[note] AWS encounters InvalidToken or InvalidClientTokenId

Note: This page is an AI-generated (gpt-5-mini-2025-08-07) translation from Traditional Chinese and may contain minor inaccuracies.

📌 Introduction

When using the AWS CLI, an expired MFA-generated AWS_SESSION_TOKEN can cause InvalidToken or InvalidClientTokenId errors.

🚀 Quick Start

Issue description

The Token ID and Secret are correct, but operations fail to authenticate (InvalidToken).

Running aws s3 ls shows the following error:

An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid.

Running aws sts get-session-token to generate a token shows the following error:

An error occurred (InvalidClientTokenId) when calling the GetSessionToken operation: The security token included in the request is invalid

Solution

This issue occurs when an AWS_SESSION_TOKEN was previously used and has likely expired, causing authentication to fail. First, unset the following environment variables:

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
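
Before unsetting, it helps to see what the shell is actually exporting. The following is an added example, not part of the original note: it classifies the exported credentials by the access key ID prefix (ASIA for temporary STS keys, AKIA for long-term IAM user keys) without printing any secret, then clears them. The function names and state labels are hypothetical.

```shell
# Added example (not from the original note); function names are hypothetical.
# Classifies the AWS credentials exported in the current shell without
# echoing any secret value, so the output is safe to paste into a ticket.
aws_env_cred_state() {
  # Nothing exported: the CLI falls back to its shared credentials/config files.
  if [ -z "${AWS_ACCESS_KEY_ID:-}${AWS_SECRET_ACCESS_KEY:-}${AWS_SESSION_TOKEN:-}" ]; then
    echo none; return 0
  fi
  # A key ID without a secret (or the reverse) can never sign a request.
  if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo incomplete; return 0
  fi
  case "$AWS_ACCESS_KEY_ID" in
    ASIA*)  # temporary key issued by STS: usable only with its session token,
            # and the whole set stops working once the session expires
      if [ -n "${AWS_SESSION_TOKEN:-}" ]; then echo temporary; else echo incomplete; fi ;;
    AKIA*)  # long-term IAM user key: a leftover session token does not belong to it
      if [ -n "${AWS_SESSION_TOKEN:-}" ]; then echo mismatched; else echo long-term; fi ;;
    *) echo unknown ;;
  esac
}

# Removes all three variables together so no stale fragment is left behind.
aws_clear_env_creds() {
  state=$(aws_env_cred_state)
  if [ "$state" = none ]; then return 0; fi
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  echo "cleared $state credentials from this shell" >&2
}

echo "environment credentials: $(aws_env_cred_state)"
```

Source the functions into the interactive shell (or paste them) rather than running them as a script, because unset in a child process does not change the parent shell's environment.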

🔁 Recap

  • Session tokens obtained via AWS MFA become unusable after expiration.
  • You need to remove AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN from the environment variables.


Author

Hsiang-Jen Li

Posted on

2025-07-11

Updated on

2025-09-16
