An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid

I had the same problem. You may need to unset your AWS env variables before running the sts command:

unset AWS_SECRET_ACCESS_KEY
unset AWS_SECRET_KEY
unset AWS_SESSION_TOKEN

and then your command:

aws sts assume-role --role-arn <arn role i want to assume> --role-session-name dev --serial-number <my arn> --token-code <keyed in token code>

Here you'll get new credentials. Then run the exports again:

export AWS_ACCESS_KEY_ID=<access key>
export AWS_SECRET_ACCESS_KEY=<secret access key>
export AWS_SESSION_TOKEN=<session token>

I hope it helps!


You need to do an aws configure and set the AWS access key and secret key on the environment where you are running the STS command if its the first time you are running. The STS command verifies the identity using that data and checks if you have permissions to perform STS assume-role.

If you already have an existing access key and secret key configured, it could be possible that those have also been expired. So you might need to generate new keys for the user in IAM and configure it in the environment you are running.


Check your aws_access_key_id and aws_secret_access_key are correct in the ~/.aws/credentials file.

If they are then if the ~/.aws/credentials file contains a aws_session_token delete only that line in the file, save your changes and re-run your command.

Worked for me.


Old post, but might still be useful.

Can you try setting the following in the env and retry:

export AWS_ACCESS_KEY_ID='your access key id here';
export AWS_SECRET_KEY='your secret key here'