How can I resolve the AWS STS AssumeRoleWithWebIdentity API call error "InvalidIdentityToken"?

Last updated: 2022-05-18

The AWS Security Token Service (AWS STS) API call AssumeRoleWithWebIdentity failed with an error similar to the following:

"An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation. Couldn't retrieve verification key from your identity provider."

Short description

This error can occur if:

  • The .well-known URL (the OpenID discovery document) and the jwks_uri of the identity provider (IdP) aren't reachable from the public internet. AWS STS fetches the IdP's signing keys from the jwks_uri to verify the token's signature, so the IdP endpoints must be publicly reachable.
  • A custom firewall is blocking the requests.
  • The IdP takes more than 5 seconds to answer the key-retrieval request from the AWS STS endpoint.

Note: This error isn't logged in the AWS CloudTrail event history because the call fails on the client side.

Resolution

1.    Verify that the .well-known URL and the jwks_uri of the identity provider (IdP) are publicly accessible. You can check this from a browser, from a Windows command prompt, or from a Linux shell.

Do one of the following:

Navigate to the following links in your browser to check access:

https://<base_server_url>/.well-known/openid-configuration 

https://<base_server_url>/.well-known/jwks.json

-or-

Run the following commands:

Windows:

wget https://<base_server_url>/.well-known/openid-configuration
wget https://<base_server_url>/.well-known/jwks.json

Linux:

curl https://<base_server_url>/.well-known/openid-configuration
curl https://<base_server_url>/.well-known/jwks.json

Note: Check for an HTTP "200" status code in each response to confirm that the links are accessible. The jwks.json path above is only a common convention; the authoritative location of the keys is the jwks_uri value in the openid-configuration response, so read it from there and check that URL.

2.    If the .well-known URL and the jwks_uri of the IdP aren't accessible, check the firewall settings to confirm that the IdP domains aren't on a deny list.

Depending on the current configuration of the firewall, the domains might need to be added to an allow list.

If you can't access the firewall settings, repeat the checks from step 1 in a browser on a device that's on a different network (for example, a phone on a mobile network). If the request succeeds from there but not from your network, your firewall is blocking it.

If the server making the AssumeRoleWithWebIdentity API call is an Amazon Elastic Compute Cloud (Amazon EC2) instance, make sure that the instance's network configuration (security group, network ACL, and route table) allows outbound HTTPS to the IdP and to the AWS STS endpoint. For instructions, see Why can't I connect to a website that is hosted on my EC2 instance?

3.    Check the latency for the total operation.

The total latency for the operation includes:

  • Request/Response time from STS
  • Request/Response time from IdP

Minimize AWS STS latency

Use Regional endpoints instead of the global endpoint for the AWS STS service. This routes requests to the geographically closest STS endpoint and reduces latency. For more information, see Writing code to use AWS STS regions.

Note: For the AWS SDKs and the AWS CLI, set sts_regional_endpoints = regional in the profile (or the AWS_STS_REGIONAL_ENDPOINTS=regional environment variable); the request is then sent to the STS endpoint of the AWS Region that the call is made in.

Evaluating IdP latency

While validating the token, AWS STS fetches the discovery document and the signing keys from the IdP's jwks_uri. Check the IdP's access logs (or the logs of the web server or CDN in front of it) for these requests and confirm how long the IdP takes to serve them.

Note: If the IdP takes more than 5 seconds to respond to the request from the STS endpoint, then the request might time out and fail. Contact your identity provider and ask whether the discovery and JWKS endpoints can be served from a location closer to the STS endpoint that you use, to reduce latency for this API call.

4.    (Optional) Use exponential backoff.

Use exponential backoff so that retries after an error wait progressively longer. The AssumeRoleWithWebIdentity API depends on retrieving the signing keys from the identity provider (IdP), and most IdPs rate-limit their endpoints. A burst of calls can therefore be throttled, and a throttled key fetch means that STS doesn't get the keys it needs to validate the token. Implement a maximum delay interval and a maximum number of retries. For more information, see Error retries and exponential backoff in AWS.
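The following script ties steps 1 through 4 together into one reachability and latency check that you run from the network that is failing. It is an added example, not part of the AWS article: it fetches the discovery document, reads the jwks_uri from it instead of assuming /.well-known/jwks.json, requires HTTP 200 from both, flags any response slower than the 5-second budget the article cites, and retries with capped exponential backoff. The hostname idp.example.com and the SAMPLE_DISCOVERY document are constructed placeholders used only to exercise the parser offline.

```shell
#!/bin/sh
# Added OIDC endpoint check (not from the AWS article). Verifies, from the
# caller's network, the conditions AssumeRoleWithWebIdentity needs:
#   1. the discovery document returns HTTP 200
#   2. the jwks_uri taken from that document returns HTTP 200
#   3. both answer within the 5-second budget
# Retries use capped exponential backoff. Hostnames are placeholders and
# SAMPLE_DISCOVERY is a constructed document for offline parser checks.
set -eu

LATENCY_LIMIT_SECS=5

# Pull jwks_uri out of an OpenID discovery document read from stdin.
# Plain sed so there is no jq dependency; assumes an unescaped string value.
extract_jwks_uri() {
  sed -n 's/.*"jwks_uri"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Fetch one URL and print "<http_code> <seconds>"; "000 0" if curl itself fails.
probe() {
  curl -sS -o /dev/null --max-time 10 -w '%{http_code} %{time_total}' "$1" \
    || printf '000 0'
}

# Map a probe result onto the article's failure modes.
# Prints ok | slow | unreachable and returns 0 | 2 | 1 respectively.
classify() {
  code="$1"; secs="$2"; limit="${3:-$LATENCY_LIMIT_SECS}"
  if [ "$code" != "200" ]; then
    echo unreachable; return 1
  fi
  if awk -v s="$secs" -v l="$limit" 'BEGIN { exit !(s > l) }'; then
    echo slow; return 2
  fi
  echo ok
}

# Deterministic backoff schedule: min(cap, base * 2^attempt) seconds.
# Add random jitter on top in production to avoid synchronized retries.
backoff_delay() {
  attempt="$1"; base="${2:-1}"; cap="${3:-16}"
  d=$(( base << attempt ))
  if [ "$d" -gt "$cap" ]; then d="$cap"; fi
  echo "$d"
}

# Probe a URL up to $2 times, backing off between attempts; prints the last result.
probe_with_retry() {
  url="$1"; max="${2:-4}"; n=0; result="000 0"
  while [ "$n" -lt "$max" ]; do
    result=$(probe "$url")
    case "$result" in "200 "*) break ;; esac
    n=$((n + 1))
    sleep "$(backoff_delay "$n")"
  done
  echo "$result"
}

# Run the full check against one IdP base hostname.
check_idp() {
  base="$1"
  disc="https://${base}/.well-known/openid-configuration"
  r=$(probe_with_retry "$disc"); code=${r%% *}; secs=${r#* }
  printf '%-10s %s (%ss) %s\n' discovery "$code" "$secs" "$(classify "$code" "$secs" || true)"
  [ "$code" = "200" ] || return 1
  jwks=$(curl -sS --max-time 10 "$disc" | extract_jwks_uri)
  [ -n "$jwks" ] || { echo "no jwks_uri in discovery document"; return 1; }
  r=$(probe_with_retry "$jwks"); code=${r%% *}; secs=${r#* }
  printf '%-10s %s (%ss) %s  [%s]\n' jwks_uri "$code" "$secs" "$(classify "$code" "$secs" || true)" "$jwks"
}

# Constructed sample discovery document (not a real IdP), for offline checks.
SAMPLE_DISCOVERY='{"issuer":"https://idp.example.com","jwks_uri":"https://idp.example.com/oauth2/v1/keys","authorization_endpoint":"https://idp.example.com/oauth2/v1/authorize"}'

# Usage: sh check_oidc.sh idp.example.com
if [ "$#" -ge 1 ]; then
  check_idp "$1"
fi
```

Run it from the host that makes the AssumeRoleWithWebIdentity call, and again from a machine on another network: "unreachable" on the first and "ok" on the second points at the firewall (step 2), while "slow" on both points at the IdP's own latency (step 3).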
