Skip to content
Latchkey

Terraform AWS provider "InvalidClientTokenId" / "RequestExpired" in CI

AWS rejected the signed request: InvalidClientTokenId means the access key or session token is not valid (often an expired STS session), and RequestExpired means the request signature is outside the allowed time window, usually from clock skew.

What this error means

terraform apply fails with "InvalidClientTokenId: The security token included in the request is invalid" or "RequestExpired: Request has expired."

Terraform
Error: error configuring Terraform AWS Provider: ... api error
InvalidClientTokenId: The security token included in the request is invalid.

Error: ... api error RequestExpired: Request has expired.

Common causes

An expired or wrong STS session token

A short-lived assumed-role session expired mid-run, or the wrong token was injected, so AWS treats the credential as invalid.

Runner clock skew expires the signed request

SigV4 signatures embed a timestamp; if the runner clock drifts beyond the allowed window the request is reported as expired.

How to fix it

Refresh credentials with a longer session

  1. Re-acquire credentials immediately before the Terraform step.
  2. Increase the assumed-role session duration if long applies time out.
  3. Confirm the token reaches the step (no stale cached env).
Terminal
aws sts get-caller-identity   # confirm the active session is valid

Fix runner clock skew for RequestExpired

Ensure the runner clock is synchronized; a drifting clock makes every signed request expire.

Terminal
date -u   # compare against true UTC; sync NTP if it drifts

How to prevent it

  • Acquire credentials right before the Terraform step, not early.
  • Set a session duration that covers long applies.
  • Keep runner clocks synchronized to avoid signature expiry.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →