Quick Answer
```bash
# Test your credentials
aws sts get-caller-identity
# If that fails, reconfigure
aws configure
# Or export correct credentials (temporary credentials, key IDs starting
# with ASIA, also need AWS_SESSION_TOKEN or STS rejects them)
export AWS_ACCESS_KEY_ID="your-key"
export AWS_SECRET_ACCESS_KEY="your-secret"
```
The Error
```text
Error: configuring Terraform AWS Provider: validating provider credentials:
retrieving caller identity from STS: operation error STS: GetCallerIdentity,
https response error StatusCode: 403, api error InvalidClientTokenId:
The security token included in the request is invalid.
```
What Causes This
- Wrong credentials — typo in the access key or secret key, or a temporary key (ID starting with ASIA) exported without its AWS_SESSION_TOKEN
- Expired temporary credentials — STS assume-role sessions last 1-12 hours (1 hour by default), and SSO sessions expire too
- Wrong AWS profile — using the default profile when you need a named one
- Deleted/deactivated key — IAM access key was rotated or disabled
- Region mismatch for STS — opt-in regions reject session tokens issued by the global STS endpoint, so those regions need the regional endpoint
- Environment variable override — a stale AWS_ACCESS_KEY_ID exported in the shell takes precedence over any profile
Solution 1: Verify Your Credentials
```bash
# Check which identity the CLI resolves; Terraform resolves the same identity
# as long as both use the same profile and environment variables
aws sts get-caller-identity
```
Expected output:
```json
{
  "UserId": "AIDAEXAMPLE",
  "Account": "123456789012",
  "Arn": "arn:aws:iam::123456789012:user/terraform"
}
```
If this fails with InvalidClientTokenId, the credentials the CLI resolved are the problem and Terraform fails for the same reason. If it succeeds but Terraform still fails, the two are resolving different credentials (for example a profile set in the provider block but not in AWS_PROFILE), so work through the sources in the next step.
Solution 2: Check Where Credentials Come From
The Terraform AWS provider resolves credentials in this order, and the first source that yields a key pair wins:
- access_key and secret_key in the provider "aws" block of your .tf files (don't put secrets here)
- Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, plus AWS_SESSION_TOKEN for temporary credentials
- Shared credentials and config files: ~/.aws/credentials and ~/.aws/config, using the profile named by AWS_PROFILE or the provider's profile argument; SSO sessions are configured in these files and resolved at this step
- Container credentials (ECS task role), then the EC2 instance profile via the instance metadata service
```bash
# Check environment variables (an exported key overrides every profile)
echo $AWS_ACCESS_KEY_ID
echo $AWS_PROFILE
# List the profiles defined in the credentials and config files
# (do not cat ~/.aws/credentials: it prints secret keys into your scrollback)
grep '^\[' ~/.aws/credentials ~/.aws/config
# Check which profile is active and where each value came from
aws configure list
```
Fix: Wrong Profile
```bash
# Use a specific profile for both the CLI and Terraform
export AWS_PROFILE=terraform-prod
```
```hcl
# Or in provider config
provider "aws" {
  region  = "us-east-1"
  profile = "terraform-prod"
}
```
A profile set only in the provider block does not change what the aws CLI uses, so pass --profile terraform-prod to the CLI when comparing identities. If AWS_ACCESS_KEY_ID is exported it wins over both forms of profile selection; unset it first.
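To make the precedence rules above concrete, here is an added diagnostic script (not from the original page, and not part of the Terraform provider or AWS CLI). It reports which credential source the SDK, and therefore Terraform, will consult first, warns when an exported key is silently overriding AWS_PROFILE, and checks that a named profile actually exists in the shared files. Function names and the sample credentials file are assumptions constructed for the example; the key values are the placeholder keys from the AWS documentation.

```sh
#!/bin/sh
# Added example (not from the original page): report the winning credential
# source and sanity-check the named profile. Helper names are hypothetical.

# mask_key_id KEY: show only the 4-char prefix and last 4 chars of an access
# key ID, so the report can be shared without pasting the full identifier.
mask_key_id() {
  key="$1"
  n=${#key}
  if [ "$n" -le 8 ]; then
    echo "****"
    return 0
  fi
  printf '%s************%s\n' "$(printf '%s' "$key" | cut -c1-4)" \
    "$(printf '%s' "$key" | cut -c$((n - 3))-"$n")"
}

# cred_source AKID SECRET TOKEN PROFILE: report the winning source following
# the precedence order above. Values are passed as arguments rather than read
# from the environment so the logic can be exercised on test input.
cred_source() {
  akid="$1"; secret="$2"; token="$3"; profile="$4"
  if [ -n "$akid" ] || [ -n "$secret" ]; then
    # Static env credentials are consulted before any profile, so a stale
    # export silently overrides AWS_PROFILE.
    if [ -z "$akid" ] || [ -z "$secret" ]; then
      echo "env-incomplete"
      return 2
    fi
    if [ -n "$token" ]; then
      echo "env-temporary"      # session token present: check its expiry
    else
      echo "env-static"
    fi
    return 0
  fi
  echo "profile:${profile:-default}"
}

# profile_defined NAME FILE: succeed if FILE has a [NAME] or [profile NAME]
# section (credentials file and config file use different header forms).
profile_defined() {
  name="$1"; file="$2"
  [ -r "$file" ] || return 1
  grep -q "^\[\(profile \)\{0,1\}$name][[:space:]]*$" "$file"
}

# Constructed sample credentials file (placeholder keys from the AWS docs),
# used for the demo and for tests.
DEMO_CREDS=$(mktemp)
cat > "$DEMO_CREDS" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[terraform-prod]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
EOF

# Report on the real shell environment (run the script directly to diagnose
# the session you are about to run terraform in).
src=$(cred_source "${AWS_ACCESS_KEY_ID:-}" "${AWS_SECRET_ACCESS_KEY:-}" \
                  "${AWS_SESSION_TOKEN:-}" "${AWS_PROFILE:-}") || true
echo "credential source: $src"
case "$src" in
  env-*)
    echo "  AWS_ACCESS_KEY_ID=$(mask_key_id "${AWS_ACCESS_KEY_ID:-}")"
    [ -n "${AWS_PROFILE:-}" ] && echo "  warning: AWS_PROFILE=$AWS_PROFILE is ignored"
    ;;
  profile:*)
    p=${src#profile:}
    if profile_defined "$p" "$HOME/.aws/credentials" || profile_defined "$p" "$HOME/.aws/config"; then
      echo "  profile '$p' found in ~/.aws"
    else
      echo "  warning: profile '$p' not found in ~/.aws/credentials or ~/.aws/config"
    fi
    ;;
esac
```

The "env-incomplete" case is worth keeping: half an exported key pair (one variable unset after a partial cleanup) produces the same InvalidClientTokenId as a wrong key, and nothing in the Terraform error hints at it.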
Solution 3: Refresh Expired Credentials
```bash
# If using SSO (refreshes the SSO session; nothing to export)
aws sso login --profile my-profile
# If using assume-role: this prints new temporary credentials, it does not
# change the current session. Export the returned AccessKeyId,
# SecretAccessKey and SessionToken, or put role_arn in a profile so the SDK
# assumes the role for you on every run.
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/TerraformRole \
  --role-session-name terraform-session
# If using MFA: likewise prints temporary credentials that must be exported
aws sts get-session-token \
  --serial-number arn:aws:iam::123456789012:mfa/myuser \
  --token-code 123456
```
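Both assume-role and get-session-token only print credentials; the usual mistake is to run them and then start terraform with the old environment still in place. The following added helper (example code, not from the page or the AWS CLI) turns the CLI's text output into export statements and refuses to emit credentials whose Expiration has already passed. It assumes the CLI was invoked with --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' --output text, which yields one tab-separated line; the sample line below is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): export STS temporary
# credentials and detect expired sessions. Helper names are hypothetical.

# sts_expired EXPIRATION [NOW]: succeed if the ISO-8601 UTC timestamp has
# passed. Both values share the YYYY-MM-DDTHH:MM:SS layout, so a plain
# string comparison orders them correctly without date arithmetic.
sts_expired() {
  exp=$(printf '%s' "$1" | cut -c1-19)
  now=${2:-$(date -u +%Y-%m-%dT%H:%M:%S)}
  expr "$exp" \< "$now" >/dev/null
}

# sts_export_line LINE [NOW]: LINE is "AKID SECRET TOKEN EXPIRATION" as
# printed by the AWS CLI in text mode. Prints export statements suitable
# for eval, or fails (status 1) if the session has already expired.
sts_export_line() {
  now="${2:-}"
  set -f                # no globbing while splitting the line into fields
  set -- $1
  set +f
  if [ "$#" -ne 4 ]; then
    echo "sts_export_line: expected 4 fields, got $#" >&2
    return 2
  fi
  akid="$1"; secret="$2"; token="$3"; exp="$4"
  if sts_expired "$exp" "$now"; then
    echo "sts_export_line: session expired at $exp; re-run assume-role" >&2
    return 1
  fi
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$akid"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
  printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
  printf '# session expires at %s\n' "$exp"
}

# Constructed sample of what the CLI prints for the --query above
# (placeholder key from the AWS docs, made-up token, far-future expiry).
SAMPLE_STS_LINE=$(printf 'ASIAIOSFODNN7EXAMPLE\twJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\tFQoGZXIvYXdzEXAMPLESESSIONTOKEN\t2030-01-01T00:00:00+00:00')

# Demo on the constructed line; prints the export statements.
sts_export_line "$SAMPLE_STS_LINE" || echo "credentials not exported"

# Real use (needs network and a working source identity):
#   eval "$(sts_export_line "$(aws sts assume-role \
#       --role-arn arn:aws:iam::123456789012:role/TerraformRole \
#       --role-session-name terraform-session \
#       --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
#       --output text)")"
```

Because the function fails instead of exporting stale values, a shell wrapper around terraform can call it before every plan and apply and stop early with a clear message rather than surfacing InvalidClientTokenId from inside the provider.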
Solution 4: Check IAM Key Status
```bash
# List access keys for your user. This call itself needs working credentials
# for an identity allowed iam:ListAccessKeys, so run it from an admin profile
# (or use the console) when the terraform user's own key is the broken one.
aws iam list-access-keys --user-name terraform
# Check if the key is Active
aws iam list-access-keys --user-name terraform \
  --query 'AccessKeyMetadata[].{KeyId:AccessKeyId,Status:Status}'
```
If the status is Inactive, find out why before reactivating: a key deactivated as part of rotation should stay inactive and be replaced by a new one (aws iam create-access-key --user-name terraform). If the deactivation was a mistake, reactivate it:
```bash
aws iam update-access-key --user-name terraform \
  --access-key-id AKIAEXAMPLE --status Active
```
If the key was deleted it cannot be recovered; create a new key, or better, move Terraform onto a role reached through SSO or an instance profile so there is no long-lived key to lose.
Solution 5: Regional STS Endpoint
Opt-in regions do not accept session tokens issued by the global STS endpoint, so the provider must call a regional STS endpoint there; otherwise credentials that work in every other region fail with this error. Pin STS to a region in the provider (the sts_region argument requires AWS provider v5.0 or later):
```hcl
provider "aws" {
  region     = "ap-southeast-1"
  sts_region = "ap-southeast-1" # Use regional STS endpoint
}
```
For the aws CLI and other SDK-based tooling the equivalent is AWS_STS_REGIONAL_ENDPOINTS=regional in the environment or sts_regional_endpoints = regional in the profile.
Solution 6: Debug Logging
```bash
export TF_LOG=DEBUG
terraform plan 2>&1 | grep -iE "credential|token|auth|sts"
```
The debug log shows which credential provider the SDK tried and why it moved on to the next one. Treat the output as sensitive: it contains request headers and account identifiers, so redact it before attaching it to a ticket, and unset TF_LOG when you are done.
Credential Setup Checklist
| Check | Command |
|---|---|
| Identity works | aws sts get-caller-identity |
| Correct profile | aws configure list |
| Key is active | aws iam list-access-keys |
| No stale env vars | echo $AWS_ACCESS_KEY_ID |
| Region matches | aws configure get region |
Hands-On Courses
- Terraform for Beginners on CopyPasteLearn
- Terraform By Example — practical code examples
Conclusion
InvalidClientTokenId means the AWS credentials Terraform resolved are wrong, expired, or inactive. Test with aws sts get-caller-identity first. Check environment variables, the AWS profile, and key status, remembering that an exported AWS_ACCESS_KEY_ID overrides every profile. For SSO users, run aws sso login. For assume-role and MFA, re-run the STS call and export the new AccessKeyId, SecretAccessKey and SessionToken together.