Terraform AWS provider "InvalidClientTokenId" / "RequestExpired" in CI
AWS rejected the signed request: InvalidClientTokenId means the access key or session token is not valid (often an expired STS session), and RequestExpired means the request signature is outside the allowed time window, usually from clock skew.
What this error means
terraform apply fails with "InvalidClientTokenId: The security token included in the request is invalid" or "RequestExpired: Request has expired."
Error: error configuring Terraform AWS Provider: ... api error
InvalidClientTokenId: The security token included in the request is invalid.
Error: ... api error RequestExpired: Request has expired.Common causes
An expired or wrong STS session token
A short-lived assumed-role session expired mid-run, or the wrong token was injected, so AWS treats the credential as invalid.
Runner clock skew expires the signed request
SigV4 signatures embed a timestamp; if the runner clock drifts beyond the allowed window the request is reported as expired.
How to fix it
Refresh credentials with a longer session
- Re-acquire credentials immediately before the Terraform step.
- Increase the assumed-role session duration if long applies time out.
- Confirm the token reaches the step (no stale cached env).
aws sts get-caller-identity # confirm the active session is validFix runner clock skew for RequestExpired
Ensure the runner clock is synchronized; a drifting clock makes every signed request expire.
date -u # compare against true UTC; sync NTP if it driftsHow to prevent it
- Acquire credentials right before the Terraform step, not early.
- Set a session duration that covers long applies.
- Keep runner clocks synchronized to avoid signature expiry.