UnrecognizedClientException error when authenticating on aws-cli

When I pull a clean Alpine Linux Docker image, install aws-cli on it and try to authenticate myself with aws ecr get-authorization-token --region eu-central-1 I keep getting the following error:

An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

I've already checked the timezone, which seems to be okay, and the command works properly on my local machine.

These are the commands I run to set up aws-cli:

apk add --update python python-dev py-pip
pip install awscli --upgrade
export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Is there something obvious I'm missing?



Solution 1:[1]

You don't have permission to access those resources until you get permission to aws-cli; for that you can use the steps below.

Log into your AWS account, click on your account name, select my security credentials, click on access keys and download the credentials

Open your PowerShell as administrator and follow the commands.

$ aws configure
AWS Access Key ID [****************E5TA]: xxxxxxxxxx
AWS Secret Access Key [****************7gNT]: xxxxxxxxxxxxxx

Solution 2:[2]

In my case, my ~/.aws/credentials file had an old aws_session_token that was not updated by the aws configure CLI command. Once I opened the file with vi ~/.aws/credentials and deleted the aws_session_token entry, I no longer encountered the UnrecognizedClientException. I'm guessing that the AWS CLI first gives priority to the aws_session_token over the aws access key id and aws secret access key when running AWS CLI commands, if aws_session_token is present in the ~/.aws/credentials file.

Solution 3:[3]

My issue was caused by the fact that I had inactivated my access key in the AWS IAM Management Console earlier as part of an exercise I was doing. Once I reactivated it, the problem was resolved.

(Make sure you're in the right AWS region, too.)

Solution 4:[4]

Create a new account with AmazonEC2ContainerRegistryFullAccess permission. Add this account to the .credentials file like this:

[ecr-user]
aws_access_key_id = XXX
aws_secret_access_key = XXX

Then use the following command:

aws ecr get-login-password --profile ecr-user

Solution 5:[5]

After a couple of hours, this is my conclusion:

If you want to use AWS_PROFILE, make sure that the rest of the AWS env vars are unset (NOT empty only ... MUST be UNSET).

# Save the profile name, drop every AWS_* variable, then restore only AWS_PROFILE.
profile=$AWS_PROFILE
unset $(printenv | grep '^AWS_' | cut -f1 -d"=")
export AWS_PROFILE=${profile}

Then:

  # with aws cli >= 1.x
  $(aws ecr get-login --no-include-email --region ${aws_region})

  # with aws cli >= 2.x
  registry=${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com
  aws ecr get-login-password --region ${aws_region} | docker login --username AWS --password-stdin ${registry}

Solution 6:[6]

Resolved the issue after following the steps below:

  1. Go to AWS IAM Management Console
  2. Generate credential in section "Access keys (access key ID and secret access key)"
  3. Run the command aws configure and set the same downloaded credentials in Cdrive-User-directory.aws\credentials

Solution 7:[7]

It wasn't working for me. Out of sheer desperation, I copied the lines starting with export and pasted them in the terminal and pressed enter.

Thereafter I wrote aws configure and filled in the details from https://MYCOMPANY.awsapps.com/start#/ >> Account >> Clicked "Command line or programmatic access".

Default region name: eu-north-1
Default output format: text

And then the login succeeded. Don't ask me why.

Solution 8:[8]

I had the same error message; however, I was using session-based AWS access. The solution is to add all the keys given by AWS, including the session token.

aws_access_key_id="your-key-id"
aws_secret_access_key="your-secret-access-key"
aws_session_token="your-session-token"

Add them to ~/.aws/credentials for the profile you are using.

Solution 9:[9]

Open the file ~/.aws/credentials (or c:\Users\{user}\.aws\credentials on Windows).

It might look something like the following:

[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
aws_session_token = XXXXX

Update the aws_access_key_id and aws_secret_access_key with new values and remove the aws_session_token. You can also update aws_access_key_id and aws_secret_access_key via the aws configure command, but this doesn't remove the session token.
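Added example (not part of any answer above, and not AWS's own tooling): a small POSIX shell check for the two conditions the answers report, a leftover aws_session_token in a credentials file profile (Solutions 2 and 9) and credential variables still set in the environment (Solution 5). The function names and the sample file are constructed for illustration; only variable and profile names are printed, never their values.

```sh
#!/bin/sh
# Added diagnostic sketch: function names and the sample file are constructed.

# Print each profile in a credentials file that carries an aws_session_token.
# Solutions 2 and 9 trace the error to a leftover token in this file.
profiles_with_session_token() {
    awk '
        /^[ \t]*\[.*\][ \t]*$/ {                  # section header, e.g. [default]
            gsub(/^[ \t]*\[|\][ \t]*$/, "")
            profile = $0
            next
        }
        /^[ \t]*aws_session_token[ \t]*=/ { print profile }
    ' "$1"
}

# Print credential variables that are set in the environment, including
# set-but-empty ones, which Solution 5 says must be unset to use AWS_PROFILE.
credential_env_vars_set() {
    for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        # ${VAR+x} expands to "x" whenever VAR is set, even to the empty string
        if eval "[ -n \"\${$v+x}\" ]"; then
            echo "$v"
        fi
    done
}

# Constructed sample input (placeholder values, not real credentials).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
aws_session_token = XXXXX

[ecr-user]
aws_access_key_id = XXX
aws_secret_access_key = XXX
EOF

echo "Profiles with a session token: $(profiles_with_session_token "$sample")"
echo "Credential variables set in env: $(credential_env_vars_set | tr '\n' ' ')"
rm -f "$sample"
```

To check a real setup, pass ~/.aws/credentials to profiles_with_session_token instead of the sample file.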

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 kenlukas
Solution 2 jones-chris
Solution 3 phredd
Solution 4 Jeremy Caney
Solution 5 Abdennour TOUMI
Solution 6 Player1
Solution 7 Zeth
Solution 8 Tejas Garde
Solution 9 Ryan.Bartsch