Let's say you are using the Amazon Web Services (AWS) CLI, perhaps the aws s3api list-buckets command to list your S3 Buckets.
aws s3api list-buckets
And something like this is being returned.
An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.
This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
On a Linux system, almost always, the Access Key and Secret Key being used will be in the ~/.aws/credentials file.
~]$ cat ~/.aws/credentials
[default]
aws_secret_access_key = Xw3kZVaxTfvDKBMGf6R79Unf5LG4kdf9piuHfhn13
aws_access_key_id = 34VGB4HYOC2ABCO67BKD
[john.doe]
aws_secret_access_key = Xw3kZVaxTfvDKBMGf6R79Unf5LG4kdf9piuHfhn13
aws_access_key_id = 34VGB4HYOC2ABCO67BKD
[jane.doe]
aws_secret_access_key = fmG74A8cAXa96LWrWw1dkm565bgAtPvMy6yfjm2s
aws_access_key_id = 34CDSCNDE3E675K67BKD
If you do not use the --profile option, then the default profile will be used.
aws s3api list-buckets
If you use the --profile option, then the selected profile will be used.
aws s3api list-buckets --profile john.doe
It is important to recogize that the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables will take precedence over the ~/.aws/credentials file. The env or printenv commands can be used to determine if the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set and contain a value. If key/value pairs are returned, this means the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set.
~]$ env | grep AWS
AWS_ACCESS_KEY_ID=34VGB4HYOC2ABCO67BKD
AWS_SECRET_ACCESS_KEY=Xw3kZVaxTfvDKBMGf6R79Unf5LG4kdf9piuHfhn13
If the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set, export can be used to updated the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables for your current session.
export AWS_ACCESS_KEY_ID=ABCDEFG123456789ABDEFGS
export AWS_SECRET_ACCESS_KEY=asdfm098dsf09dsflm3lkjr09wflsdfsfga4rdfa
Or unset can be used to remove the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables for your current session.
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
When InvalidAccessKeyId is returned, this almost always means
- The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are invalid
- The aws_access_key_id and aws_secret_access_key in the ~/.aws/credentials files for the profile being used are invalid
The --debug option may be able to be used to see the Access Key being used in the request.
aws s3api list-buckets --debug
The output may contain something like this.
2024-04-16 20:02:04,515 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=PUT, url=https://my-bucket-abc123.s3.us-east-1.amazonaws.com, headers=
{
'User-Agent': b'aws-cli/2.12.3 Python/3.11.4 Linux/5.11.12-300.fc34.x86_64 exe/x86_64.fedora.34 prompt/off command/s3api.put-bucket-versioning',
'Content-MD5': b'abc123',
'X-Amz-Date': b'20240417T010204Z',
'X-Amz-Content-SHA256': b'abc123',
'Authorization': b'AWS4-HMAC-SHA256 Credential=34VGB4HYOC2ABCO67BKD/20240417/us-east-1/s3/aws4_request, SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-date;x-amz-mfa, Signature=abc123',
'Content-Length': '153'
}>
2024-04-16 20:02:04,859 - MainThread - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>InvalidAccessKeyId</Code><Message>The AWS Access Key Id you provided does not exist in our records.</Message><AWSAccessKeyId>34VGB4HYOC2ABCO67BKD</AWSAccessKeyId><RequestId>F2DXVYRBW3MPNPMH</RequestId><HostId>abc123</HostId></Error>'
Did you find this article helpful?
If so, consider buying me a coffee over at 