ==="
25if [ -f ~/.aws/credentials ]; then
26  echo "Credentials file exists"
27  grep -A 2 "[default]" ~/.aws/credentials 2>/dev/null || echo "No [default] profile"
28else
29  echo "Credentials file not found at ~/.aws/credentials"
30fi
List and Verify IAM User Access Keys
1#!/bin/bash
2# Get current user name
3USER_NAME=$(aws sts get-caller-identity --query Arn --output text | cut -d'/' -f2)
4echo "Current user: ${USER_NAME}"
5
6# List access keys for user
7echo "\n=== Access Keys for User ==="
8aws iam list-access-keys --user-name ${USER_NAME} \
9  --query 'AccessKeyMetadata[*].[AccessKeyId,Status,CreateDate]' \
10  --output table
11
12# Check if specific access key exists
13ACCESS_KEY_ID="AKIAXXXXX"  # Replace with your key ID
14echo "\n=== Checking Access Key: ${ACCESS_KEY_ID} ==="
15aws iam list-access-keys --user-name ${USER_NAME} \
16  --query "AccessKeyMetadata[?AccessKeyId=='${ACCESS_KEY_ID}']" \
17  --output table
18
19# Create new access key if needed
20echo "\n=== Creating New Access Key ==="
21echo "WARNING: This will create a new access key. Save the secret key immediately!"
22read -p "Create new access key? (y/N): " -n 1 -r
23echo
24if [[ $REPLY =~ ^[Yy]$ ]]; then
25  aws iam create-access-key --user-name ${USER_NAME} \
26    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' \
27    --output table
28  echo "\nIMPORTANT: Save the SecretAccessKey - it won't be shown again!"
29fi
Fix InvalidAccessKeyId: Update Credentials
1#!/bin/bash
2# Method 1: Update credentials using AWS CLI
3echo "=== Updating AWS Credentials ==="
4NEW_ACCESS_KEY_ID="AKIAXXXXX"  # Replace with your new key
5NEW_SECRET_ACCESS_KEY="xxxxx"  # Replace with your new secret
6
7aws configure set aws_access_key_id ${NEW_ACCESS_KEY_ID}
8aws configure set aws_secret_access_key ${NEW_SECRET_ACCESS_KEY}
9aws configure set region us-east-1  # Set your preferred region
10
11# Verify new credentials
12echo "\n=== Verifying New Credentials ==="
13aws sts get-caller-identity --output table
14
15# Method 2: Update credentials file directly
16echo "\n=== Manual Credentials File Update ==="
17echo "Edit ~/.aws/credentials and update:"
18echo "[default]"
19echo "aws_access_key_id = ${NEW_ACCESS_KEY_ID}"
20echo "aws_secret_access_key = ${NEW_SECRET_ACCESS_KEY}"
21echo ""
22echo "Or use environment variables:"
23echo "export AWS_ACCESS_KEY_ID=${NEW_ACCESS_KEY_ID}"
24echo "export AWS_SECRET_ACCESS_KEY=${NEW_SECRET_ACCESS_KEY}"
25echo "export AWS_DEFAULT_REGION=us-east-1"

Related Errors

SignatureDoesNotMatchInvalidClientTokenId

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.

InvalidAccessKeyId - Invalid Access Key ID | AWS Error Reference | Error Code Reference