If you see the error “The security token included in the request is invalid”, it means AWS is having trouble authenticating your identity. The information and instructions below will help you with this problem.
The Error “The security token included in the request is invalid”
This error happens to users of AWS CLI, the official command-line client of this cloud service. For instance, you can run into it when you use the get-caller-identity sub-command to get information about an IAM user:
$ aws sts get-caller-identity
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
The error message suggests there is something wrong with your ‘security token’. In this context, it means your temporary credentials are invalid.
Temporary Security Credentials In AWS
As with other services, AWS uses security credentials to verify your identity when you make API requests.
These details are also used to determine whether you have the necessary permission to carry out requests such as downloading an entire S3 bucket. In short, security credentials are how AWS authenticates and authorizes your requests.
In addition to permanent keys, AWS can also issue temporary credentials to trusted users so they can perform specific operations before the expiration time.
Compared to regular credentials, these security credentials are only short-term. Your IAM account may be able to use them for a few hours or even less. Outside this window, the temporary credentials expire, and AWS won’t recognize them or accept any request made with them.
One of the most popular applications of these short-lived credentials is when you want to bring additional protection to your API calls with multi-factor authentication. In this case, in order to get temporary credentials for your user, you will need to submit the correct MFA code as well.
The error “The security token included in the request is invalid” means either that you provided the wrong temporary security credentials or that your credentials have expired. To make any new request with AWS CLI, you will need to obtain and use new security credentials.
Solution
First, you should remove your old temporary credentials from your AWS CLI configuration.
Delete the ‘aws_session_token’ line from your ‘credentials’ file. It is located at ~/.aws/credentials on Linux and macOS and %USERPROFILE%\.aws\credentials on Windows.
If you have set your credentials using environment variables, unset them too:
unset AWS_SESSION_TOKEN
Obtain temporary security credentials by using the Security Token Service (AWS STS) API. In particular, you will need to use the get-session-token subcommand.
aws sts get-session-token \
    --duration-seconds 900 \
    --serial-number YourMFADeviceSerialNumber \
    --token-code YourSecretCode
Replace YourMFADeviceSerialNumber with the serial number of the virtual MFA device assigned to your user and YourSecretCode with the secret code the authenticator app generates when you make the request.
AWS CLI will give you an output like this:
{
    "Credentials": {
        "AccessKeyId": "ASIAXRRBOSPCXUSDRNPS",
        "SecretAccessKey": "0esudmhyjBi/cnBKADMsfjUHodZnQHYXKtElVoPF",
        "SessionToken": "IQo///////wEaCXVzLXdlc3QtMSJGMEQCIE9zDXKV1ww0YvBeJ8jXk6Uo1Doa6mjwzruZws7HAL/+U6MFKtk0DVTiTmb70H1ziQb+usKi675Ld40VJ1IP6N8Paw5AV7SUGLdEXeh4Cz3csplED8YeqiW1jS7wGwxS8geowYMjI=",
        "Expiration": "2022-07-30T11:49:33+00:00"
    }
}
This JSON text contains the access key ID, secret access key, and session token for your user.
You can now export the session token to the environment variable AWS_SESSION_TOKEN before making API requests:
Linux and macOS
export AWS_SESSION_TOKEN=example-session-token
Windows
set AWS_SESSION_TOKEN=example-session-token
Replace example-session-token with the value of the ‘SessionToken’ key in the JSON output. Your API calls should no longer complain about invalid security credentials:
$ aws sts get-caller-identity
{
    "UserId": "AIDAXRRBOSPCSRFTRCWZN",
    "Account": "518687462341",
    "Arn": "arn:aws:iam::518687462341:user/LearnShareIT"
}
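An added example (not from the original article) that loads a get-session-token result into the environment: the SessionToken is only accepted together with the AccessKeyId and SecretAccessKey returned in the same response, so it exports all three and refuses incomplete, mismatched or expired input. The function name load_session_creds, its return codes and the sample line are constructed for illustration; it assumes the CLI was run with the --query and --output text options shown in the comment, which print the four fields tab-separated with a UTC expiration.

```sh
#!/bin/sh
# Added example. Real use (serial number and code are yours):
#   line=$(aws sts get-session-token --serial-number ... --token-code ... \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
#     --output text) && load_session_creds "$line"

# Returns 0 and exports all three variables, or leaves the environment
# untouched and returns 1 (incomplete), 2 (not a temporary key), 3 (expired).
load_session_creds() {
    _line=$1
    # Current UTC time; a second argument overrides it so checks are repeatable.
    _now=${2:-$(date -u +%Y-%m-%dT%H:%M:%S)}
    # cut splits on tabs by default; -s yields nothing if the line has no tab.
    _akid=$(printf '%s\n' "$_line" | cut -s -f1)
    _secret=$(printf '%s\n' "$_line" | cut -s -f2)
    _token=$(printf '%s\n' "$_line" | cut -s -f3)
    _expiry=$(printf '%s\n' "$_line" | cut -s -f4 | cut -c1-19)
    if [ -z "$_akid" ] || [ -z "$_secret" ] || [ -z "$_token" ] || [ -z "$_expiry" ]; then
        echo "incomplete credential set" >&2; return 1
    fi
    # STS-issued access key IDs start with ASIA; a long-term AKIA key
    # does not belong with a session token.
    case $_akid in
        ASIA*) ;;
        *) echo "access key is not a temporary (ASIA) key" >&2; return 2 ;;
    esac
    # Same-format UTC timestamps sort chronologically as plain strings.
    _first=$(printf '%s\n%s\n' "$_expiry" "$_now" | LC_ALL=C sort | head -n 1)
    if [ "$_first" = "$_expiry" ]; then
        echo "credentials expired at $_expiry UTC" >&2; return 3
    fi
    export AWS_ACCESS_KEY_ID="$_akid"
    export AWS_SECRET_ACCESS_KEY="$_secret"
    export AWS_SESSION_TOKEN="$_token"
}

# Constructed sample line (not real credentials).
SAMPLE_LINE=$(printf '%s\t%s\t%s\t%s' ASIACONSTRUCTED00001 \
    constructedSecretKey constructedSessionToken== 2030-01-01T12:00:00+00:00)

# Demo with a fixed clock so the result does not depend on today's date.
load_session_creds "$SAMPLE_LINE" 2030-01-01T11:00:00 &&
    echo "loaded $AWS_ACCESS_KEY_ID"
```

Define the function in the current shell (for example by sourcing the file) so that the exported variables are visible to later aws commands.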
Summary
The error “The security token included in the request is invalid” occurs when you provide AWS with the wrong temporary credentials. Obtain a new one and send it to AWS to authorize your requests through AWS CLI.
My name is Robert. I have a degree in information technology and two years of expertise in software development. I’ve come to offer my understanding on programming languages. I hope you find my articles interesting.