
error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-east-1' #14873

ghost opened this issue Aug 27, 2020 · 69 comments
Labels
provider Pertains to the provider itself, rather than any interaction with AWS. service/sts Issues and PRs that pertain to the sts service.

Comments

@ghost commented Aug 27, 2020

This issue was originally opened by @barath1406 as hashicorp/terraform#26001. It was migrated here as a result of the provider split. The original body of the issue is below.


Wrote a simple Terraform script for EC2 instance creation via assume role from the provider file. Below is the provider config content:

Provider File:

```hcl
provider "aws" {
  region     = "eu-west-1"
  access_key = "Access key value"
  secret_key = "secret key value"
  endpoints {
    sts = "https://sts.eu-west-1.amazonaws.com"
  }
  assume_role {
    role_arn     = "role_name value"
    session_name = "role_session_name"
  }
}
```

Version Details:
terraform-0.12.29
terraform-provider-aws_v2.70.0_x4
terraform-provider-aws_v3.0.0_x5
terraform-provider-consul_v2.8.0_x4
terraform-provider-external_v1.2.0_x4
terraform-provider-null_v2.1.2_x4
terraform-provider-template_v2.1.2_x4

The provided access and secret keys have the privilege for STS AssumeRole. During terraform plan we get the error below; it mentions the "us-east-1" region and fails, but nowhere in the configuration do we point to "us-east-1". Could you please help me out here?

Error logs:

```text
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-east-1'.
status code: 403, request id: xxxxxxxxxxxxx-xxxxxxxxxxxxxx-xxxxxxxxxxxxxx

on provider.tf line 1, in provider "aws":
1: provider "aws" {
```

NOTE: We have manually generated keys from the assumed role and exported them as environment variables; AWS CLI commands work fine, but we still face the issue with terraform plan.

@ewbankkit (Contributor)

@barath1406 Thanks for raising this issue.
Can you try setting the AWS_STS_REGIONAL_ENDPOINTS environment variable to the value regional?
https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-sts_regional_endpoints.html

@ewbankkit ewbankkit added the provider Pertains to the provider itself, rather than any interaction with AWS. label Aug 27, 2020
@PavelPolyakov commented Sep 28, 2020

I have the same issue, setting AWS_STS_REGIONAL_ENDPOINTS didn't help, here are the logs:

```text
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts.eu-central-1.amazonaws.com
User-Agent: aws-sdk-go/1.31.9 (go1.14.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.13.3
Content-Length: 43
Authorization: AWS4-HMAC-SHA256 Credential=xxx/20200928/eu-central-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=xxx
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20200928T130509Z
X-Amz-Security-Token: FwoGZXIvYXdzEMv//////////xxx==
Accept-Encoding: gzip

Action=GetCallerIdentity&Version=2011-06-15
-----------------------------------------------------
2020/09/28 15:05:10 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 297
Content-Type: text/xml
Date: Mon, 28 Sep 2020 13:05:09 GMT
X-Amzn-Requestid: 2b70498f-3ffc-41b0-b048-1e5d41f34014
```

upd. 1
In my case it was because I placed access_key and secret_key wrongly. When I run:

```shell
AWS_ACCESS_KEY_ID=xxx AWS_SECRET_ACCESS_KEY=xxx terraform init
```

it worked out fine.

upd. 2
Most likely it was because of the stale .terraform directory. Anyone who meets this issue, try first to rm -rf .terraform and then terraform init.

@ewbankkit ewbankkit added service/sts Issues and PRs that pertain to the sts service. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 6, 2020
@ewbankkit (Contributor)

See here for discussion on solutions.

@xRegner commented Feb 19, 2021

aws configure worked for me. Once you type it, you are prompted for:

```text
terra@xtian 👺 > aws configure
AWS Access Key ID [****************2TYQ]:
AWS Secret Access Key [****************/n+q]:
Default region name [us-east-1]:
Default output format [json]:
```

Then run terraform plan again and it should work.

@RajendraVenkata

I am also getting the same issue

Rajendra

@ryanisnan

@RajendraVenkata This issue is because your system date/time is wrong.

@sunrooff

> @RajendraVenkata This issue is because your system date/time is wrong.

It helped me, thanks.
I changed the time setting to set the time automatically.

@iamgini commented May 2, 2021

> @RajendraVenkata This issue is because your system date/time is wrong.

Saved my day. Didn't notice that! :D

@engr-usman

To resolve this issue, you just need to delete .terraform and .terraform.lock.hcl and then run terraform init with the backend config:

```shell
rm -rf .terraform
rm -rf .terraform.lock.hcl
terraform init -backend-config="access_key=xxxxxxxxxxxxxxxxxxxx" -backend-config="secret_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
```

@arjungoel

The right set of commands should be:

```shell
rm -r .terraform
rm -r .terraform.lock.hcl
```

and then run this command to configure the backend:

```shell
terraform init -backend-config=access_key="xxxxxxxxxxxx" -backend-config=secret_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
```

After that you can run terraform plan to preview whether the configuration is right, and if it works correctly, run terraform apply.

@fransf-wtax (Contributor)

In my case, after rotating my AWS key, I had updated the [default] profile in ~/.aws/credentials, but not the profile I was using in my Terraform script, referred to by the profile parameter in the provider "aws" section. Once I did that, everything worked fine.

The solutions suggested by @engr-usman and @arjungoel didn't work for me.

@arjungoel

Hey @fransf-wtax, did you configure the credentials again using aws configure before trying that out? The solution I provided above worked for me on the first go.

@fransf-wtax (Contributor) commented Nov 15, 2021

@arjungoel All aws configure does is update ~/.aws/credentials. So I think the terraform init step is redundant, at least it was for me, since Terraform takes the credentials from ~/.aws/credentials anyway.

@engr-usman

@fransf-wtax if you are using aws-vault or any other utility to log in on the AWS CLI, then first you should log out and log in again, then perform all of the above steps.

@ph1sch commented Dec 4, 2021

In my test environment I was using the root user's access key and secret access key, which did not work. After creating a dedicated user the error did not occur anymore.

In detail I did the following steps:

- Created a user called terraform here
- Created a new group Administrators with the attached permission AdministratorAccess by following the wizard
- Copied the access key and secret access key to ~/.aws/credentials:

  ```ini
  [default]
  aws_access_key_id=xxx
  aws_secret_access_key=xxx
  ```

- Created ~/.aws/config:

  ```ini
  [default]
  region=us-west-2
  output=json
  ```

- Deleted .terraform.d in my home folder as well as .terraform and .terraform.lock.hcl in my project folder
- Executed aws configure and terraform init in my project folder

After that terraform plan and terraform apply worked for me. Hope it helps someone.

@boris-yakimov

> @RajendraVenkata This issue is because your system date/time is wrong.

It was the same issue for me as well. Since it was a remote VM I didn't even pay attention to the timezone and was troubleshooting AWS credentials; although the time was off by only seconds, making it consistent fixed the problem.

@keomaborges commented Apr 27, 2022

I just faced this issue and the solution was simple. I'm using Terraform in Docker, and the AWS_DEFAULT_REGION env var was missing. So my init is like:

```shell
docker run \
  -v "${PWD}:/workspace" \
  -w /workspace \
  -e AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN \
  -e AWS_DEFAULT_REGION \
  hashicorp/terraform:1.1.7 init \
    -backend-config="region=ap-southeast-2" \
    -backend-config="bucket=mybuckett" \
    -backend-config="key=path/to/my.tfstate" \
    -backend-config="dynamodb_table=my_dynamo_table" \
    -backend-config="encrypt=true"
```

@Helen-Chukwukelu

I am currently facing this issue @ryanisnan and @ginigangadharan. Please, how did you change the time? I used sudo date and then typed the correct date and time, but I got the error "command not found". Kindly send the command to use. Thank you.

@iamgini commented May 1, 2022

@Helen-Chukwukelu I have adjusted the date/time and zone correctly

@Helen-Chukwukelu

@ginigangadharan I am finding it hard adjusting the time. Can you help with a command to do that? I am using aws CLI. Thank you

@iamgini commented May 1, 2022 via email

@Helen-Chukwukelu

@ginigangadharan I am using CentOS 7. Below is the error I get:

```text
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: b7bcd89f-8502-434a-964b-4ee16a2b78cb, api error SignatureDoesNotMatch: Signature not yet current: 20220504T114431Z is still later than 20220504T040106Z (20220504T034606Z + 15 min.)

│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 2, in provider "aws":
│ 2: provider "aws" {
```

@Helen-Chukwukelu commented May 4, 2022

I really need help as this issue has persisted for days. Thank you.

This is me coming back to edit: I resolved the issue by simply adjusting my PC time. The image below shows the setting.

[image: Time setting]

@engr-usman

Sometimes, if the session is disconnected or expired, we get the sts:GetCallerIdentity error. Secondly, check whether the IAM access key status is active or inactive.

Try the following method as well; it works for me:
To resolve this issue, you just need to delete .terraform and .terraform.lock.hcl and then run terraform init with the backend config:

```shell
rm -rf .terraform
rm -rf .terraform.lock.hcl
terraform init -backend-config="access_key=xxxxxxxxxxxxxxxxxxxx" -backend-config="secret_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
```

@Pennredl

> I really need help as this issue has persisted for days. Thank you.
>
> This is me coming back to edit: I resolved the issue by simply adjusting my PC time. The image below shows the setting.
>
> [image: Time setting]

@Pennredl

this saved my day

@ravindra61520

terraform plan

same with me

@gladysgodwin

None of the above worked for me. Somebody please help.

```text
│ Error: configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, net/http: invalid header field value for "Authorization"

│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 11, in provider "aws":
│ 11: provider "aws" {
```

@aadiupa commented Jan 11, 2023

I wasn't providing the region in the correct format; I was passing ap-south=1 (typo) instead of ap-south-1. Might help someone someday.

@felix-lessoer

For me it happened because the region I wanted to deploy in was not activated for my account. Had to do this first manually.

@joey1089 commented Jan 18, 2023

```text
Error: configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403
```

Similar error; I followed the advice here but nothing seemed to work for my error. This pertains to a Terraform Cloud AWS setup.

Solution: run

```shell
echo "export AWS_REGION=us-east-1" | tee -a ~/.bash_profile
export AWS_REGION=us-east-1
```

and run the command below to check if it is set:

```shell
aws sts get-caller-identity
```

For more, refer to this article: https://aws-quickstart.github.io/workshop-terraform-modules/40_setup_cloud9_ide/41_setup_creds_in_c9.html

@EjiroLaurelD

```text
│ Error: configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 4b810be6-6aa5-4c03-a96c-f76ac6595318, api error SignatureDoesNotMatch: Signature expired: 20230126T150724Z is now earlier than 20230126T151006Z (20230126T152506Z - 15 min.)
```

I am getting this error. I have tried everything written here but nothing works.
Please help.

@joey1089

Try running this command and see if AWS is set properly:

```shell
aws sts get-caller-identity
```

@EjiroLaurelD commented Jan 26, 2023

The command is returning this error:

```text
An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Signature expired: 20230126T155124Z is now earlier than 20230126T155404Z (20230126T160904Z - 15 min.)
```

Update: this command worked for me:

```shell
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
```
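The thread mixes two different rejections that both surface as sts:GetCallerIdentity failing: the original report, where the SigV4 credential scope region does not match the STS endpoint the request is sent to (the signed request in the debug log above shows where both live: the `Credential=.../20200928/eu-central-1/sts/aws4_request` scope and the `Host:` header), and the later reports, where the `Signature expired` / `Signature not yet current` text encodes exactly how far the local clock is from AWS. The helper below is an added example, not code from this thread or from the Terraform AWS provider; it parses those two error formats and the signed request with the standard library only, so it can be run on a pasted error string without any AWS access. It assumes the message formats quoted verbatim in this thread, the fact that the global endpoint sts.amazonaws.com is signed for scope us-east-1, and a hand-written region-name pattern; the sample request is the one posted above, with the key and signature already redacted there. Note that the `sudo date -s "$(wget ...)"` one-liner takes the time from an unauthenticated HTTP response; the helper only reports the skew, and the durable fix is NTP (chronyd, or `timedatectl set-ntp true`).

```python
"""Triage helpers for the sts:GetCallerIdentity errors quoted in this thread.
Standard library only; runs offline. Sample inputs are the error strings and
the signed request posted in the thread (key and signature redacted there)."""
import re
from datetime import datetime, timedelta, timezone

AMZ_DATE = "%Y%m%dT%H%M%SZ"
# SigV4: STS rejects a request whose X-Amz-Date is more than 15 minutes away
# from the server clock in either direction (the "+/- 15 min." in the error).
SKEW_LIMIT = timedelta(minutes=15)
# Assumed region-name shape: ap-south-1, eu-central-1, us-gov-west-1, us-iso-east-1.
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov|-iso[a-z]*)?-[a-z]+-\d+$")
CLOCK_RE = re.compile(
    r"Signature (?:expired|not yet current): (\d{8}T\d{6}Z) is "
    r"(?:now earlier|still later) than \d{8}T\d{6}Z "
    r"\((\d{8}T\d{6}Z) [-+] 15 min\.\)"
)
SCOPE_RE = re.compile(r"Credential=[^/]+/\d{8}/([^/]+)/([^/]+)/aws4_request")


def parse_amz_date(s: str) -> datetime:
    return datetime.strptime(s, AMZ_DATE).replace(tzinfo=timezone.utc)


def clock_skew_seconds(message: str):
    """Local clock minus AWS clock in seconds (positive: ahead, negative: behind); None if not a clock error."""
    m = CLOCK_RE.search(message)
    if not m:
        return None
    signed_at, server_now = parse_amz_date(m.group(1)), parse_amz_date(m.group(2))
    return int((signed_at - server_now).total_seconds())


def within_skew(client_now: datetime, server_now: datetime) -> bool:
    """True if a request signed at client_now passes the 15-minute window."""
    return abs(client_now - server_now) <= SKEW_LIMIT


def scope_region(authorization: str):
    """(region, service) from the SigV4 credential scope, or None."""
    m = SCOPE_RE.search(authorization)
    return (m.group(1), m.group(2)) if m else None


def host_region(host: str):
    """Region an STS endpoint host expects in the credential scope.
    The global endpoint sts.amazonaws.com is signed with scope us-east-1; a
    scope/host mismatch is the 'Credential should be scoped to a valid region' rejection."""
    if host == "sts.amazonaws.com":
        return "us-east-1"
    m = re.fullmatch(r"sts(?:-fips)?\.([a-z0-9-]+)\.amazonaws\.com(?:\.cn)?", host)
    return m.group(1) if m else None


def check_signing_scope(authorization: str, host: str) -> str:
    """Compare the scope region in the Authorization header with the Host header."""
    scope = scope_region(authorization)
    if scope is None:
        return "no SigV4 credential scope in Authorization header"
    region, service = scope
    if service != "sts":
        return f"scope service is {service!r}, expected 'sts'"
    expected = host_region(host)
    if expected is None:
        return f"unrecognised STS host {host!r}"
    if region != expected:
        return f"scope region {region!r} does not match endpoint region {expected!r}"
    return "ok"


def check_region_literal(region: str) -> str:
    """Catch the region typos from this thread before they turn into DNS lookups."""
    if region != region.strip():
        return "region has surrounding whitespace"
    if region.startswith(("var.", "local.")):
        return "region is a quoted Terraform expression; drop the quotes"
    if not REGION_RE.match(region):
        return f"{region!r} is not a region name (expected e.g. 'ap-south-1')"
    return "ok"


def diagnose(message: str) -> str:
    """One-line verdict for a provider credential-validation error string."""
    skew = clock_skew_seconds(message)
    if skew is not None:
        side = "ahead of" if skew > 0 else "behind"
        return f"clock: local clock is {abs(skew)} s {side} AWS; sync it with NTP"
    m = re.search(r"Credential should be scoped to a valid region, not '([^']+)'", message)
    if m:
        return f"scope: signed for region {m.group(1)!r} but sent to another region's endpoint"
    m = re.search(r"lookup (sts\.[^\s:]+): no such host", message)
    if m:
        return f"region: {m.group(1)!r} is not an STS host; the region value is not a real region"
    if "InvalidClientTokenId" in message:
        return "credentials: access key or session token not recognised (inactive, deleted, wrong account)"
    return "unrecognised error"


# Signed request from the debug log posted in this thread (already redacted there).
SAMPLE_HOST = "sts.eu-central-1.amazonaws.com"
SAMPLE_AUTH = ("AWS4-HMAC-SHA256 Credential=xxx/20200928/eu-central-1/sts/aws4_request, "
               "SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, "
               "Signature=xxx")
```

Paste the provider's error text into `diagnose()`; for the `Signature expired` report above it returns that the local clock is 1062 seconds behind AWS, which is outside the 900-second window and explains why every credential fix in the thread had no effect for that reporter. With `TF_LOG=DEBUG` output, `check_signing_scope()` on the `Authorization` and `Host` headers tells you whether the provider signed for one region and sent to another, which is the only case in which the original `Credential should be scoped to a valid region` message is correct about the credentials being wrong.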

@k123-v commented Jan 26, 2023

I am using Vault for my creds on my local machine, but I am facing the issue as well:

```hcl
provider "vault" {
  address = "http://localhost:8200"
}

resource "vault_aws_secret_backend" "aws_keys" {
  path = "awscloud"
}
```

Error:

```text
configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response
error StatusCode: 403, RequestID: 5d1aaf50-55d9-4f3e-bc88-e297500b43f8, api error InvalidClientTokenId: The security token included in the request is invalid.

│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 11, in provider "aws":
│ 11: provider "aws" {
```

Any pointers will be really helpful.

@EjiroLaurelD

> I am using Vault for my creds on my local machine, but I am facing the issue as well:
>
> ```hcl
> provider "vault" {
>   address = "http://localhost:8200"
> }
>
> resource "vault_aws_secret_backend" "aws_keys" {
>   path = "awscloud"
> }
> ```
>
> Error:
>
> ```text
> configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response
> error StatusCode: 403, RequestID: 5d1aaf50-55d9-4f3e-bc88-e297500b43f8, api error InvalidClientTokenId: The security token included in the request is invalid.
>
> │ with provider["registry.terraform.io/hashicorp/aws"],
> │ on main.tf line 11, in provider "aws":
> │ 11: provider "aws" {
> ```
>
> Any pointers will be really helpful.

Check your security credentials, access key and secret access key.

@Erastus420 commented Jan 27, 2023 via email

@k123-v commented Jan 27, 2023

Hi @EjiroLaurelD / @Erastus420, I have checked and changed the creds to new ones (access key and secret key; not sure about the security credentials you mentioned). FYI: I am working on my Windows machine.

@EjiroLaurelD

> Hi @EjiroLaurelD / @Erastus420, I have checked and changed the creds to new ones (access key and secret key; not sure about the security credentials you mentioned). FYI: I am working on my Windows machine.

The error is complaining about your security token; create a new Vault token and try again.

@egyakofi commented Jan 27, 2023 via email

@EjiroLaurelD

> > Hi @EjiroLaurelD / @Erastus420, I have checked and changed the creds to new ones (access key and secret key; not sure about the security credentials you mentioned). FYI: I am working on my Windows machine.
>
> The error is complaining about your security token; create a new Vault token and try again.

If that doesn't work, confirm whether you have environment variables set; they take precedence over what you have in Vault.

@EjiroLaurelD

> > > Hi @EjiroLaurelD / @Erastus420, I have checked and changed the creds to new ones (access key and secret key; not sure about the security credentials you mentioned). FYI: I am working on my Windows machine.
> >
> > The error is complaining about your security token; create a new Vault token and try again.
>
> If that doesn't work, confirm whether you have environment variables set; they take precedence over what you have in Vault.
>
> egyakofi

@gladysgodwin commented Jan 27, 2023 via email

@vineethsankre

Hey, I got a similar error, please help. I used the configuration from the Terraform repository:

```text
Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error
STS: GetCallerIdentity, exceeded maximum number of attempts, 9, https response error StatusCode: 0, RequestID: , request send failed, Post "https://sts.var.aws_region.amazonaws.com/": dial tcp: lookup sts.var.aws_region.amazonaws.com: no such host

│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 1, in provider "aws":
│ 1: provider "aws" {
```

@k123-v commented Feb 8, 2023 via email

@stevocoded

Try the command below and run terraform plan after that:

```shell
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
```

@egyakofi commented Feb 8, 2023 via email

@stevocoded

> I ran the above code and still got an error message.
>
> -- Kofi Ken

Follow the instructions in the comment below and run the command again before you run terraform plan:

#14873 (comment)

@k123-v commented Feb 8, 2023 via email

@mukeshn1 commented Feb 8, 2023

aws configure helped me with this issue.

@tlrakesh

If aws configure or setting the time zone doesn't fix this issue, then cross-check your code.
If you have any variable references in your code, make sure they are not in quotes. Below is the example: removing the double quotes from the provider region variable reference fixed the issue for me.

```hcl
# Configure the AWS Provider
provider "aws" {
  region = "var.aws_region"  # wrong: inside quotes this is the literal string "var.aws_region", not a reference
}
```

@nicolasps

I have found my error; it appears that I cannot spell. I had a spelling mistake in my tfvars file on the region/location.

You saved my day @TomHowarth.

@Eric-Kay

This command worked for me:

```shell
sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
```

@divyanshhh09

thanks man
