Why did I receive the IAM error "AWS was not able to validate the provided access credentials" in some AWS Regions?

Last updated: 2020-05-14

I assumed an AWS Identity and Access Management (IAM) role and my API call returned an error similar to the following:

"An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials."  

Short Description

The AWS Security Token Service (AWS STS) now supports an updated version format for session tokens. AWS Regions that are not enabled by default (opt-in Regions, for example Asia Pacific (Hong Kong) and Middle East (Bahrain)) accept only tokens in the updated format. The global AWS STS endpoint (sts.amazonaws.com) issues tokens in the previous format by default. This error occurs when a session token in the previous format is presented to a service endpoint in an opt-in Region: the Region cannot validate the token, so the API call fails with AuthFailure even though the credentials are otherwise correct. For more information, see Managing AWS STS in an AWS Region.

Resolution

Tokens obtained from Regional STS endpoints use the updated version format and are valid in all AWS Regions, including opt-in Regions. It is a best practice to use Regional STS endpoints in any case: an endpoint that is geographically closer to your application answers with lower latency, and Regional endpoints are isolated from each other, so an issue in one Region does not affect STS calls made in another.

Use one of the following methods to resolve this issue.

Obtain tokens from a Regional endpoint

The following example command uses AWS SDK for Python (Boto3).

Note:

  • Replace your-region (in both places) with your AWS Region code, for example ap-east-1.
  • Setting the endpoint_url is required to configure the STS client for the Regional endpoint; setting region_name alone is not enough, because the client still defaults to the global endpoint.
# Replace existing code to create the STS client with the following
import boto3

sts_client = boto3.client(
    'sts',
    region_name='your-region',
    endpoint_url='https://sts.your-region.amazonaws.com',
)
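The following is an added example that builds on the snippet above; it is not code from the article or from AWS. It constructs the Regional STS endpoint URL from a Region code (handling the China partition, where the suffix is amazonaws.com.cn), refuses input that is not a Region code so that a typo cannot silently fall back to the global endpoint, and then wires the resulting credentials into a client for the opt-in Region. The role ARN, session name and Region in the demo at the bottom are placeholders.

```python
"""Assume a role through a Regional STS endpoint so the returned session
token is valid in opt-in Regions. Added example, not AWS's own code."""
import re

# Endpoint suffix per partition. Assumption: only these partitions are in play.
_PARTITION_SUFFIX = {
    "aws": "amazonaws.com",
    "aws-cn": "amazonaws.com.cn",
    "aws-us-gov": "amazonaws.com",
}

# The endpoint that issues previous-format tokens by default.
GLOBAL_STS_ENDPOINT = "https://sts.amazonaws.com"

# Region codes look like ap-east-1, me-south-1, cn-north-1, us-gov-west-1.
_REGION_RE = re.compile(r"[a-z]{2}(-gov)?-[a-z]+-\d")


def partition_for(region):
    """Derive the partition from the Region code prefix."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def regional_sts_endpoint(region):
    """Return the Regional STS endpoint URL for `region`.

    Raises ValueError for anything that is not shaped like a Region code,
    so a misconfiguration fails loudly instead of producing a URL that
    botocore would reject or, worse, a fallback to the global endpoint.
    """
    if not _REGION_RE.fullmatch(region):
        raise ValueError(f"not a valid AWS Region code: {region!r}")
    return f"https://sts.{region}.{_PARTITION_SUFFIX[partition_for(region)]}"


def is_global_sts_endpoint(url):
    """True if `url` is the global endpoint (previous-format tokens by default)."""
    return url.rstrip("/") == GLOBAL_STS_ENDPOINT


def sts_client(region):
    """STS client pinned to the Regional endpoint for `region`."""
    import boto3  # imported here so the helpers above work without boto3

    return boto3.client("sts", region_name=region,
                        endpoint_url=regional_sts_endpoint(region))


def assume_role_credentials(region, role_arn, session_name):
    """Assume `role_arn` via the Regional endpoint; return boto3 client kwargs."""
    resp = sts_client(region).assume_role(RoleArn=role_arn,
                                          RoleSessionName=session_name)
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


if __name__ == "__main__":
    # Placeholder values; this part needs network access and real IAM setup.
    import boto3

    region = "ap-east-1"  # an opt-in Region
    creds = assume_role_credentials(
        region, "arn:aws:iam::123456789012:role/ExampleRole", "example-session")
    ec2 = boto3.client("ec2", region_name=region, **creds)
    print(ec2.describe_instances()["ResponseMetadata"]["HTTPStatusCode"])
```

The helpers that do not touch the network can be used as a startup check in your own code: call is_global_sts_endpoint on whatever endpoint your configuration resolved to and refuse to start if the application will run in an opt-in Region. If you prefer not to hard-code endpoint_url, the AWS SDKs also honour the AWS_STS_REGIONAL_ENDPOINTS=regional environment variable (or sts_regional_endpoints = regional in ~/.aws/config), which makes the STS client use the Regional endpoint for the configured Region.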

Change Region compatibility of session tokens for global endpoint

You can also configure the STS global endpoint to issue tokens in the updated format so that tokens obtained from sts.amazonaws.com are valid in all AWS Regions, including opt-in Regions. This is an account-wide setting that requires IAM permissions to change.

For instructions, see change the Region compatibility of session tokens for the global endpoint.
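As an added example (not AWS's own code or the linked instructions), the following reads the account's current global endpoint token version through IAM GetAccountSummary, whose SummaryMap reports GlobalEndpointTokenVersion as 1 (previous format) or 2 (updated format), and switches it to the updated format with SetSecurityTokenServicePreferences. The pure-Python interpretation helpers are separated from the API calls so the decision logic can be tested without an AWS account.

```python
"""Inspect and change the token version issued by the global STS endpoint.
Added example; not AWS's code. Needs iam:GetAccountSummary and
iam:SetSecurityTokenServicePreferences to run the API-calling functions."""

# Integer reported by GetAccountSummary -> enum accepted by
# SetSecurityTokenServicePreferences.
GLOBAL_TOKEN_VERSIONS = {1: "v1Token", 2: "v2Token"}
_SUMMARY_KEY = "GlobalEndpointTokenVersion"


def global_token_version(summary_map):
    """Return 'v1Token' or 'v2Token' for a GetAccountSummary SummaryMap.

    Raises KeyError if the field is absent and ValueError on an unknown
    value, rather than guessing, because a wrong answer here would hide
    exactly the AuthFailure this article is about.
    """
    if _SUMMARY_KEY not in summary_map:
        raise KeyError(f"{_SUMMARY_KEY} missing from account summary")
    value = summary_map[_SUMMARY_KEY]
    if value not in GLOBAL_TOKEN_VERSIONS:
        raise ValueError(f"unexpected {_SUMMARY_KEY} value: {value!r}")
    return GLOBAL_TOKEN_VERSIONS[value]


def global_tokens_valid_in_all_regions(summary_map):
    """True when sts.amazonaws.com issues updated-format (v2) tokens."""
    return global_token_version(summary_map) == "v2Token"


def current_global_token_version(iam=None):
    """Query IAM for the live setting. `iam` may be a boto3 IAM client."""
    if iam is None:
        import boto3

        iam = boto3.client("iam")
    return global_token_version(iam.get_account_summary()["SummaryMap"])


def enable_v2_global_tokens(iam=None):
    """Switch the global endpoint to updated-format tokens; return the new setting."""
    if iam is None:
        import boto3

        iam = boto3.client("iam")
    if current_global_token_version(iam) == "v2Token":
        return "v2Token"  # already done; avoid a needless write
    iam.set_security_token_service_preferences(GlobalEndpointTokenVersion="v2Token")
    return current_global_token_version(iam)


if __name__ == "__main__":
    # Requires credentials with the IAM permissions named above.
    print("before:", current_global_token_version())
    print("after: ", enable_v2_global_tokens())
```

Run the check first and only call enable_v2_global_tokens after confirming that everything that stores session tokens can hold the longer updated-format value; the change applies to every caller of the global endpoint in the account at once.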

Important: Updated-format tokens are longer than previous-format tokens. This can break existing systems that temporarily store tokens in a field with a fixed maximum length, for example a database column, cache entry, or environment variable with a size limit. Check those limits before you switch the global endpoint or move callers to Regional endpoints.