When users attempt to access the AWS Management Console by using a sign-in URL that specifies a SessionDuration parameter, they receive an error message similar to the following:

HTTP Status 400 - Invalid credentials parameter
Status Report

- message: Invalid credentials parameter
- description: The request sent by the client was syntactically incorrect

This error can occur under the following conditions:

  1. Invalid temporary security credentials were used to generate the sign-in token that is passed in the SigninToken parameter of the URL used to access the AWS Management Console.
  2. You are assuming an IAM role from another IAM role. For example, your EC2 instance is using its IAM role to assume a second IAM role. When you are already authenticated using IAM role credentials and you call the AWS Security Token Service (AWS STS) AssumeRole API to get temporary security credentials for another role, you receive an HTTP Status 400 error if you attempt to specify a value for the SessionDuration HTTP parameter. In this scenario, it is still possible to call AssumeRole without specifying a value for SessionDuration, in which case the default session duration of 1 hour is used.

To create a sign-in URL for the AWS Management Console with a SessionDuration parameter, verify the following:

  1. Ensure that you obtain valid temporary security credentials for use when generating the sign-in token for the SigninToken parameter of the URL used to access the AWS Management Console. For more information about obtaining temporary security credentials, see Requesting Temporary Security Credentials, Using Temporary Security Credentials to Request Access to AWS Resources, and Controlling Permissions for Temporary Security Credentials.
  2. Consider implementing identity federation with SAML 2.0 and follow the steps at Enabling SAML 2.0 Federated Users to Access the AWS Management Console to configure your identity provider to include a SAML assertion attribute called SessionDuration that specifies how long the console session is valid. Alternatively, you can generate a sign-in URL using the security credentials from the instance metadata of the original IAM role. For more information, see Retrieving Security Credentials from Instance Metadata.
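The following added example (not part of the original article) builds the two federation endpoint URLs and rejects the two conditions described above before any request is sent. The function names, the `role_chained` flag, the issuer URL, the sample credentials, and the 900 to 43200 second range check are assumptions of this sketch.

```python
import json
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
REQUIRED_KEYS = ("AccessKeyId", "SecretAccessKey", "SessionToken")


def signin_token_url(creds, session_duration=None, role_chained=False):
    """Build the getSigninToken request URL; refuse inputs that lead to HTTP 400."""
    # Condition 1: the temporary credentials must be complete (all three parts).
    missing = [k for k in REQUIRED_KEYS if not creds.get(k)]
    if missing:
        raise ValueError(f"incomplete temporary credentials, missing: {missing}")
    params = {"Action": "getSigninToken"}
    if session_duration is not None:
        # Condition 2: credentials obtained by assuming a role from another role
        # must not be combined with SessionDuration; the 1-hour default applies.
        if role_chained:
            raise ValueError("omit SessionDuration for role-chained credentials")
        # Assumed range for the federation endpoint: 900 to 43200 seconds.
        if not 900 <= session_duration <= 43200:
            raise ValueError("SessionDuration must be 900..43200 seconds")
        params["SessionDuration"] = str(session_duration)
    params["Session"] = json.dumps({
        "sessionId": creds["AccessKeyId"],
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    })
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"


def console_login_url(signin_token, destination="https://console.aws.amazon.com/",
                      issuer="https://example.com"):
    """Build the console sign-in URL from the SigninToken the endpoint returned."""
    return f"{FEDERATION_ENDPOINT}?" + urlencode({
        "Action": "login", "Issuer": issuer,
        "Destination": destination, "SigninToken": signin_token})


# Constructed sample credentials for illustration only; not real values.
SAMPLE = {"AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
          "SecretAccessKey": "constructed-secret-access-key",
          "SessionToken": "constructed-session-token"}

if __name__ == "__main__":
    print(signin_token_url(SAMPLE, session_duration=43200))
    print(signin_token_url(SAMPLE, role_chained=True))
```
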


Published: 2016-08-17