InvalidAccessKeyId when using instance profile for S3 upload #635
Comments
Today, I experienced this exact behavior during repeated sequential S3 downloads using instance roles. I'm wondering if this behavior is related to the IAM instance role functionality of autorotating the keys. SDK and tool implementations have to be able to handle the transient authentication failure and retry with the new credentials pulled down from instance metadata when the rotation occurs. It is possible that our failures were a result of unlucky timing related to the automatic key rotation.
Working on this as part of boto/botocore#251...
This should be fixed in the next release of the CLI (& botocore).
I'm having the exact same problem... But this was fixed right? I have an instance with the newest AMI possible and fully updated. The aws s3 sync starts fine and after some time I get this message "The AWS Access Key Id you provided does not exist in our records."
Can you guys reopen this one?
I was having this exact issue earlier today. The issue for me was that the credentials I was using were for my AWS account, not my IAM user.
I've been using IAM role with no problem so far and today I'm getting this error when uploading to S3 from lambda:
@SooLee - Thank you for reporting this error. It would help if you could post the exact CLI command here so I can investigate. It would also help if you could post the sanitized output after using the --debug flag. It appears to be an issue with the credentials in use as the CLI is echoing an error returning from the service. Can you recheck your Access Key and Secret Key configuration? As mentioned in #1946, "quick way to figure out what credentials are being used is by running:
I am seeing this error when uploading a large number of files to S3 from an EC2 instance, using an instance role for authentication.
upload failed: ./image.part.130 to s3:///agent-ami/image.part.130
A client error (InvalidAccessKeyId) occurred when calling the CompleteMultipartUpload operation: The AWS Access Key Id you provided does not exist in our records.
I do this operation quite a lot and don't normally see this problem. I have seen it twice today.
I wonder if there is a race condition when the role's credentials are rotated.
I am using the latest version of awscli from PyPI.
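The handling called for in the first comment (refresh before expiry, and retry with freshly fetched credentials when the service rejects the key), applied to the rotation race suspected in the report above. This is an added example, not code from awscli or botocore; `RoleCredentials`, `call_with_refresh`, the five-minute margin and the fake metadata and S3 functions are assumptions made for illustration.

```python
import time

REFRESH_MARGIN = 300  # assumed: refresh when under 5 minutes of validity remain


class InvalidAccessKeyId(Exception):
    """Stand-in for the service error of the same name."""


class RoleCredentials:
    """Caches instance-role credentials; `fetch` stands in for the metadata lookup."""

    def __init__(self, fetch, clock=time.time):
        self._fetch, self._clock, self._creds = fetch, clock, None

    def get(self, force=False):
        c = self._creds
        if force or c is None or c["expires_at"] - self._clock() < REFRESH_MARGIN:
            self._creds = c = self._fetch()
        return c


def call_with_refresh(provider, operation, max_attempts=2):
    """Run operation(creds); on InvalidAccessKeyId re-fetch credentials and retry."""
    creds = provider.get()
    for attempt in range(1, max_attempts + 1):
        try:
            return operation(creds)
        except InvalidAccessKeyId:
            if attempt == max_attempts:
                raise  # rejected even with fresh keys: a real configuration problem
            creds = provider.get(force=True)


def demo():
    """Constructed scenario: the keys rotate after the client has cached them."""
    issued = []  # keys handed out by the fake metadata service (constructed values)

    def fake_metadata():
        issued.append("ASIAEXAMPLE%04d" % len(issued))
        return {"access_key": issued[-1], "expires_at": 10_000}

    def fake_s3(creds):  # simplification: only the newest issued key is accepted
        if creds["access_key"] != issued[-1]:
            raise InvalidAccessKeyId(creds["access_key"])
        return "uploaded with " + creds["access_key"]

    provider = RoleCredentials(fake_metadata, clock=lambda: 0)
    provider.get()   # client caches key 0000
    fake_metadata()  # rotation happens behind the client's back
    return call_with_refresh(provider, fake_s3), len(issued)
```

The retry is bounded, so a key that is still rejected after a forced refresh surfaces as an error instead of looping.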