AWS
InvalidClientTokenId - Invalid Client Token ID
Getting an **InvalidClientTokenId** error means your AWS security token (Access Key ID) is invalid or doesn't exist—the token might have been deleted, rotated, or belongs to a different AWS account. This client-side error (4xx) happens when AWS validates request tokens. Most common when IAM access keys are deleted or rotated, but also appears when credentials are misconfigured, tokens are expired, credentials files are corrupted, or you're using credentials from the wrong AWS account.
Common Causes
- Identity: Access Key ID doesn't exist in AWS. Access key was deleted from IAM user. Access key belongs to different AWS account. Token expired or deactivated.
- Network: Credentials file corrupted. Environment variables not set correctly. AWS CLI configuration file has wrong token.
- Limits: Typo in access key ID. Token format invalid (should be 20 chars, alphanumeric). Token rotated but old token still in use.
Solutions
- Step 1: Diagnose - Check your current credentials: `aws sts get-caller-identity`. If it returns InvalidClientTokenId, the credentials are wrong. Verify which credentials are being used: `aws configure list`.
- Step 2: Diagnose - List the IAM user's access keys: `aws iam list-access-keys --user-name USER_NAME`. Check that the key exists and is active. Verify that the key ID matches your credentials.
- Step 3: Diagnose - Check the credentials file: `cat ~/.aws/credentials`. Verify that the [default] or [profile] section has the correct AccessKeyId. Check environment variables: `echo $AWS_ACCESS_KEY_ID`.
- Step 4: Fix - Regenerate the access key if it was deleted: `aws iam create-access-key --user-name USER_NAME`. Update credentials: `aws configure set aws_access_key_id NEW_KEY_ID`.
- Step 5: Fix - Verify the credentials work: `aws sts get-caller-identity`. It should return the account ID, user ARN, and user ID. If it still fails, check that the IAM user exists: `aws iam get-user --user-name USER_NAME`.
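The format and file-corruption causes listed under Common Causes, and the credentials-file check in Step 3, can be tested offline without displaying any secret. The following is an added example, not code from the original page: `check_key_id`, `lint_credentials` and `demo` are hypothetical helper names, the sample key IDs are constructed, and the 20-character alphanumeric rule is the one stated under Common Causes.

```bash
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical;
# all sample key IDs are constructed.

# Print "ok" or why a value fails the format rule above (20 chars, alphanumeric).
check_key_id() {
  cr=$(printf '\r')
  case "$1" in
    *"$cr"*)        echo "carriage return in value"; return 1 ;;
    *\"*|*\'*)      echo "quote character in value"; return 1 ;;
    *[!A-Za-z0-9]*) echo "non-alphanumeric character"; return 1 ;;
  esac
  [ "${#1}" -eq 20 ] || { echo "length ${#1}, expected 20"; return 1; }
  echo "ok"
}

# Report each profile whose aws_access_key_id fails check_key_id; the secret
# key is never printed. Return status is the number of profiles flagged.
lint_credentials() {
  profile="(none)"; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:blank:]]*}"}           # trim leading blanks
    case "$line" in
      \[*\]*) profile=${line#\[}; profile=${profile%%\]*} ;;
      aws_access_key_id=*|aws_access_key_id[[:blank:]]*=*)
        value=${line#*=}
        value=${value#"${value%%[![:blank:]]*}"}     # trim blanks around value
        value=${value%"${value##*[![:blank:]]}"}
        if ! reason=$(check_key_id "$value"); then
          printf '[%s] aws_access_key_id %.4s...: %s\n' "$profile" "$value" "$reason"
          bad=$((bad + 1))
        fi ;;
    esac
  done < "$1"
  return "$bad"
}

# Constructed input: one well-formed ID, one truncated, one quoted, one CRLF.
demo() {
  tmp=$(mktemp); rc=0
  printf '%s\n' '[default]' 'aws_access_key_id = AKIAEXAMPLEKEY000001' \
    'aws_secret_access_key = constructed-placeholder' \
    '[ci]' 'aws_access_key_id = AKIAEXAMPLEKEY0002' \
    '[quoted]' 'aws_access_key_id = "AKIAEXAMPLEKEY000003"' > "$tmp"
  printf '[win]\r\naws_access_key_id = AKIAEXAMPLEKEY000004\r\n' >> "$tmp"
  lint_credentials "$tmp" || rc=$?
  rm -f "$tmp"; return "$rc"
}
demo || echo "$? profile(s) flagged"
```

To check a real file, call `lint_credentials ~/.aws/credentials`; the exit status is the number of profiles flagged.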
Code Examples
Diagnose InvalidClientTokenId: Check Credentials
```bash
#!/bin/bash
# Check current credentials being used
echo "=== Current AWS Configuration ==="
aws configure list

# Check environment variables (the secret key value is never printed)
printf '\n=== Environment Variables ===\n'
echo "AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-(not set)}"
if [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
  echo "AWS_SECRET_ACCESS_KEY: (set) [hidden]"
else
  echo "AWS_SECRET_ACCESS_KEY: (not set)"
fi
echo "AWS_PROFILE: ${AWS_PROFILE:-(not set)}"

# Test credentials; the table or the error message is printed either way
printf '\n=== Testing Credentials ===\n'
if aws sts get-caller-identity --output table 2>&1; then
  echo "✓ Credentials valid"
else
  echo "✗ Credentials check failed (see the error above, e.g. InvalidClientTokenId)"
  echo "Check your credentials file: ~/.aws/credentials"
fi

# Check credentials file
printf '\n=== Credentials File ===\n'
if [ -f ~/.aws/credentials ]; then
  echo "Credentials file exists"
  # -F matches "[default]" literally instead of as a bracket expression
  if grep -qF "[default]" ~/.aws/credentials; then
    # Show the profile header and key ID, but mask the secret key value
    grep -F -A 2 "[default]" ~/.aws/credentials \
      | sed -E 's/^([[:space:]]*aws_secret_access_key[[:space:]]*=).*/\1 [hidden]/'
  else
    echo "No [default] profile"
  fi
else
  echo "Credentials file not found at ~/.aws/credentials"
fi
```
List and Verify IAM User Access Keys
```bash
#!/bin/bash
# The IAM calls below need working credentials that are allowed to list
# access keys; if the default credentials are invalid, run with a profile that works.

# Get current user name (last path component of the caller ARN)
USER_NAME=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null | awk -F/ '{print $NF}')
if [ -z "${USER_NAME}" ]; then
  echo "Cannot determine user name (credentials invalid)"
  echo "Please provide user name manually:"
  read -r -p "User name: " USER_NAME
fi

echo "Current user: ${USER_NAME}"

# List access keys for user
printf '\n=== Access Keys for User ===\n'
aws iam list-access-keys --user-name "${USER_NAME}" \
  --query 'AccessKeyMetadata[*].[AccessKeyId,Status,CreateDate]' \
  --output table 2>&1

# Check if specific access key exists
ACCESS_KEY_ID="AKIAXXXXX" # Replace with your key ID
printf '\n=== Checking Access Key: %s ===\n' "${ACCESS_KEY_ID}"
aws iam list-access-keys --user-name "${USER_NAME}" \
  --query "AccessKeyMetadata[?AccessKeyId=='${ACCESS_KEY_ID}']" \
  --output table 2>&1
```
Fix InvalidClientTokenId: Update Credentials
```bash
#!/bin/bash
# Method 1: Update credentials using AWS CLI
# Do not save or commit this script with real key values filled in.
echo "=== Updating AWS Credentials ==="
NEW_ACCESS_KEY_ID="AKIAXXXXX" # Replace with your new key
NEW_SECRET_ACCESS_KEY="xxxxx" # Replace with your new secret

aws configure set aws_access_key_id "${NEW_ACCESS_KEY_ID}"
aws configure set aws_secret_access_key "${NEW_SECRET_ACCESS_KEY}"
aws configure set region us-east-1 # Set your preferred region

# Verify new credentials
printf '\n=== Verifying New Credentials ===\n'
aws sts get-caller-identity --output table

# Method 2: Update credentials file directly
# The instructions print a placeholder instead of the secret value
printf '\n=== Manual Credentials File Update ===\n'
echo "Edit ~/.aws/credentials and update:"
echo "[default]"
echo "aws_access_key_id = ${NEW_ACCESS_KEY_ID}"
echo "aws_secret_access_key = <your new secret access key>"
echo ""
echo "Or use environment variables:"
echo "export AWS_ACCESS_KEY_ID=${NEW_ACCESS_KEY_ID}"
echo "export AWS_SECRET_ACCESS_KEY=<your new secret access key>"
echo "export AWS_DEFAULT_REGION=us-east-1"
```
Provider Information
This error code is specific to AWS services. For more information, refer to the official AWS documentation.