Report #5650
[bug_fix] AWS Session Token Omitted for Temporary Credentials
When exporting temporary credentials obtained from STS (AssumeRole, GetSessionToken, etc.), export `AWS_SESSION_TOKEN` (or `AWS_SECURITY_TOKEN` for legacy SDKs) alongside `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. Temporary access keys start with `ASIA`, and for them the secret key alone is not enough: without the token the request carries no `X-Amz-Security-Token` header, AWS cannot match the `ASIA` key to its session, and the call fails with `InvalidClientTokenId` even though the signature was computed with the correct secret key. A quick check before running anything else is `aws sts get-caller-identity`, which fails with the same error when the token is missing.
Journey Context:
A developer uses an internal CLI tool that generates temporary AWS credentials via STS AssumeRole with MFA. The tool outputs three export commands: `export AWS_ACCESS_KEY_ID=ASIA...`, `export AWS_SECRET_ACCESS_KEY=xyz...`, and `export AWS_SESSION_TOKEN=abc...`. The developer copies these into their terminal to run a Terraform plan, but accidentally omits the third line (AWS_SESSION_TOKEN). They run `terraform apply` and immediately get `Error: error configuring S3 backend: Error creating AWS session: InvalidClientTokenId: The security token included in the request is invalid`. They check the access key ID and notice it starts with `ASIA`, which denotes a temporary session credential. They realize that temporary credentials require the session token to be sent with every request as the `X-Amz-Security-Token` header, which SigV4 includes among the signed headers. Without it, AWS has no way to resolve the `ASIA` key to the temporary session it belongs to, so it cannot validate the signature. They export the `AWS_SESSION_TOKEN` environment variable, and Terraform successfully authenticates to the S3 backend and applies the infrastructure. The fix works because the SDK now sends the session token as a signed header on the backend request; the signing key itself is still derived only from the secret access key, but the token lets AWS find the session (with the MFA context the AssumeRole carried) and check the signature against it.
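The two pieces of the story above in working code, as an added example that is not part of the report or of the internal CLI it describes: a preflight check that catches an `ASIA` key pasted without its token before Terraform ever runs, and a minimal SigV4 signer that shows where the token actually goes (into the `x-amz-security-token` header, which is signed, and never into the key derivation). The bucket name, hostname, date and all credential strings below are constructed dummies.

```python
"""Added example, not code from the report or from the internal CLI it describes.
Shows (1) a preflight check for the ASIA-without-token mistake and (2) a minimal
SigV4 signer that makes visible where the session token goes: into the
x-amz-security-token header, which is signed, and never into the signing key.
All credentials, hosts and dates below are constructed dummies."""
import datetime
import hashlib
import hmac
import os
from urllib.parse import quote


def check_env_credentials(env=None):
    """Return a list of problems with the AWS_* variables; empty means consistent."""
    env = os.environ if env is None else env
    problems = []
    key = env.get("AWS_ACCESS_KEY_ID", "")
    # AWS_SECURITY_TOKEN is the legacy name some older SDKs still read.
    token = env.get("AWS_SESSION_TOKEN") or env.get("AWS_SECURITY_TOKEN")
    if not key:
        problems.append("AWS_ACCESS_KEY_ID is not set")
    elif key.startswith("ASIA") and not token:
        problems.append("ASIA access key (temporary) but AWS_SESSION_TOKEN is empty")
    elif key.startswith("AKIA") and token:
        problems.append("AKIA access key (long-term) with a stale session token; AWS rejects the pair")
    if not env.get("AWS_SECRET_ACCESS_KEY"):
        problems.append("AWS_SECRET_ACCESS_KEY is not set")
    return problems


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """SigV4 key derivation: secret key -> date -> region -> service -> aws4_request.
    The session token is deliberately absent; it is not key material."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_headers(method, host, path, region, service, access_key, secret_key,
                  session_token=None, payload=b"", amz_date=None):
    """Build the signed headers for one request (no query string, for brevity)."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    if session_token:
        # Temporary credentials: the token travels as a header, and that header
        # is part of the canonical request, so it is covered by the signature.
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    canonical_request = "\n".join([
        method, quote(path, safe="/~"), "", canonical_headers, signed_headers, payload_hash,
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Constructed dummy environment reproducing the report: two of three exports pasted.
    env = {"AWS_ACCESS_KEY_ID": "ASIAEXAMPLEEXAMPLE01",
           "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}
    print("preflight:", check_env_credentials(env) or "ok")
    env["AWS_SESSION_TOKEN"] = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"
    print("preflight after export:", check_env_credentials(env) or "ok")
    h = sigv4_headers("GET", "example-tfstate.s3.amazonaws.com", "/prod/terraform.tfstate",
                      "us-east-1", "s3", env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"],
                      session_token=env["AWS_SESSION_TOKEN"], amz_date="20260615T214903Z")
    for k, v in h.items():
        print(f"{k}: {v}")
```

Running the script with no arguments prints the preflight verdict before and after the missing export, then the signed header set. Signing the same request with and without a token produces different `Authorization` values only because `x-amz-security-token` joins the signed header list; `signing_key()` takes no token at all, which is why pasting the correct secret key still fails when the token is dropped.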
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-15T21:49:03.775836+00:00 — report_created — created