I am using an AWSPowerShell script to get reports from my instances. I have old working instances in the Tokyo region ap-northeast-1; new instances were deployed in the Milan region eu-south-1.
To get authorized and run commands from my local PC I am using assume roles for my account + access keys.
The problem is that when I run the PowerShell script for the Milan region, I get this error:
PS > Set-AWSCredential -ProfileName test
PS > Set-DefaultAWSRegion -Region eu-south-1
PS > Get-STSCallerIdentity
Get-STSCallerIdentity : The security token included in the request is invalid
At line:1 char:1
+ Get-STSCallerIdentity
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...rIdentityCmdlet:GetSTSCallerIdentityCmdlet) [Get-STSCallerIdentity], InvalidOperationException
+ FullyQualifiedErrorId : Amazon.SecurityToken.AmazonSecurityTokenServiceException,Amazon.PowerShell.Cmdlets.STS.GetSTSCallerIdentityCmdlet
When I run the same for Tokyo it works fine:
PS > Set-AWSCredential -ProfileName test
PS > Set-DefaultAWSRegion -Region ap-northeast-1
PS > Get-STSCallerIdentity
Account Arn              UserId
------- ---              ------
123     arn:aws:sts::...
When I execute a similar command via the AWS CLI for the Milan region, it also works:
> aws sts get-caller-identity --profile test
{
"UserId": "XYZ",
"Account": "123",
"Arn": "arn:aws:sts::123:assumed-role/.../botocore-session-.."
}
So I am expecting that the root cause is the Milan region and the PowerShell configuration. Before this I had a similar issue with a Python Boto3 script running in the Milan region; I fixed it by adding the endpoint region in my Python script, based on the recommendation below:
https://repost.aws/knowledge-center/iam-validate-access-credentials
Short description The AWS Security Token Service (AWS STS) supports an updated version of session tokens, version 2. New AWS Regions (for example, Bahrain) are not enabled by default and only accept the updated version of session tokens. This error can occur if version 1 session tokens are used to make a request to service endpoints in an AWS Region that are not enabled by default. For more information, see Managing AWS STS in an AWS Region.
import boto3

# Session built from the same 'test' profile; the STS client is pinned to the regional endpoint
session = boto3.Session(profile_name='test')
stsclient = session.client('sts', region_name='ap-northeast-1', endpoint_url='https://sts.ap-northeast-1.amazonaws.com')
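For comparison, here is the equivalent of that Boto3 fix for the AWS Tools for PowerShell session shown above. This is an added example, not code from the original post: it assumes that `test` is an assume-role profile in `~/.aws/config`, that the account has eu-south-1 enabled, and that the underlying AWS SDK for .NET honours the `sts_regional_endpoints` profile key / `AWS_STS_REGIONAL_ENDPOINTS` environment variable (the role ARN and source profile names are placeholders).

```powershell
# Added example (not from the original post). Goal: make the assume-role call for
# profile 'test' go to the regional STS endpoint (sts.eu-south-1.amazonaws.com), which
# issues version 2 session tokens, instead of the global endpoint (sts.amazonaws.com),
# whose default version 1 tokens are rejected by opt-in Regions such as eu-south-1.

# Option 1: per-session, via environment variable. Set it BEFORE the profile is loaded.
$env:AWS_STS_REGIONAL_ENDPOINTS = 'regional'

# Option 2: persistent, via the shared config file (~/.aws/config). Placeholders shown:
#   [profile test]
#   role_arn               = arn:aws:iam::123:role/<ROLE-NAME-PLACEHOLDER>
#   source_profile         = <SOURCE-PROFILE-PLACEHOLDER>
#   region                 = eu-south-1
#   sts_regional_endpoints = regional

# Set the region first so the SDK knows which regional STS endpoint to use,
# then load the assume-role profile and verify the identity.
Set-DefaultAWSRegion -Region eu-south-1
Set-AWSCredential -ProfileName test
Get-STSCallerIdentity

# Option 3: account-wide, make the global STS endpoint issue version 2 tokens too
# (requires IAM permission to change the account's STS preferences; uses the same
# AWS CLI profile that already works in the post).
#   aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token --profile test
#   aws iam get-account-summary --profile test   # GlobalEndpointTokenVersion should now read 2
```

Option 1 or 2 is the least invasive, since it only changes where this client's AssumeRole request is sent; option 3 changes behaviour for every caller of the global endpoint in the account, so it belongs in an account-baseline change rather than a local script.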