AWS credentials are not valid : An error occurred (InvalidClientTokenId)

SYSTEM INFORMATION
OS type and version Rocky Linux 9.5
Virtualmin version 7.30.4 Pro

Following up on an old thread (Here), I got this partially resolved. Prior to this, I was unable to connect to AWS from either the command line, OR from Virtualmin. After working with a local friend, we confirmed my credentials worked from his server, so it was something in my environment. We removed AWS CLI v2, and installed an older version. Now, I can connect from the command line, but still can’t connect from Virtualmin.

From a Terminal:

root@www:~# aws --version
aws-cli/1.37.16 Python/3.9.21 Linux/5.14.0-503.23.1.el9_5.x86_64 botocore/1.36.16

root@www:~# aws route53 list-hosted-zones
HOSTEDZONES     7e001cc4-7f54-481f-a981-aea5174feac1    /hostedzone/Z04901512E3SUPSPGLR0A       aiskondns.net.  8
CONFIG  DNS services for Aiskon.net     False

but when I put the same keys into Virtualmin, I get the following:

Failed to save cloud DNS provider : AWS credentials are not valid : An error occurred (InvalidClientTokenId) when calling the ListHostedZones operation: The security token included in the request is invalid.

Any guidance on how to get my credentials working from within Virtualmin? They seem to work fine from the terminal / CLI.

EDIT: This is for DNS management, under Cloud DNS Providers.

@Jamie, do you remember fixing this issue?

How are you installing, are you using the package manager? Route53 and S3 works fine for me.
My version.

aws-cli/2.15.31 Python/3.9.21 Linux/5.14.0-503.23.1.el9_5.x86_64 source/x86_64.rocky.9 prompt/off

Mine was a manual install by downloading the ZIP from AWS. I wasn’t aware there was a Package Manager option. What command should I use to install it?

Edit: I used the official AWS guide to install it, which does not use a Package Manager:

You’re testing the memory now.
I just had a look at my config and the DNS cloud is not configured. I may have removed it (I can’t remember) as I just used it for testing. But I tried to add it back and I get your error. Maybe there is a bug.
I’m pretty sure the install was dnf install awscli

I’ll see if I can get this working again.

I just removed the manual install, and did “yum install awscli2”

I can still do commands from the terminal with success, but I still can’t get results from the Virtualmin UI.

I think at this point I need Jamie to chime in, as they’ve solved this already it looks like?

I was using the wrong Access key, added key and secret ok. (Double check you’re not pasting a leading or ending white space.) As far as I know Virtualmin is using the awscli so I can’t understand why you would have this error.

and virtualmin was able to create a zone.

and reflected at aws

I don’t recall fixing this issue - to me it looks like the credentials are just incorrect?

I’m using the same credentials in the CLI environment, and they work there. I verified there’s no leading or trailing spaces in the UI.

So Virtualmin will set up AWS CLI credentials that can also be used when you SSH in.

Does the command aws route53 list-hosted-zones work OK?

If so, check the file /root/.aws/credentials and find the numeric profile ID for credentials Virtualmin added. Then try running aws --profile 1234566789 route53 list-hosted-zones

This is what I am seeing in my Credentials file:

root@www:~/.aws# cat credentials 
[akey_or_id]
aws_access_key_id = akey_or_id
aws_secret_access_key = (secret)
[default]
aws_access_key_id = AKIAT7JJVFPF4EQUQI5J
aws_secret_access_key = (the same secret)

As noted in my original post, “aws route53 list-hosted-zones” works without issue from the Terminal.

Did you add those using the “Virtualmin / Addresses and Networking ⇾ Cloud DNS Providers: Amazon Route 53” page? If not, give it a try and see how it goes.

Note that [akey_or_id] should be a timestamp like [17286401039020] when created via Virtualmin.

Yes, I did enter the values via that option in the UI.

It looks like the Virtualmin UI is not writing the correct values to the Credentials file, would be my read on this.

Is there a way to either 1) Tell Virtualmin to use the Default credentials / profile, or 2) Specify the profile name manually, so that it’s something I can manually enter into the Credentials file in the short term?

@Ilia - would you like me to open a Support Case for this?

I’m not sure. I’d suggest waiting for Jamie’s comment on this.

Is it actually the text akey_or_id, or are you using this instead of the actual access key?

Ok I see the bug that causes this! The fix is here : Use variable instead of constant · virtualmin/virtualmin-gpl@41f67c6 · GitHub

My file looks like this, maybe it’s the order. Oh, I see you found the issue.

[172249348036689]
aws_access_key_id = AKIA5SFDCRHG74GFMVFI
aws_secret_access_key = [secret]
[default]
aws_access_key_id = AKIA5SFDCRHG74GFMVFI
aws_secret_access_key =[secret]
[akey_or_id]
aws_access_key_id = akey_or_id
aws_secret_access_key = [secret]

The config file looks like this:

[172249348036689]
[default]
region = ap-souteast-2
[profile akey_or_id]

Try applying my patch, and then removing and re-adding the S3 account in Virtualmin.
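
Added example (not part of the thread, and not Virtualmin's own code): a Python check that reads an AWS credentials file and flags profiles like the `[akey_or_id]` one shown above, where the access key ID is not a real key ID and the CLI would answer with InvalidClientTokenId. The key-ID pattern is a heuristic assumption, and the sample file is constructed with placeholder keys; secrets are never printed.

```python
import configparser
import re

# Heuristic shape of an access key ID: AKIA (long-term) or ASIA (temporary)
# prefix plus 16 uppercase alphanumerics. Assumption, not an AWS API check.
KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

# Constructed sample mirroring the file layout posted in the thread.
SAMPLE = """\
[akey_or_id]
aws_access_key_id = akey_or_id
aws_secret_access_key = REDACTED
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = REDACTED
[17286401039020]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = REDACTED
"""

def audit_credentials(text):
    """Return {profile: [problems]} for every profile in a credentials file."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    report = {}
    for profile in parser.sections():
        problems = []
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        if not parser.has_option(profile, "aws_secret_access_key"):
            problems.append("missing aws_secret_access_key")
        if not KEY_ID_RE.match(key_id):
            problems.append("aws_access_key_id does not look like a key ID")
        if key_id and key_id == profile:
            problems.append("key ID value is identical to the profile name")
        report[profile] = problems
    return report

def broken_profiles(text):
    """Names of profiles with at least one problem, sorted."""
    return sorted(p for p, probs in audit_credentials(text).items() if probs)

if __name__ == "__main__":
    for profile, problems in audit_credentials(SAMPLE).items():
        print(profile, "OK" if not problems else "; ".join(problems))
```

To run it against the real file, pass the contents of /root/.aws/credentials to `audit_credentials` instead of `SAMPLE`.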