Report #96293
[bug_fix] The security token included in the request is invalid when using AWS temporary credentials without the session token
Set the AWS_SESSION_TOKEN environment variable (or `aws_session_token` in the credentials file) to the session token provided alongside the temporary Access Key ID and Secret Key.
Root cause: Temporary credentials issued by AWS STS (via GetSessionToken, AssumeRole, or AWS SSO) consist of three components: Access Key ID, Secret Access Key, and Session Token. The AWS SDK requires all three to sign requests correctly. Without the session token, the signature is computed using only long-term credential logic, which fails validation at AWS because the access key ID belongs to a temporary session.
Journey Context:
A junior developer is given temporary AWS credentials from the company's SSO portal (which exports AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN). The developer exports only AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to their shell environment, not noticing the third variable. They run `aws s3 ls` and receive 'The security token included in the request is invalid'. The developer checks the keys for typos - they appear correct. They suspect the credentials were revoked and ask for new ones. They receive new credentials (which also include a session token), export only the key and secret again, and encounter the exact same error. Finally, a senior developer asks if they included the AWS_SESSION_TOKEN. The junior developer realizes their mistake: these are temporary credentials from STS, and the session token is a required third component of the credential set. They export AWS_SESSION_TOKEN and the command succeeds immediately because the SDK can now compute the correct request signature using the session token.
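A shell preflight check for the situation above, added here as an example (not part of the report or of any AWS tool). It assumes the AWS-documented key ID prefixes (temporary STS keys start with `ASIA`, long-term IAM user keys with `AKIA`) and the standard SDK variable names; the function name and the `ASIA...EXAMPLE` sample values are constructed.

```shell
#!/bin/sh
# Preflight check for an exported AWS credential set (constructed example).
# Assumption: STS-issued access key IDs begin with "ASIA" and long-term IAM
# user keys with "AKIA", as documented by AWS. A temporary key without its
# session token is exactly the misconfiguration behind the error
# 'The security token included in the request is invalid'.
#
# Usage: check_aws_creds ACCESS_KEY_ID SESSION_TOKEN
# Returns 0 when the set is complete, 1 when it is inconsistent, 2 when empty.
check_aws_creds() {
  key_id="$1"
  session_token="$2"
  case "$key_id" in
    "")
      echo "no AWS_ACCESS_KEY_ID set"
      return 2 ;;
    ASIA*)
      if [ -z "$session_token" ]; then
        echo "temporary (STS) key $key_id but AWS_SESSION_TOKEN is empty:"
        echo "export the session token that came with this key pair"
        return 1
      fi
      echo "temporary (STS) key with session token: complete"
      return 0 ;;
    AKIA*)
      if [ -n "$session_token" ]; then
        # A stale token left over from an earlier STS session breaks
        # signing for a long-term key as well; unset it.
        echo "long-term key $key_id with a leftover AWS_SESSION_TOKEN: unset it"
        return 1
      fi
      echo "long-term key: complete"
      return 0 ;;
    *)
      echo "unrecognised key ID prefix, cannot classify"
      return 0 ;;
  esac
}

# Check whatever the current shell has exported (the junior developer's case).
check_aws_creds "${AWS_ACCESS_KEY_ID:-}" "${AWS_SESSION_TOKEN:-}"
```

Run it before `aws s3 ls`; a non-zero exit status points at the missing or stale session token instead of leaving the generic STS error to be diagnosed by trial and error.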
Lifecycle
2026-06-22T20:12:43.076931+00:00 — report_created — created