AWS JS SDK suddenly throws "The Access Key ID or security token is invalid."

Question

Has anyone also noticed a change in behavior of the AWS JS SDK recently?

Because I have a CI pipeline in Github Actions, in which a Local DynamoDB is started and written to the DyanmoDB using this docClient setup:

const docClient = new AWS.DynamoDB.DocumentClient({
  region: 'localhost',
  endpoint: 'http://localhost:8000',
  accessKeyId: 'DEFAULTACCESSKEY',
  secretAccessKey: 'DEFAULTSECRETKEY',
  convertEmptyValues: true,
});

This also worked wonderfully until now, only since today at noon this fails with this error.

I have not changed anything in the source code, I have only run the CI job again.

 UnrecognizedClientException: The Access Key ID or security token is invalid.
281
      at Request.extractError (node_modules/aws-sdk/lib/protocol/json.js:80:27)
282
      at Request.callListeners (node_modules/aws-sdk/lib/sequential_executor.js:106:20)
283
      at Request.emit (node_modules/aws-sdk/lib/sequential_executor.js:78:10)
284
      at Request.emit (node_modules/aws-sdk/lib/request.js:686:14)

I could not find anything in the aws-sdk package (2.1409.0) released today that could indicate this.

Answer 1

tldr

If you're using these NPM packages, make the following replacements:

• dynamodb-localhost -> aws-dynamodb-local
• serverless-dynamodb-local -> serverless-dynamodb

Details

If you're using dynamodb-localhost or serverless-dynamodb-local, you'll have hit this error recently as newer versions of AWS DynamoDB Local (since 2023-06-28 or version 1.23.0) have changed how they validate access keys. These packages automatically download the latest version, so it may have upgraded without you realising - leading to things apparently failing without warning.

Unfortunately, these packages don't appear to be maintained, with no new releases to NPM in over 2 years.

You can use aws-dynamodb-local and serverless-dynamodb, maintained forks, instead. (Disclaimer: I am a contributor to this fork). It is a drop-in replacement for this package, and is updated to fix this bug.

Migrating takes about 2 minutes, with a full guide in the README. Of course, it's all still open-source and MIT licensed. Ownership of this new package sits with a registered charity, that is committed to maintaining the package into the future and is open to contributions from the community.

Answer 2

Since the latest release there has been an enforcement on access keys which can be used:

DynamoDB local version 2.0.0 and greater AWS_ACCESS_KEY_ID can contain the only letters (A–Z, a–z) and numbers (0–9).

Furthermore, if you're using an external package such as serverless-dynamodb-local you can upgrade to the most recent version, as they have all been modified to handle this change in DynamoDB Local

https://repost.aws/articles/ARc4hEkF9CRgOrw8kSMe6CwQ/troubleshooting-the-access-key-id-or-security-token-is-invalid-error-after-upgrading-dynamodb-local-to-version-2-0-or-greater

Answer 3

Most probably it might be a cache issue so try the below commands.

rm ~/.aws/cli/cache/*
rm ~/.aws/boto/cache/*

Don't worry deleting the cache doesn't create an issue. It will recreate it.

Also check if your account is active by logging into the IAM account you are using or just try to see list of buckets or anything you that you can see.

Also check if you are on the right region because if you are not a right region sometimes you might see this.