AWS

S3InvalidAccessKeyId - S3 Invalid Access Key ID

Hitting an **S3InvalidAccessKeyId** error means your AWS access key ID doesn't exist or is invalid: the access key might have been deleted or rotated, or it belongs to a different AWS account. This client-side error (4xx) happens when AWS validates S3 request credentials. It is most common when access keys are deleted or rotated, but it also appears when access key IDs are incorrect, credentials files are misconfigured, wrong AWS account credentials are used, or old keys are still in use after rotation.

Common Causes

  • Identity: Access key ID doesn't exist in AWS. Access key was deleted from IAM user. Access key belongs to different AWS account.
  • Network: Credentials file misconfigured. Environment variables not set correctly. AWS CLI configuration has wrong key.
  • Limits: Access key ID is incorrect. Access key rotated but old key still in use. Typo in access key ID. Wrong AWS account credentials.

Solutions

  1. Step 1: Diagnose - Check current credentials: `aws sts get-caller-identity`. If it returns S3InvalidAccessKeyId, the credentials are wrong. Verify which credentials are being used: `aws configure list`.
  2. Step 2: Diagnose - List IAM user access keys: `aws iam list-access-keys --user-name USER_NAME`. Check that the key exists and is active. Verify that the key ID matches your credentials.
  3. Step 3: Diagnose - Check the credentials file: `cat ~/.aws/credentials`. Verify that the [default] or [profile] section has the correct AccessKeyId. Check environment variables: `echo $AWS_ACCESS_KEY_ID`.
  4. Step 4: Fix - Regenerate the access key if it was deleted: `aws iam create-access-key --user-name USER_NAME`. Update credentials: `aws configure set aws_access_key_id NEW_KEY_ID`.
  5. Step 5: Fix - Verify that the credentials work: `aws s3 ls`. It should list your buckets. If it still fails, check that the IAM user exists: `aws iam get-user --user-name USER_NAME`.

Code Examples

Check Current S3 Credentials and Access Keys

```bash
#!/bin/bash
# Check whether the credentials the CLI resolves are accepted by AWS.
echo "=== Checking Current Credentials ==="
if ! aws sts get-caller-identity 2>&1; then
  echo "✗ Invalid credentials (S3InvalidAccessKeyId)"
  printf '\n=== Checking Credentials Configuration ===\n'
  aws configure list
else
  echo "✓ Credentials valid"
  printf '\n=== Testing S3 Access ===\n'
  aws s3 ls 2>&1 | head -5
fi

# List access keys for the current IAM user.
# The user name is the last segment of a ".../user/..." ARN (users may have a path).
printf '\n=== Listing Access Keys ===\n'
USER_NAME=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null \
  | awk -F/ '/:user\// { print $NF }')
if [ -n "${USER_NAME}" ]; then
  aws iam list-access-keys --user-name "${USER_NAME}" \
    --query 'AccessKeyMetadata[*].[AccessKeyId,Status,CreateDate]' \
    --output table
else
  echo "Cannot determine user name (credentials invalid or not an IAM user)"
fi
```

Regenerate Access Key and Update Credentials

```bash
#!/bin/bash
USER_NAME="my-user"  # Replace with your IAM user name

echo "=== Creating New Access Key ==="
# --output text returns "AccessKeyId<TAB>SecretAccessKey" on a single line
if NEW_KEY=$(aws iam create-access-key --user-name "${USER_NAME}" \
  --query 'AccessKey.[AccessKeyId,SecretAccessKey]' \
  --output text 2>/dev/null); then
  # Split the two fields; an unquoted echo piped to cut would lose the tab
  read -r NEW_ACCESS_KEY_ID NEW_SECRET_ACCESS_KEY <<< "${NEW_KEY}"

  echo "✓ New access key created"
  echo "Access Key ID: ${NEW_ACCESS_KEY_ID}"

  # Update credentials
  printf '\n=== Updating Credentials ===\n'
  aws configure set aws_access_key_id "${NEW_ACCESS_KEY_ID}"
  aws configure set aws_secret_access_key "${NEW_SECRET_ACCESS_KEY}"

  # Verify new credentials (IAM is eventually consistent, so a brand-new key
  # may be rejected for a few seconds)
  printf '\n=== Verifying New Credentials ===\n'
  # Capture the output so the exit status is that of aws, not of head
  if BUCKETS=$(aws s3 ls 2>&1); then
    printf '%s\n' "${BUCKETS}" | head -3
    echo "✓ New credentials work"
    printf '\n=== Delete Old Access Key ===\n'
    echo "List old keys: aws iam list-access-keys --user-name ${USER_NAME}"
    echo "Delete old key: aws iam delete-access-key --user-name ${USER_NAME} --access-key-id OLD_KEY_ID"
  else
    printf '%s\n' "${BUCKETS}" | head -3
    echo "✗ New credentials still invalid"
  fi
else
  echo "✗ Failed to create access key"
  echo "Check IAM permissions and user name"
fi
```

Check Credentials File and Environment Variables

```bash
#!/bin/bash
echo "=== Checking Credentials File ==="
if [ -f ~/.aws/credentials ]; then
  echo "Credentials file exists"
  printf '\n=== Default Profile ===\n'
  # -F matches "[default]" literally instead of as a bracket expression
  if grep -qF "[default]" ~/.aws/credentials; then
    # Mask the secret key value so it is never printed to the terminal
    grep -F -A 2 "[default]" ~/.aws/credentials \
      | sed -E 's/^([[:space:]]*aws_secret_access_key[[:space:]]*=).*/\1 [hidden]/'
  else
    echo "No [default] profile"
  fi

  printf '\n=== All Profiles ===\n'
  grep '^\[' ~/.aws/credentials | head -5
else
  echo "✗ Credentials file not found at ~/.aws/credentials"
fi

printf '\n=== Environment Variables ===\n'
echo "AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-(not set)}"
if [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then
  echo "AWS_SECRET_ACCESS_KEY: (set) [hidden]"
else
  echo "AWS_SECRET_ACCESS_KEY: (not set)"
fi
echo "AWS_PROFILE: ${AWS_PROFILE:-(not set)}"

printf '\n=== Current Configuration ===\n'
aws configure list
```
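
The diagnosis in steps 1 to 3 as one offline check, added here as an example and not code from the original page: it resolves which access key ID the CLI would send when `--profile` is not passed (`AWS_ACCESS_KEY_ID` takes precedence over `~/.aws/credentials`) and classifies that ID against `list-access-keys` text output. The function names, the sample credentials file and the key IDs are constructed, and the `AKIA`/`ASIA` plus 16 characters check is an assumption about the usual shape of an access key ID.

```shell
#!/bin/bash
# Added example. The credentials file and key IDs below are constructed samples.

# Print the aws_access_key_id stored under one profile of a credentials file.
profile_key_id() {  # usage: profile_key_id FILE PROFILE
  awk -v want="[$2]" '
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_p = ($0 == want); next }
    in_p && /^[ \t]*aws_access_key_id[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
  ' "$1"
}

# Print "source<TAB>key_id" for the key sent when --profile is not given:
# AWS_ACCESS_KEY_ID overrides the file, otherwise AWS_PROFILE (or default) is read.
effective_key_id() {  # usage: effective_key_id FILE
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    printf 'env\t%s\n' "$AWS_ACCESS_KEY_ID"
  else
    printf 'profile:%s\t%s\n' "${AWS_PROFILE:-default}" \
      "$(profile_key_id "$1" "${AWS_PROFILE:-default}")"
  fi
}

# Classify a key ID against "KeyId<TAB>Status" lines (list-access-keys text output).
classify_key() {  # usage: classify_key KEY_ID LISTING
  printf '%s\n' "$1" | grep -Eq '^(AKIA|ASIA)[A-Z0-9]{16}$' || { echo malformed; return; }
  case "$(printf '%s\n' "$2" | awk -F'\t' -v k="$1" '$1 == k { print $2; exit }')" in
    Active)   echo active ;;
    Inactive) echo inactive ;;
    *)        echo missing ;;   # deleted, or it belongs to another account
  esac
}

CREDS=$(mktemp); trap 'rm -f "$CREDS"' EXIT
cat > "$CREDS" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEOLDKEY000
aws_secret_access_key = EXAMPLE-SECRET-NOT-REAL
[deploy]
aws_access_key_id = AKIAEXAMPLENEWKEY000
aws_secret_access_key = EXAMPLE-SECRET-NOT-REAL
EOF
LISTING=$(printf 'AKIAEXAMPLENEWKEY000\tActive\nAKIAEXAMPLEMIDKEY000\tInactive')

for p in default deploy; do
  id=$(AWS_ACCESS_KEY_ID='' AWS_PROFILE=$p effective_key_id "$CREDS" | cut -f2)
  echo "$p: $id -> $(classify_key "$id" "$LISTING")"
done
```

With real data, replace `LISTING` with the output of `aws iam list-access-keys --user-name USER_NAME --query 'AccessKeyMetadata[*].[AccessKeyId,Status]' --output text`, run from credentials that still work.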

Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.