If you encounter the following error while using AWS Vault (in the terminal sessions below, the leading `.aws` is the shell prompt, not part of the command):
    .aws aws-vault login sandbox
    aws-vault: error: login: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 6e01cf21-6063-4b5c-8e3b-13fd48e5c0f4, api error InvalidClientTokenId: The security token included in the request is invalid.
Follow these steps to resolve it.
Step 1: Remove the Existing Profile
Clear the credentials and sessions for the problematic profile.
    .aws aws-vault remove sandbox
    Delete credentials for profile "sandbox"? (y|N) y
    Deleted credentials.
    .aws aws-vault clear
    Cleared 1 sessions.
Step 2: Add the Profile Again
Re-add the profile and provide valid AWS credentials (Access Key ID and Secret Access Key).
    .aws aws-vault add sandbox
    Enter Access Key ID: ASIASKMSLQBTDWGU4OAE
    Enter Secret Access Key: ****************************************
    Added credentials to profile "sandbox" in vault.
Step 3: Validate the Credentials
Run the sts get-caller-identity command to confirm the account associated with the credentials.
    .aws aws sts get-caller-identity --profile sandbox
Output:
    {
        "UserId": "AIDASKMNCISUXLKJDLFJ",
        "Account": "00000000000",
        "Arn": "arn:aws:iam::00000000000:user/azmidotmy"
    }
Step 4: Reconfigure the Profile for SSO
Update the profile to use AWS SSO instead of static credentials.
    .aws aws configure sso --profile sandbox
Follow the prompts:
    SSO session name: sandbox
    SSO start URL: https://d-94857bbsde6.awsapps.com/start
    SSO region: us-east-1
    SSO registration scopes: sso:account:access
Authorize the request using the code provided, then continue with the prompts:
    Select the account ID: 0000000000000
    Choose the role: AWSAdministratorAccess
    Default region: us-east-1
    Default output format: json
The CLI finishes with:
    To use this profile, specify the profile name using --profile, as shown:
    aws s3 ls --profile sandbox
Step 5: Verify the Profile Update
Run sts get-caller-identity again to ensure the profile now uses the updated SSO credentials.
    .aws aws sts get-caller-identity --profile sandbox
Step 6: Remove Old Credentials
Clean up the AWS Vault entry for the profile.
    .aws aws-vault remove sandbox
    Delete credentials for profile "sandbox"? (y|N) y
    Deleted credentials.
Step 7: Test Login
Log in using the updated SSO configuration:
    .aws aws-vault login sandbox
Output:
    Opening the SSO authorization page in your default browser (use Ctrl-C to abort)
    https://d-94857bbsde6.awsapps.com/start/#/device?user_code=SGFG-ZDCG
After successful authorization, you can use the sandbox profile for AWS operations.
Summary: Resolving the AWS Vault InvalidClientTokenId Error with SSO Configuration
This step-by-step guide helps you resolve the AWS Vault InvalidClientTokenId error by properly configuring your AWS profile to use Single Sign-On (SSO):
- Understand the Issue: The error occurs when AWS Vault tries to authenticate with invalid or outdated credentials, or when static IAM credentials are used instead of SSO.
- Remove Existing Credentials: Clear old credentials and sessions for the affected profile using aws-vault remove and aws-vault clear.
- Re-add the Profile: Use aws-vault add to add fresh credentials (Access Key ID and Secret Access Key) for initial validation.
- Validate Account: Run aws sts get-caller-identity to confirm the account and IAM user associated with the profile.
- Reconfigure Profile for AWS SSO: Replace static credentials with SSO configuration using aws configure sso, selecting the appropriate AWS account, role, region, and output format.
- Verify the Setup: Test the new configuration by logging in with aws-vault login <profile-name> to ensure it works seamlessly.
Result: This process ensures that AWS Vault uses SSO for authentication, improving security and compatibility with modern AWS account setups.
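As an added example (not part of the original guide and not code from the aws-vault project), the following POSIX shell script performs two pre-flight checks that the first summary bullet implies before starting a remove/add cycle: it reads a profile from the ~/.aws/config layout that aws configure sso writes and reports whether the profile is SSO-backed or still static, and it classifies an access key ID by its prefix. The config text, profile names, account ID and start URL are constructed placeholders.

```sh
#!/bin/sh
# Added example, not part of the original guide or of aws-vault itself.
# Two pre-flight checks for the InvalidClientTokenId situation above:
# 1) is the profile already SSO-backed in ~/.aws/config, or still static?
# 2) what kind of access key ID was typed into `aws-vault add`?

# Constructed sample config (placeholder start URL and account ID) in the
# layout that `aws configure sso --profile sandbox` writes.
SAMPLE_CONFIG='[profile legacy]
region = us-east-1

[sso-session sandbox]
sso_start_url = https://d-EXAMPLE.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile sandbox]
sso_session = sandbox
sso_account_id = 000000000000
sso_role_name = AWSAdministratorAccess
region = us-east-1
output = json'

# profile_auth_mode CONFIG_TEXT PROFILE -> prints "sso", "static" or "missing"
profile_auth_mode() {
  printf '%s\n' "$1" | awk -v want="[profile $2]" '
    $0 == want { found = 1; inside = 1; next }
    /^\[/      { inside = 0; next }
    inside && NF {
      key = $1; sub(/=.*/, "", key)      # tolerate "key=value" without spaces
      if (key == "sso_session" || key == "sso_start_url") sso = 1
    }
    END {
      if (!found) print "missing"; else if (sso) print "sso"; else print "static"
    }'
}

# key_id_kind ACCESS_KEY_ID -> prints "long-term", "temporary" or "unknown".
# AKIA... is a long-term IAM user key. ASIA... is a temporary STS key that is
# only valid together with its session token; the `aws-vault add` prompt shown
# above asks for no token, so such a key cannot authenticate on its own.
key_id_kind() {
  case "$1" in
    AKIA*) echo long-term ;;
    ASIA*) echo temporary ;;
    *)     echo unknown ;;
  esac
}

# Run the checks against the sample; with a real config, pass "$(cat ~/.aws/config)".
echo "sandbox: $(profile_auth_mode "$SAMPLE_CONFIG" sandbox)"   # sso
echo "legacy:  $(profile_auth_mode "$SAMPLE_CONFIG" legacy)"    # static
echo "key:     $(key_id_kind ASIAEXAMPLEKEYID0000)"              # temporary
```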
Context & Resources:
AWS Vault Documentation:
Link: https://github.com/99designs/aws-vault
The official AWS Vault repository and README, for deeper insight into its usage.
AWS SSO Documentation:
Link: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
Explains how AWS Single Sign-On works.
AWS STS Documentation:
Link: https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
A reference for the sts get-caller-identity command and other AWS STS operations.
AWS CLI User Guide:
Link: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
Official guide to configuring AWS CLI profiles with SSO.
AWS Security Best Practices:
Link: https://aws.amazon.com/architecture/security-identity-compliance/
Further reading on securing your AWS accounts.