InvalidClientTokenId

AWS IAMAuthentication ErrorHigh PriorityLast updated: June 29, 2026Tested on:AWS CLI v2Amazon S3June 2026

This error occurs when the AWS Access Key ID provided in the request is invalid, inactive, or unrecognized by AWS.

InvalidClientTokenId Quick Fix⏱️ Est. Fix Time: 2 minutes

Usually happens because:

  • Typo or truncation inside credentials access key string
  • Access Key state has been set to Inactive or deleted inside IAM console
  • Attempting to query different AWS partitions using incompatible keys

🔍 Quick Checklist:

What is InvalidClientTokenId?

An 'InvalidClientTokenId' error indicates an authentication failure. The AWS gateway cannot map the provided Access Key ID to any active IAM user or role account. This occurs when copy-pasting wrong strings, referencing deactivated credentials, using tokens belonging to a deleted IAM profile, or calling wrong partitions (e.g. AWS China or AWS GovCloud) with standard partition keys.

Common Causes

  • Typo in Access Key ID: The 'aws_access_key_id' parameter in the credentials file contains a spelling error or missing characters.
  • Deactivated IAM Access Key: The administrator has marked the Access Key status as 'Inactive' or deleted it inside the IAM Console.
  • Partition Mismatch: Using AWS Commercial partition keys to authenticate against AWS GovCloud (us-gov) or AWS China (cn-north-1) endpoints.
CauseFrequency
Typo or copy-paste truncation error in AWS_ACCESS_KEY_ID⭐⭐⭐⭐⭐
Inactive or deleted Access Key status in IAM console⭐⭐⭐⭐
Accessing wrong AWS partition (GovCloud / China) with standard keys⭐⭐⭐

Common Mistakes

  • Deactivating an access key in the IAM Console but forgetting to replace it inside client apps, triggering InvalidClientTokenId failures.
  • Accidentally pasting leading or trailing spaces within Access Key ID values.

How to Fix

1Double-check Access Key string: Inspect the '~/.aws/credentials' file and verify key lengths and characters.
2Validate key state in IAM Console: Ensure the key is active. Generate a new Access Key if the old one was deleted.
3Verify active environment variables: Clear hardcoded shell overrides that might mask config file values.

AWS Operations & Verification

Configure the standard AWS credentials file mapping active access keys.

Credentials File Config Example
[default]
# Ensure key characters are not truncated (standard access keys start with AKIA or ASIA)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Platform Specific Fixes

Verify environment variable overrides inside Linux shell contexts.

Linux Config
# 1. Inspect environment variables values
env | grep AWS

# 2. Check credentials file format
cat ~/.aws/credentials

Best Practices

  • Adopt IAM Roles for EC2/ECS workloads instead of static Access Keys to bypass credentials decay issues.
  • Set alerts for Access Keys rotations routines to manage credentials systematically.

Frequently Asked Questions (FAQ)

Q: What is an InvalidClientTokenId error?

This is an authentication error. It means the AWS Access Key ID you are using is either misspelled, inactive, deleted, or does not exist in the AWS account you are hitting.

Q: How does this differ from SignatureDoesNotMatch?

InvalidClientTokenId means AWS does not recognize the Access Key ID at all. SignatureDoesNotMatch means AWS recognizes the Access Key ID, but the Secret Access Key (or session token) used to sign the request is incorrect.

Q: Why do I get this error when using GovCloud?

AWS GovCloud is an isolated partition. Standard AWS commercial keys do not work in the GovCloud partition. You must use specific GovCloud IAM credentials and configure your client to point to GovCloud endpoints.

Q: How do I verify which credentials the CLI is currently using?

Run: 'aws configure list'. This prints a table showing where the CLI is loading the Access Key and Secret Key from (e.g., environment variables, config files, or IAM role metadata).

Still having this problem?

Didn't solve your problem?

SuggestRequest Error