'Invalid security token' when creating a data_key or encrypting using KMS inside an EC2 instance

Hey, I’m trying to implement client-side field level encryption. I’m running MongoDB in a container inside my EC2 instance.

I wrote a script that uses my EC2’s programmatic access credentials and connects to the AWS KMS provider, but whenever I try to create a data key or encrypt anything, I get an error:
EncryptionError: Error in KMS response 'The security token included in the request is invalid.'. HTTP status=400

I also tried setting the ACCESS_KEY, SECRET_KEY and SESSION_TOKEN as environment variables and still got the error.

The EC2 instance has full control over KMS.
When using the normal boto3 ‘KMS’ client, I manage to create a data_key and to encrypt and decrypt data.

I wanted to open a Jira bug issue about this case, but figured I might be doing something wrong.

This is the script that I used: https://pastebin.com/LGjD5bLU

I’d appreciate any help provided :slight_smile:

Hello @Gal_Gertzman!

CSFLE does not currently support temporary credentials for AWS. You can authenticate with an access key id and secret access key. But you cannot pass a session token through the KMS providers configuration.

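To make the answer concrete, here is an added example (not the original poster's script and not MongoDB's own code) showing how the `kms_providers` mapping for pymongo's `ClientEncryption` is built from long-lived AWS keys, and how to fail early when the environment carries temporary credentials. Credentials obtained from an EC2 instance profile via the instance metadata service are temporary STS credentials and always come with a session token, which is why this check is worth running before touching KMS. The environment variable names are the standard AWS SDK ones; the key ARN, region and the sample values in the comments are constructed for illustration.

```python
import os
from typing import Mapping, Optional


class TemporaryCredentialsError(ValueError):
    """Raised when the supplied AWS credentials are temporary (carry a session token)."""


def build_aws_kms_providers(env: Optional[Mapping[str, str]] = None) -> dict:
    """Build the kms_providers mapping that pymongo's ClientEncryption expects.

    Only a long-lived access key pair is accepted: the CSFLE KMS provider
    configuration has no field for a session token, so passing temporary
    (STS / instance-profile) credentials would reach KMS without the token
    and be rejected with "The security token included in the request is invalid".
    """
    env = os.environ if env is None else env
    access_key = env.get("AWS_ACCESS_KEY_ID")
    secret_key = env.get("AWS_SECRET_ACCESS_KEY")
    if not access_key or not secret_key:
        raise KeyError("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must both be set")
    if env.get("AWS_SESSION_TOKEN"):
        raise TemporaryCredentialsError(
            "AWS_SESSION_TOKEN is set, so these are temporary credentials "
            "(for example from the EC2 instance metadata service); CSFLE cannot "
            "pass a session token to KMS, use an IAM user's long-lived key pair"
        )
    return {"aws": {"accessKeyId": access_key, "secretAccessKey": secret_key}}


def aws_master_key(region: str, key_arn: str) -> dict:
    """Build the master_key argument for ClientEncryption.create_data_key("aws", ...)."""
    if not key_arn.startswith("arn:aws:kms:"):
        raise ValueError("key must be a KMS key ARN, e.g. arn:aws:kms:<region>:<account>:key/<id>")
    return {"region": region, "key": key_arn}


if __name__ == "__main__":
    # Live usage against a real MongoDB and KMS; not executed when imported.
    # Requires pymongo[encryption] and a reachable mongod; the ARN below is a
    # constructed placeholder, substitute your own customer master key.
    from bson.codec_options import CodecOptions
    from pymongo import MongoClient
    from pymongo.encryption import ClientEncryption

    kms_providers = build_aws_kms_providers()  # raises early on temporary creds
    client = MongoClient("mongodb://localhost:27017")
    client_encryption = ClientEncryption(
        kms_providers,
        "encryption.__keyVault",
        client,
        CodecOptions(),
    )
    data_key_id = client_encryption.create_data_key(
        "aws",
        master_key=aws_master_key(
            "us-east-1",
            "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
        ),
    )
    print("created data key", data_key_id)
```

The `__main__` section is the part that actually talks to MongoDB and KMS; the two helpers above it run anywhere and are the piece worth wiring into a startup check, because the failure the thread describes only surfaces once a KMS request has already been signed and sent.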