hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-east-1' #14873

Open ghost opened 4 years ago

ghost commented 4 years ago

This issue was originally opened by @barath1406 as hashicorp/terraform#26001. It was migrated here as a result of the provider split. The original body of the issue is below.


I wrote a simple Terraform script for EC2 instance creation via an assumed role from the provider file. Below are the provider config contents:

Provider File:

```hcl
provider "aws" {
  region     = "eu-west-1"
  access_key = "Access key value"
  secret_key = "secret key value"

  endpoints {
    sts = "https://sts.eu-west-1.amazonaws.com"
  }

  assume_role {
    role_arn     = "role_name value"
    session_name = "role_session_name"
  }
}
```

Version Details:

- terraform-0.12.29
- terraform-provider-aws_v2.70.0_x4
- terraform-provider-aws_v3.0.0_x5
- terraform-provider-consul_v2.8.0_x4
- terraform-provider-external_v1.2.0_x4
- terraform-provider-null_v2.1.2_x4
- terraform-provider-template_v2.1.2_x4

The provided access and secret keys have the privilege for the STS assume role. During terraform plan we are getting the error below; it refers to the "us-east-1" region and fails. But nowhere in the configuration are we pointing to "us-east-1". Could you please help me out here?

Error logs: Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage.


Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-east-1'. status code: 403, request id: xxxxxxxxxxxxx-xxxxxxxxxxxxxx-xxxxxxxxxxxxxx

on provider.tf line 1, in provider "aws": 1: provider "aws" {

NOTE: We have manually generated keys from the assumed role and exported them to environment variables, and AWS CLI commands work fine, but we are still facing the issue with terraform plan.

ewbankkit commented 4 years ago

@barath1406 Thanks for raising this issue. Can you try setting the AWS_STS_REGIONAL_ENDPOINTS environment variable to the value regional? https://docs.aws.amazon.com/credref/latest/refdocs/setting-global-sts_regional_endpoints.html

PavelPolyakov commented 3 years ago

I have the same issue, setting AWS_STS_REGIONAL_ENDPOINTS didn't help, here are the logs:

---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts.eu-central-1.amazonaws.com
User-Agent: aws-sdk-go/1.31.9 (go1.14.9; darwin; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.13.3
Content-Length: 43
Authorization: AWS4-HMAC-SHA256 Credential=xxx/20200928/eu-central-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, Signature=xxx
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20200928T130509Z
X-Amz-Security-Token: FwoGZXIvYXdzEMv//////////xxx==
Accept-Encoding: gzip

Action=GetCallerIdentity&Version=2011-06-15
-----------------------------------------------------
2020/09/28 15:05:10 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 297
Content-Type: text/xml
Date: Mon, 28 Sep 2020 13:05:09 GMT
X-Amzn-Requestid: 2b70498f-3ffc-41b0-b048-1e5d41f34014

upd. 1 In my case it was because I had placed access_key and secret_key wrongly. When I ran:

AWS_ACCESS_KEY_ID=xxx AWS_SECRET_ACCESS_KEY=xxx terraform init

it worked out fine.

upd. 2 Most likely it was because of a stale .terraform directory. Anyone who meets this issue, try first to rm -rf .terraform and then terraform init.
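The request log above shows what STS actually verifies: the Credential field of the Authorization header carries a scope of the form DATE/REGION/sts/aws4_request, and both the date and the region are folded into the signing key. The following added example (not code from the provider or from anyone in this thread) rebuilds that SigV4 signing for the GetCallerIdentity request and adds a check that mirrors the "Credential should be scoped to a valid region" rejection. The access key and secret are AWS's documented placeholder values; the function and variable names are this example's own.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Added example (not the provider's code): reproduces how the AWS SDK signs the
# sts:GetCallerIdentity request shown in the log above, so that the region and
# date bound into the Authorization header are visible.

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "sts"
BODY = "Action=GetCallerIdentity&Version=2011-06-15"  # 43 bytes, as in the log


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str = SERVICE) -> bytes:
    """SigV4 key derivation: date, region and service are folded into the key,
    so a signature made for one region or day cannot verify for another."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sts_host(region: str, regional: bool = True) -> str:
    """Regional STS endpoint, or the global one that the SDK's legacy
    AWS_STS_REGIONAL_ENDPOINTS behaviour selects for many regions."""
    return f"sts.{region}.amazonaws.com" if regional else "sts.amazonaws.com"


def sign_get_caller_identity(access_key: str, secret_key: str, region: str,
                             amz_date: str, session_token: Optional[str] = None,
                             regional: bool = True) -> Dict[str, str]:
    """Build the headers the SDK would send. amz_date is the client's clock in
    the form 20200928T130509Z; STS rejects it when it is more than 15 minutes
    away from the server clock."""
    date_stamp = amz_date[:8]
    host = sts_host(region, regional)
    # The global endpoint only verifies credentials scoped to us-east-1, which
    # is where the 'us-east-1' in the original error can come from.
    scope_region = region if regional else "us-east-1"
    scope = f"{date_stamp}/{scope_region}/{SERVICE}/aws4_request"
    headers = {
        "content-length": str(len(BODY)),
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,
        "x-amz-date": amz_date,
    }
    if session_token:
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    signed_headers = ";".join(names)
    # method, URI, empty query string, headers block, signed header list, body hash
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, _sha256_hex(BODY)])
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canonical_request)])
    signature = hmac.new(signing_key(secret_key, date_stamp, scope_region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization, "scope": scope}


_SCOPE_RE = re.compile(r"Credential=[^/\s]+/(\d{8})/([a-z0-9-]+)/sts/aws4_request")


def scope_region_matches_host(authorization: str, host: str) -> bool:
    """The check behind 'Credential should be scoped to a valid region': the
    region inside Credential=.../DATE/REGION/sts/aws4_request has to be the
    region of the STS host (us-east-1 for the global endpoint)."""
    m = _SCOPE_RE.search(authorization)
    if not m:
        return False
    expected = "us-east-1" if host == "sts.amazonaws.com" else host.split(".")[1]
    return m.group(2) == expected


if __name__ == "__main__":
    # Constructed placeholder credentials (AWS's documented examples); nothing here talks to AWS.
    req = sign_get_caller_identity("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                   "eu-central-1", "20200928T130509Z")
    print(req["Authorization"])
    print("scope matches host:", scope_region_matches_host(req["Authorization"], req["Host"]))
```

Run with `regional=False` and the same eu-central-1 region to see the scope switch to us-east-1 while the host becomes sts.amazonaws.com; a provider whose endpoints block pins a regional STS host while the SDK still signs for the global scope (or the reverse) fails the `scope_region_matches_host` check, which is the mismatch the original error reports.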

ewbankkit commented 3 years ago

See here for discussion on solutions.

xRegner commented 3 years ago

aws configure worked for me. Once you type it, you will be prompted for:

terra@xtian 👺 > aws configure
AWS Access Key ID [****************2TYQ]:
AWS Secret Access Key [****************/n+q]:
Default region name [us-east-1]:
Default output format [json]:

Then run terraform plan again and it should work.

RajendraVenkata commented 3 years ago

I am also getting the same issue


Rajendra

ryanisnan commented 3 years ago

@RajendraVenkata This issue is because your system date/time is wrong.

sunrooff commented 3 years ago

@RajendraVenkata This issue is because your system date/time is wrong.

It helped me, thanks. I changed the time setting to set the time automatically.

iamgini commented 3 years ago

@RajendraVenkata This issue is because your system date/time is wrong.

saved my day.. didn't notice that !!! :D

engr-usman commented 3 years ago

To resolve this issue, you just need to delete "rm -rf .terraform" and "rm -rf .terraform.lock.hcl" and then run this command "terraform init -backend-config="access_key=xxxxxxxxxxxxxxxxxxxx" -backend-config="secret_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx""

arjungoel commented 3 years ago

The right set of commands should be:

rm -r .terraform
rm -r .terraform.lock.hcl

and then run this command to configure the backend:

terraform init -backend-config=access_key="xxxxxxxxxxxx" -backend-config=secret_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

After that you can run terraform plan to preview whether the configuration made is right or not and if it works correctly then run terraform apply

fransf-wtax commented 2 years ago

In my case, after rotating my AWS key, I had updated the [default] profile in ~/.aws/credentials, but not the profile I was using in my Terraform script, referred to by the profile parameter in the provider "aws" section. Once I did that, everything worked fine.

The solutions suggested by @engr-usman and @arjungoel didn't work for me.

arjungoel commented 2 years ago

Hey @fransf-wtax, did you configure the credentials again using aws configure before trying that out? The solution I provided above worked for me on the first go.

fransf-wtax commented 2 years ago

@arjungoel All aws configure does is update ~/.aws/credentials. So I think the terraform init step is redundant, at least it was for me, since Terraform takes the credentials from ~/.aws/credentials anyway.

engr-usman commented 2 years ago

@fransf-wtax if you are using aws-vault or any other utility to log in to the AWS CLI, then first you should log out and log in again, then perform all of the above steps.

ph1sch commented 2 years ago

In my test environment I was using the root user's access key and secret access key, which did not work. After creating a dedicated user the error did not occur anymore.

In detail I did the following steps:

After that terraform plan and terraform apply worked for me. Hope it helps someone.

burizz commented 2 years ago

@RajendraVenkata This issue is because your system date/time is wrong.

It was the same issue for me as well. Since it was a remote VM I didn't even pay attention to the timezone and was troubleshooting AWS credentials; although the time was off by only seconds, making it consistent fixed the problem.

keomaborges commented 2 years ago

I just faced this issue and the solution was simple. I'm using Terraform in Docker, and the AWS_DEFAULT_REGION envvar was missing. So my init looks like:

```shell
docker run \
  -v "${PWD}:/workspace" \
  -w /workspace \
  -e AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN \
  -e AWS_DEFAULT_REGION \
  hashicorp/terraform:1.1.7 init \
    -backend-config="region=ap-southeast-2" \
    -backend-config="bucket=mybuckett" \
    -backend-config="key=path/to/my.tfstate" \
    -backend-config="dynamodb_table=my_dynamo_table" \
    -backend-config="encrypt=true"
```

Helen-Chukwukelu commented 2 years ago

I am currently facing this issue @ryanisnan and @ginigangadharan; please, how did you change the time? I used sudo date and then typed the correct date and time, but I got the error "command not found". Kindly send the command to use. Thank you.

iamgini commented 2 years ago

@Helen-Chukwukelu I have adjusted the date/time and zone correctly

Helen-Chukwukelu commented 2 years ago

@ginigangadharan I am finding it hard adjusting the time. Can you help with a command to do that? I am using aws CLI. Thank you

iamgini commented 2 years ago

Which OS are you referring to?


Helen-Chukwukelu commented 2 years ago

@ginigangadharan I am using CentOS 7. Below is the error I get:

│ Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: b7bcd89f-8502-434a-964b-4ee16a2b78cb, api error SignatureDoesNotMatch: Signature not yet current: 20220504T114431Z is still later than 20220504T040106Z (20220504T034606Z + 15 min.)
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 2, in provider "aws":
│    2: provider "aws" {

Helen-Chukwukelu commented 2 years ago

I really need help as this issue has persisted for days. Thank you

This is me coming back to edit ....... I resolved the issue by simply adjusting my PC time. The image below shows the setting:

(image: Time setting)

engr-usman commented 2 years ago

Sometimes, if the session is disconnected or expired, we get the sts:GetCallerIdentity error. Secondly, check whether the IAM access key status is active or inactive.

Try the following method as well; it works for me: To resolve this issue, you just need to delete "rm -rf .terraform" and "rm -rf .terraform.lock.hcl" and then run this command "terraform init -backend-config="access_key=xxxxxxxxxxxxxxxxxxxx" -backend-config="secret_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx""

NimrodHunter commented 2 years ago

I tried terraform init -backend-config="access_key=xxxxxxxxxxxxxxxxxxxx" -backend-config="secret_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" but still not working. :/

satishtamilan commented 2 years ago

Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: IncompleteSignature: 'SNMPGLC' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential=AKIA SNMPGLC LNH MDGH/20220605/us-east-1/sts/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=a0e3f6c7fa5ceafcb9d9fd0c081dd79c730b5588176f1b977ff747603d3883f4'. status code: 400, request id: 1b0b385c-157a-4f93-8387-cef0efdaeb95 with provider["registry.terraform.io/hashicorp/aws"] on main.tf line 23, in provider "aws":

I am getting this error while running this tutorial https://learn.hashicorp.com/tutorials/terraform/github-actions

Not sure why, as I configured all the credentials as mentioned by HashiCorp.

Krishdevo commented 2 years ago

@RajendraVenkata This issue is because your system date/time is wrong.

Worked for me. Thanks!

ricardofunke commented 2 years ago

I have this issue only for the me-south-1 region, while US regions work fine.

My default region in the .aws/config file is us-west-2, but I set me-south-1 for the "region" property in the aws "provider" in my main.tf file.

I've found a suggestion to make the setting below in my AWS settings, but it doesn't seem to solve this issue either: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-manage-tokens

JuukoHenry12 commented 2 years ago

asshole

Teeworks1 commented 2 years ago

Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 400, RequestID: 73390445-95df-48e8-b897-1e06913a4946, api error IncompleteSignature: '/20220809/us-east-1/sts/aws4_request' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential=SAKIA5GT5RFZMSQI2BR6V /20220809/us-east-1/sts/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=a0011c33fdf04a7739ed5ed4421c3ea2ba6ad3f3365cde8d07e7c5c319ed5d3e'.

Teeworks1 commented 2 years ago

Hi all, please, I get the above error when I execute my terraform plan command. What could be the possible cause?

engr-usman commented 2 years ago

@Teeworks1 check your system date and time. Secondly remove/delete .terraform directory and then initialize the terraform again with "terraform init" command.

haithai91 commented 2 years ago

My problem was that the AWS account was missing some permissions related to EC2 instances. I updated the permissions for my account and I can run the apply command to create the EC2 instance normally 💯

(image: Screen Shot 2022-08-23 at 08 29 26)

Erastus420 commented 2 years ago

@RajendraVenkata This issue is because your system date/time is wrong.

This has really helped me because I had a similar issue. Thanks man.

drcImpacta commented 1 year ago

I used "aws configure" and defined the region name. It worked smoothly for me after I had tried all the suggestions and tips above.

dellabeneta commented 1 year ago

@RajendraVenkata This issue is because your system date/time is wrong.

LOVE YOU SOO MUCHHHH. my system was on time. but it was not set "automatically"

egyakofi commented 1 year ago

terraform init

I tried this and it didn't work for me.

TomHowarth commented 1 year ago

I have the exact same problem. I have deleted .terraform and .terraform.lock.hcl, I have deleted and recreated my ~/.aws/config details, and I have verified and even reset my WSL time.

nothing has worked.

This is the error I am receiving:

│ Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: b8a5bf97-8a8c-4806-8e90-2f767863f5e4, api error SignatureDoesNotMatch: Credential should be scoped to a valid region.
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 3, in provider "aws":
│    3: provider "aws" {

TomHowarth commented 1 year ago

I have found my error; it appears that I cannot spell. I had a spelling mistake in my tfvars file on the region/location.

Pennredl commented 1 year ago

I really need help as this issue has persisted for days. Thank you

This is me coming back to edit ....... I resolved the issue by simply adjusting my PC time. The image below shows the setting:

(image: Time setting)

Pennredl commented 1 year ago

this saved my day

ravindra61520 commented 1 year ago

terraform plan

same with me

gladysgodwin commented 1 year ago

none of the above worked for me.. somebody please help....

╷
│ Error: configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, net/http: invalid header field value for "Authorization"
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 11, in provider "aws":
│   11: provider "aws" {

aadiupa commented 1 year ago

I wasn't providing the region in correct format, was passing ap-south=1 (typo) instead of ap-south-1, might help someone someday.

felix-lessoer commented 1 year ago

For me it happened because the region I wanted to deploy in was not activated for my account. Had to do this first manually.

joey1089 commented 1 year ago

Error: configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403

Similar error; I followed the advice here but nothing seems to work for my error. This pertains to the Terraform Cloud AWS setup.

Solution: run

echo "export AWS_REGION=us-east-1" | tee -a ~/.bash_profile
export AWS_REGION=us-east-1

and run the command below to check if it's set:

aws sts get-caller-identity

For more, refer to this article: https://aws-quickstart.github.io/workshop-terraform-modules/40_setup_cloud9_ide/41_setup_creds_in_c9.html#:~:text=AWS%20Terraform%20Workshop%20%3E%20Setup%20AWS%20Cloud9%20%3E,that%20you%20downloaded%20in%20the%20Getting%20Started%20Section.

EjiroLaurelD commented 1 year ago

│ Error: configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 4b810be6-6aa5-4c03-a96c-f76ac6595318, api error SignatureDoesNotMatch: Signature expired: 20230126T150724Z is now earlier than 20230126T151006Z (20230126T152506Z - 15 min.)

I am getting this error, I have tried everything written here but nothing works. Please help

joey1089 commented 1 year ago

try run this cmd and see if the aws is set properly. aws sts get-caller-identity

EjiroLaurelD commented 1 year ago

the command is returning this error An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Signature expired: 20230126T155124Z is now earlier than 20230126T155404Z (20230126T160904Z - 15 min.)

Update: this command worked for me:

sudo date -s "$(wget -qSO- --max-redirect=0 google.com 2>&1 | grep Date: | cut -d' ' -f5-8)Z"
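The "Signature expired" and "Signature not yet current" messages quoted in this thread already contain both clocks: the client's X-Amz-Date and the server time, with the 15-minute window STS allows. The added example below (not the provider's code, nor anything posted here) recovers the skew in seconds from those messages, compares a local clock against a trusted HTTP Date header the way the wget one-liner above does but without touching the system clock, and sorts the other sts:GetCallerIdentity errors seen in this thread into the cause each was traced to. The category labels and function names are this example's own; the sample messages are the ones quoted in the thread, trimmed to the STS part.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Added example (not the provider's code): reads the STS error texts quoted in
# this thread, turns the clock-skew ones into a number of seconds, and offers
# the same "compare my clock with a trusted HTTP Date header" check that the
# wget/date one-liner above performs, without changing the system clock.

TOLERANCE_S = 15 * 60  # STS tolerates at most 15 minutes between X-Amz-Date and its own clock

_SKEW_RE = re.compile(
    r"Signature (?:expired|not yet current): (\d{8}T\d{6}Z) is (?:now earlier|still later) than "
    r"\d{8}T\d{6}Z \((\d{8}T\d{6}Z) [+-] 15 min\.\)"
)


def utc(year: int, month: int, day: int, hour: int, minute: int, second: int) -> datetime:
    """Small helper so callers can build aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _amz(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def skew_from_error(message: str) -> Optional[int]:
    """Seconds the client clock is ahead (+) or behind (-) the STS clock,
    recovered from the X-Amz-Date and server time quoted in the error;
    None when the message is not a clock-skew rejection."""
    m = _SKEW_RE.search(message)
    if m is None:
        return None
    client_time, server_time = (_amz(t) for t in m.groups())
    return int((client_time - server_time).total_seconds())


def skew_from_date_header(date_header: str, local_now: datetime) -> int:
    """Seconds the local clock is ahead (+) or behind (-) the clock that
    produced an HTTP Date header (the STS response's own Date header works)."""
    server_time = parsedate_to_datetime(date_header)
    return int((local_now - server_time).total_seconds())


def diagnose(message: str) -> str:
    """Map an error from 'error calling sts:GetCallerIdentity' to the cause
    reported for it in this thread (labels are this example's own)."""
    skew = skew_from_error(message)
    if skew is not None:
        return "clock_skew" if abs(skew) > TOLERANCE_S else "clock_skew_borderline"
    if "Credential should be scoped to a valid region" in message:
        return "region_scope"
    if "IncompleteSignature" in message or 'invalid header field value for "Authorization"' in message:
        return "malformed_credential"
    if "InvalidClientTokenId" in message:
        return "invalid_token"
    return "unknown"


# Error texts quoted in this thread, trimmed to the STS part.
EXPIRED = ("api error SignatureDoesNotMatch: Signature expired: 20230126T150724Z is now "
           "earlier than 20230126T151006Z (20230126T152506Z - 15 min.)")
NOT_YET = ("api error SignatureDoesNotMatch: Signature not yet current: 20220504T114431Z is "
           "still later than 20220504T040106Z (20220504T034606Z + 15 min.)")
SCOPE = "SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-east-1'."
INCOMPLETE = "api error IncompleteSignature: '/20220809/us-east-1/sts/aws4_request' not a valid key=value pair"
TOKEN = "api error InvalidClientTokenId: The security token included in the request is invalid."

if __name__ == "__main__":
    for text in (EXPIRED, NOT_YET, SCOPE, INCOMPLETE, TOKEN):
        print(f"{diagnose(text):22s} skew={skew_from_error(text)}  {text[:60]}...")
    now = utc(2020, 9, 28, 13, 5, 9)  # X-Amz-Date of the request logged earlier in this thread
    print("skew vs Date header:", skew_from_date_header("Mon, 28 Sep 2020 13:05:09 GMT", now))
```

A skew of -1062 seconds for the "Signature expired" message means the client is about 17 minutes 42 seconds behind STS, just outside the window; the "not yet current" message from earlier in the thread comes out at +28705 seconds, the client nearly eight hours ahead, which is what a wrong timezone on a remote VM looks like. Enabling NTP (or the "set time automatically" option several people mention) fixes both without hand-editing the clock.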

k123-v commented 1 year ago

I am using Vault for my creds on my local machine, but I am facing the issue as well:

```hcl
provider "vault" {
  address = "http://localhost:8200"
}

resource "vault_aws_secret_backend" "aws_keys" {
  path = "awscloud"
}
```

│ Error: configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: 5d1aaf50-55d9-4f3e-bc88-e297500b43f8, api error InvalidClientTokenId: The security token included in the request is invalid.
│
│   with provider["registry.terraform.io/hashicorp/aws"],
│   on main.tf line 11, in provider "aws":
│   11: provider "aws" {

Any pointers will be really helpful