CloudFormation Stack task fails due to InvalidClientTokenId when using IAM resources

Problem

Your builds fail because a Tasks for AWS CloudFormation Stack task encounters a stack entering status CREATE_FAILED with the reason: The security token included in the request is invalid (Service: AmazonIdentityManagement; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: ...):

    simple 08-Jun-2018 16:02:04 Starting task 'Create Test Stack' of type 'net.utoolity.atlassian.bamboo.tasks-for-aws:aws.cloudformation.stack'
    simple 08-Jun-2018 16:02:04 Setting maxErrorRetry=7 and awaitTransitionInterval=15000
    simple 08-Jun-2018 16:02:04 Using session credentials provided by Identity Federation for AWS add-on (connector variable: 8fed4fee-21f0-4a8e-8b48-b16564a0ffc8).
    simple 08-Jun-2018 16:02:04 Selecting region ap-southeast-2
    simple 08-Jun-2018 16:02:04 Parsing stack parameters as JSON array
    simple 08-Jun-2018 16:02:05 Selected template source is URL
    simple 08-Jun-2018 16:02:05 Selected template URL is https://s3.amazonaws.com/xxxxxxxx/xxxxxxxx/tst-uaa-322.yaml
    simple 08-Jun-2018 16:02:05 Creating stack 'tst-uaa-322':
    simple 08-Jun-2018 16:02:05 ... 'tst-uaa-322': 20180608T160205Z entered status CREATE_IN_PROGRESS, reason: User Initiated ...
    simple 08-Jun-2018 16:02:21 ... 'tst-uaa-322.LogRole': 20180608T160211Z entered status CREATE_IN_PROGRESS ...
    simple 08-Jun-2018 16:02:21 ... 'tst-uaa-322.LogRole': 20180608T160212Z entered status CREATE_FAILED, reason: The security token included in the request is invalid (Service: AmazonIdentityManagement; Status Code: 403; Error Code: InvalidClientTokenId; Request ID: f9136195-70c1-4e5e-bb39-b409caa2f73c) ...
    simple 08-Jun-2018 16:02:21 Finished task 'Create Test Stack' with result: Error

Solution

This is a known limitation of the AWS Security Token Service (STS) API: AWS Identity and Access Management (IAM) API operations can only be called with temporary credentials returned by the AssumeRole API action, not with temporary credentials returned by GetFederationToken or GetSessionToken (except when MFA is used); see Comparing the STS API Operations for details. Accordingly, when a CloudFormation template contains IAM resources (such as the LogRole in the log above), you need to configure an Identity Federation for AWS connector with the principal type Assumed Role.
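As an added pre-flight check (not part of this article or of Tasks for AWS), the following script predicts the failure before the stack is launched: it lists the AWS::IAM:: resources in a template and classifies the credentials by the ARN that sts:GetCallerIdentity would report. The template, the account ID and the ARNs are constructed sample values; whether MFA was used for GetSessionToken cannot be read off an ARN, so it is passed in explicitly.

```python
import json
import re

# Constructed sample template (not the page's tst-uaa-322.yaml): a log group plus
# the IAM role that failed in the build log above.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "LogGroup": {"Type": "AWS::Logs::LogGroup"},
    "LogRole": {"Type": "AWS::IAM::Role"},
}})

# ARN shapes that sts:GetCallerIdentity reports for each kind of credential.
ASSUMED_ROLE = re.compile(r"^arn:aws[^:]*:sts::\d{12}:assumed-role/[^/]+/.+$")
FEDERATED_USER = re.compile(r"^arn:aws[^:]*:sts::\d{12}:federated-user/.+$")
IAM_USER = re.compile(r"^arn:aws[^:]*:iam::\d{12}:user/.+$")


def iam_resources(template_json):
    """Logical IDs of resources in the AWS::IAM:: namespace (roles, policies, users)."""
    resources = json.loads(template_json).get("Resources", {})
    return sorted(lid for lid, res in resources.items()
                  if str(res.get("Type", "")).startswith("AWS::IAM::"))


def credential_kind(caller_arn, has_session_token):
    """Classify credentials by caller ARN plus whether a session token accompanies them.
    A user ARN is returned both for long-term access keys and for GetSessionToken
    credentials; only the presence of a session token tells the two apart."""
    if ASSUMED_ROLE.match(caller_arn):
        return "AssumeRole"
    if FEDERATED_USER.match(caller_arn):
        return "GetFederationToken"
    if IAM_USER.match(caller_arn):
        return "GetSessionToken" if has_session_token else "long-term user keys"
    return "unknown"


def preflight(template_json, caller_arn, has_session_token, mfa_used=False):
    """Predict whether creating the stack will fail with InvalidClientTokenId.
    Returns (ok, message). Assumption: MFA use cannot be read off the ARN, so the
    caller states it via mfa_used (GetSessionToken with MFA may call IAM)."""
    iam = iam_resources(template_json)
    kind = credential_kind(caller_arn, has_session_token)
    if not iam:
        return True, "template has no IAM resources; any credential kind works"
    if kind in ("AssumeRole", "long-term user keys") or (kind == "GetSessionToken" and mfa_used):
        return True, "%s credentials may create %s" % (kind, ", ".join(iam))
    return False, ("%s credentials cannot call IAM; creating %s would fail with "
                   "InvalidClientTokenId - use an Assumed Role connector" % (kind, ", ".join(iam)))
```

Running preflight with a federated-user ARN against the sample template reproduces the LogRole failure verdict; with an assumed-role ARN it passes.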

Workaround

If configuring an Identity Federation for AWS connector with the principal type Assumed Role is not an option, you can alternatively provide AWS security credentials via an IAM Role for EC2 (Agent) or Inline, neither of which is subject to this STS limitation.