
I am using an AWSPowerShell script to get reports from my instances. I have old working instances in the Tokyo region ap-northeast-1; new instances were deployed in the Milano region eu-south-1.

To get authorized and run commands from my local PC I am using assume roles for my account + access keys.

The problem is that when I run the PowerShell script for the Milano region, I get this error:

PS > Set-AWSCredential -ProfileName test
PS > Set-DefaultAWSRegion -Region eu-south-1
PS > Get-STSCallerIdentity
Get-STSCallerIdentity : The security token included in the request is invalid
At line:1 char:1
+ Get-STSCallerIdentity
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...rIdentityCmdlet:GetSTSCallerIdentityCmdlet) [Get-ST
   SCallerIdentity], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.SecurityToken.AmazonSecurityTokenServiceException,Amazon.PowerShell.Cmdlets.STS.G
   etSTSCallerIdentityCmdlet

When I run the same for Tokyo it is working fine:

PS > Set-AWSCredential -ProfileName test
PS > Set-DefaultAWSRegion -Region ap-northeast-1
PS > Get-STSCallerIdentity
 Account      Arn                                                                                                   User
                                                                                                                   Id
-------      ---                                                                                                   ----
123 arn:aws:sts::...

When I executed a similar command via the AWS CLI for the Milano region, it is working also:

> aws sts get-caller-identity --profile test
{
    "UserId": "XYZ",
    "Account": "123",
    "Arn": "arn:aws:sts::123:assumed-role/.../botocore-session-.."
}

So I am expecting that the root cause is the Milano region and the PowerShell configuration. Before, I had a similar issue with a Python Boto3 script running in the Milano region; I fixed this by adding the endpoint region in my Python script based on the recommendation below:

https://repost.aws/knowledge-center/iam-validate-access-credentials

Short description: The AWS Security Token Service (AWS STS) supports an updated version of session tokens, version 2. New AWS Regions (for example, Bahrain) are not enabled by default and only accept the updated version of session tokens. This error can occur if version 1 session tokens are used to make a request to service endpoints in an AWS Region that is not enabled by default. For more information, see Managing AWS STS in an AWS Region.

# Request the token from the regional STS endpoint so a version 2 session token is issued
stsclient = session.client('sts', region_name='ap-northeast-1', endpoint_url='https://sts.ap-northeast-1.amazonaws.com')


You can try to set this PowerShell environment variable first:

$env:AWS_STS_REGIONAL_ENDPOINTS = 'regional'

and then, with a version 2 token, the .ps1 script should work.
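As an added example (not code from the question or the answer), the following PowerShell script applies the suggestion above and then checks the assumed-role credentials against STS in each Region you operate in, so you can see at a glance which Regions accept the token. It assumes the AWS.Tools.Common and AWS.Tools.SecurityToken modules are installed, a profile named 'test' that assumes a role, and that the profile's AssumeRole call is resolved at the first service call, which is why the environment variable and Region are set before the credentials.

```powershell
# Added example, not part of the original question or answer.
# Verifies assumed-role credentials from a named profile against the STS
# endpoint of each Region in $Regions, using regional STS endpoints so that
# version 2 session tokens are issued (required by Regions that are not
# enabled by default, such as eu-south-1).
param(
    [string]$ProfileName = 'test',                               # assumed: profile name
    [string[]]$Regions = @('ap-northeast-1', 'eu-south-1')       # assumed: Regions to check
)

Import-Module AWS.Tools.Common
Import-Module AWS.Tools.SecurityToken

# Route STS calls (including the AssumeRole behind the profile) to the
# regional endpoint instead of the global https://sts.amazonaws.com endpoint,
# which only returns version 1 session tokens.
$env:AWS_STS_REGIONAL_ENDPOINTS = 'regional'

foreach ($region in $Regions) {
    # Region must be set before the credentials are first used so that the
    # regional STS endpoint for this Region is selected.
    Set-DefaultAWSRegion -Region $region
    Set-AWSCredential -ProfileName $ProfileName

    try {
        $id = Get-STSCallerIdentity -Region $region
        [pscustomobject]@{
            Region  = $region
            Status  = 'OK'
            Account = $id.Account
            Arn     = $id.Arn
        }
    }
    catch {
        # A failing Region surfaces here, e.g. "The security token included
        # in the request is invalid" when a version 1 token was used.
        [pscustomobject]@{
            Region  = $region
            Status  = 'FAILED'
            Account = $null
            Arn     = $_.Exception.Message
        }
    }
}
```

Run it from the same session you use for your reports; every Region should report Status OK. If eu-south-1 still reports FAILED after the environment variable is set, confirm the Region is actually enabled for the account in the account settings, since an opt-in Region that is not enabled rejects every token regardless of version.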
