AWSAssumeRoleError[1012]: AWS assume role error - An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.

[ArcherFX1]

Issue search

• I have searched the existing issues and this bug has not been reported yet

Which component is affected?

Prowler UI

Cloud Provider (if applicable)

No response

Steps to Reproduce

I followed the instructions to set up assumed roles in AWS using the CloudFormation script. Everything goes fine on the AWS side, but when I continue on Prowler, I get ...

AWSAssumeRoleError[1012]: AWS assume role error - An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.

I am running this locally in Docker. This was working, and I had several AWS accounts onboarded. I have to remove the Prowler role from my main account, and when I tried to add it back in from scratch, it failed. I can, however, use an account ID and Secrets, and it works. I want to use the AssumeRoles.

Any suggestions

Expected behavior

Run cloudformaion in AWS then add the arn to prowler to onboard AWS account.

Actual Result with Screenshots or Logs

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

Debian workstation using Docker

OS used

Debian 13

Prowler version

5.23

Python version

Python 3.13.5

Pip version

pip 25.1.1

Context

No response

[jfagoagas]

Hi @ArcherFX1, thanks for reporting this.

How did you configure the authentication for the AWS provider? Either using the "SDK default" or via "Access/Secret Key"?

[ArcherFX1]

I am trying to use "SDK default" but that is not working. When I use "Access/Secret key" that does work. I do have several AWS accounts that I want to add to Prowler.

[jfagoagas]

I am trying to use "SDK default" but that is not working. When I use "Access/Secret key" that does work. I do have several AWS accounts that I want to add to Prowler.

To use "SDK Default" you have to configure AWS environment variables in the API and workers to be able to assume the role. I'm updating the docs as I can't find any reference, apologies.

[ArcherFX1]

I am trying to use "SDK default" but that is not working. When I use "Access/Secret key" that does work. I do have several AWS accounts that I want to add to Prowler.

To use "SDK Default" you have to configure AWS environment variables in the API and workers to be able to assume the role. I'm updating the docs as I can't find any reference, apologies.

Thanks. I appreciate it.

[jfagoagas]

@ArcherFX1 let me know if the following documentation update help you to configure that type of authentication:

1. Step 10 in https://prowler-improve-sdk-default-iam-role-docs.mintlify.app/user-guide/providers/aws/getting-started-aws#assume-role-recommended
2. https://prowler-improve-sdk-default-iam-role-docs.mintlify.app/user-guide/providers/aws/authentication#configuring-aws-sdk-default-for-self-hosted-prowler-app

[ArcherFX1]

Do I need to change the AccountID to my own or leave it

[jfagoagas]

Do I need to change the AccountID to my own or leave it

You have to change it for yours.

That account is Prowler Cloud's, when using "Assume Role from Prowler Cloud".

[ArcherFX1]

OK, that is what I did. I added the AWS keys in the .env. Am I suppose to create a Prowler user with Keys? Thats what I did and added it the .env and restarted the docker. I still get the error.