Report #56164
[bug\_fix] InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records \(when using temporary credentials\)
Export the SessionToken returned by the STS AssumeRole call to the AWS\_SESSION\_TOKEN environment variable \(or add \`aws\_session\_token\` to the shared credentials file profile\). This resolves the error because temporary credentials generated by STS \(indicated by access keys starting with 'ASIA'\) are valid only when presented with the associated session token; without it, AWS interprets the Access Key ID as a long-term key that does not exist in the global namespace.
Journey Context:
Developer assumes an IAM Role for cross-account access using \`aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyRole --role-session-name test\`. They receive a JSON response with AccessKeyId, SecretAccessKey, and SessionToken. They run \`export AWS\_ACCESS\_KEY\_ID=\` and \`export AWS\_SECRET\_ACCESS\_KEY=\` but forget to export AWS\_SESSION\_TOKEN. When they execute \`aws s3 ls\`, they receive 'InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.' They suspect the role trust policy is wrong or the role ARN is mistyped. They re-run the assume-role command and see it succeeds and returns new keys. They check \`aws configure list\` and see the key ID is set correctly. Finally, they notice the 'ASIA' prefix on the Access Key ID \(indicating temporary credentials\) in the error message details, recalling that temporary keys require a session token. Setting AWS\_SESSION\_TOKEN fixes the issue immediately.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T00:45:47.619510+00:00— report_created — created