[ERROR] The security token included in the request is invalid

question

#1

Can’t run jets server/console and run migrations.

  1. I installed dynamodb-local docker and run it locally

https://hub.docker.com/r/amazon/dynamodb-local/

  1. Configured aws keys by aws configure with

AWS Access Key ID: “fakeMyKeyId”
AWS Secret Access Key: "fakeSecretAccessKe

Now, when I try to run server/console or run migration I get this

jets dynamodb:migrate dynamodb/migrate/20200204210035-create_instructions_migration.rb
Traceback (most recent call last):
	20: from /home/ap/.rbenv/versions/2.7.0/bin/jets:23:in `<main>'
	19: from /home/ap/.rbenv/versions/2.7.0/bin/jets:23:in `load'
	18: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/exe/jets:14:in `<top (required)>'
	17: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/lib/jets/cli.rb:5:in `start'
	16: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/lib/jets/cli.rb:25:in `start'
	15: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/lib/jets/cli.rb:46:in `boot_jets'
	14: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/lib/jets/core.rb:18:in `boot'
	13: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/lib/jets/booter.rb:21:in `boot!'
	12: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/lib/jets/application.rb:24:in `configs!'
	11: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/lib/jets/application.rb:178:in `set_iam_policy'
	10: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/lib/jets/application/defaults.rb:11:in `default_iam_policy'
	 9: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/memoist-0.16.2/lib/memoist.rb:169:in `account'
	 8: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/jets-2.3.12/lib/jets/aws_info.rb:57:in `account'
	 7: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.89.1/lib/aws-sdk-sts/client.rb:1640:in `get_caller_identity'
	 6: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.89.1/lib/seahorse/client/request.rb:70:in `send_request'
	 5: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.89.1/lib/seahorse/client/plugins/response_target.rb:23:in `call'
	 4: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.89.1/lib/aws-sdk-core/plugins/response_paging.rb:10:in `call'
	 3: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.89.1/lib/aws-sdk-core/plugins/param_converter.rb:24:in `call'
	 2: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.89.1/lib/aws-sdk-core/plugins/idempotency_token.rb:17:in `call'
	 1: from /home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.89.1/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'
/home/ap/.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/aws-sdk-core-3.89.1/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call': The security token included in the request is invalid. (Aws::STS::Errors::InvalidClientTokenId)

#2

At the same time if I just run:

aws dynamodb list-tables --endpoint-url http://localhost:8000

It connects successfully:

{
    "TableNames": []
}

#3

Another thing - I switched off my network and tried run command

jets dynamodb:generate create_posts

And voila

/home/ap/.rbenv/versions/2.4.9/lib/ruby/2.4.0/net/http.rb:906:in `rescue in block in connect'

Failed to open TCP connection to sts.amazonaws.com:443
...

Why it tries to connect to sts.amazonaws.com:443 ?

config/dynamodb.yml

development:
  table_namespace: <%= Jets.config.table_namespace %>
  endpoint: http://localhost:8000

test:
  endpoint: http://localhost:8000
  table_namespace: <%= Jets.config.table_namespace %>

production:
  table_namespace: <%= Jets.config.table_namespace %>

#4

I’m using Ubuntu. Here’s my step by step flow for better understanding:

STEP 1

  • NO dynamodb local running
  • NO aws credentials set
$ jets dynamodb:migrate ./dynamodb/migrate/20200206124223-create_posts_migration.rb
=>
INFO: You're missing AWS credentials. Only local services are currently available
Running database migrations
...
You have configured your app to use DynamoDB local, but it is not running.
Please start DynamoDB local.
Example: brew cask install dynamodb-local && dynamodb-local (RuntimeError)

STEP 2

  • dynamodb local IS running
  • NO aws credentials set
$ jets dynamodb:migrate ./dynamodb/migrate/20200206124223-create_posts_migration.rb
=>
INFO: You're missing AWS credentials. Only local services are currently available
Running database migrations
...
Unable to sign request without credentials set (Aws::Errors::MissingCredentialsError)

STEP 3

  • dynamodb local IS running
  • aws credentials ARE set
    aws_access_key_id = FakeAccessKeyID
    aws_secret_access_key = FakeSecretAccessKEY
    
$ jets dynamodb:migrate ./dynamodb/migrate/20200206124223-create_posts_migration.rb
=>
The security token included in the request is invalid. (Aws::STS::Errors::InvalidClientTokenId)

STEP 4

  • the same as in Step 3 but internet connection is switched off
$ jets dynamodb:migrate ./dynamodb/migrate/20200206124223-create_posts_migration.rb
=>
INFO: No internet connection available. Only local services are currently available
Running database migrations
Calling create_table with params:
{:table_name=>"jets-test-dev-posts",
 :key_schema=>[{:attribute_name=>"id", :key_type=>"HASH"}],
 :attribute_definitions=>[{:attribute_name=>"id", :attribute_type=>"S"}],
 :provisioned_throughput=>{:read_capacity_units=>5, :write_capacity_units=>5}}
DynamoDB Table: posts Status: ACTIVE

So after this I can run with server/console/migration with no internet connection only.


#5

Finally, I’ve made a temporary fix.

I added this to config/application.rb

if ENV['DYNAMODB_LOCAL']
  Dynomite::Item.db = Aws::DynamoDB::Client.new(
    access_key_id: 'FakeAccessKeyID',
    secret_access_key: 'FakeSecretAccessKEY',
    endpoint: 'http://localhost:8000'
  )
end

Now I can connect to local DynamoDB.

Please pay attention to this code:

No AWS keys are passed here.
What do you think?


#6

Actually it works this way if AWS credentials are not set in ~/.aws/credentials