Why did I receive the IAM error "AWS was not able to validate the provided access credentials" in some AWS Regions?

Last updated: 2022-06-27

I assumed an AWS Identity and Access Management (IAM) role and my API call returned an error similar to the following:

"An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials."

Short description

The AWS Security Token Service (AWS STS) supports an updated version of session tokens, version 2. New AWS Regions (for example, Bahrain) are not enabled by default and accept only version 2 session tokens. This error can occur when version 1 session tokens are used to make a request to service endpoints in AWS Regions that are not enabled by default. For more information, see Managing AWS STS in an AWS Region.

Resolution

Session tokens obtained from Regional AWS STS endpoints are version 2 tokens and are valid in all AWS Regions. As a best practice, use Regional STS endpoints. Using an endpoint that is geographically closer to your application reduces latency and provides better response times.

Use one of the following methods to resolve this issue.

Obtain tokens from a Regional endpoint

The following example uses the AWS SDK for Python (Boto3).

Note:

  • Replace your-region, AccountID, and RoleName with the values for your environment.
  • Setting endpoint_url is required to configure the STS client for the Regional endpoint; region_name alone is not enough.

import boto3

# Replace the existing code that creates the STS client with the following.
# Both region_name and endpoint_url point at the Regional endpoint, so the
# tokens returned are version 2 and valid in all AWS Regions.
sts_client = boto3.client('sts', region_name='your-region', endpoint_url='https://sts.your-region.amazonaws.com')

Include the --region and --endpoint-url options in your existing bash script or command to use Regional endpoints.

aws sts assume-role --role-arn arn:aws:iam::AccountID:role/RoleName --role-session-name RoleName --region your-region --endpoint-url https://sts.your-region.amazonaws.com
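The following is an added example, not code from the AWS article: a small helper that builds the Regional STS endpoint URL from a Region name, assumes a role through that endpoint, and turns an AuthFailure response into an error message that names the likely cause (a version 1 token presented to a Region that is not enabled by default). It assumes the https://sts.<region>.amazonaws.com hostname pattern shown in the article (standard partition only); the sts_client parameter is a hypothetical injection point so the logic can be exercised without network access, and the fake response values in the comments are constructed.

```python
"""Assume an IAM role through a Regional AWS STS endpoint (added example).

Assumes the standard-partition hostname pattern https://sts.<region>.amazonaws.com
from the article. When no client is injected, a boto3 STS client is created with
region_name and endpoint_url both set, as the article requires.
"""
import re

# Region names look like "me-south-1" (Bahrain) or "us-east-1".
_REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d+$")


def regional_sts_endpoint(region: str) -> str:
    """Return the Regional STS endpoint URL for `region` (standard partition)."""
    if not _REGION_RE.match(region):
        raise ValueError(f"not a valid region name: {region!r}")
    return f"https://sts.{region}.amazonaws.com"


def assume_role_regional(role_arn, region, session_name, sts_client=None):
    """Assume `role_arn` via the Regional STS endpoint for `region`.

    Returns a dict with the temporary credentials plus the endpoint that was used.
    `sts_client` is an assumed helper parameter: any object with an
    assume_role(RoleArn=..., RoleSessionName=...) method, so the function can be
    tested offline. By default a real boto3 client is built.
    """
    endpoint = regional_sts_endpoint(region)
    if sts_client is None:
        import boto3  # imported lazily so the helpers above stay stdlib-only
        sts_client = boto3.client("sts", region_name=region, endpoint_url=endpoint)
    try:
        resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    except Exception as exc:  # botocore's ClientError exposes the error code on .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "AuthFailure":
            raise RuntimeError(
                "AuthFailure from STS: the caller's session token is probably a "
                f"version 1 token, which is not valid in {region}. Obtain the "
                "caller's own credentials from a Regional STS endpoint as well."
            ) from exc
        raise
    creds = resp["Credentials"]
    return {
        "endpoint": endpoint,
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def session_from_credentials(creds, region):
    """Build a boto3 Session bound to `region` from assume_role_regional() output.

    The version 2 token in `creds` is accepted by service endpoints in every
    Region, including Regions that are not enabled by default.
    """
    import boto3
    return boto3.Session(
        aws_access_key_id=creds["aws_access_key_id"],
        aws_secret_access_key=creds["aws_secret_access_key"],
        aws_session_token=creds["aws_session_token"],
        region_name=region,
    )


if __name__ == "__main__":
    # Example usage (requires real AWS credentials and network access):
    # creds = assume_role_regional("arn:aws:iam::123456789012:role/RoleName",
    #                              "me-south-1", "RoleName")
    # ec2 = session_from_credentials(creds, "me-south-1").client("ec2")
    # print(ec2.describe_instances()["ResponseMetadata"]["HTTPStatusCode"])
    print(regional_sts_endpoint("me-south-1"))
```

The Region check is deliberately strict: a typo in the Region name would otherwise produce a hostname that does not exist, and the resulting connection error looks nothing like the AuthFailure the article describes, which makes the two problems easy to confuse.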

Change Region compatibility of session tokens for global endpoint

By default, AWS STS calls to the global endpoint issue version 1 session tokens. Version 1 tokens are valid only in AWS Regions that are enabled by default. However, you can configure the STS global endpoint to issue version 2 tokens, which can be used in all AWS Regions.

For instructions, see change the Region compatibility of session tokens for the global endpoint.

Important: Version 2 tokens include more characters than version 1 tokens. This might affect existing systems where you temporarily store tokens, for example a field with a fixed maximum length.