Boto3 error: The AWS Access Key Id you provided does not exist in our records
I am currently trying to get access to Amazon S3 inside a virtual machine and download files like so:

    import boto3

    s3 = boto3.resource('s3',
                        aws_access_key_id="xxxxxxxxxxx",
                        aws_secret_access_key="xxxxxxxxxxxxxxxxx")
    s3client = boto3.client('s3')
    bucket = s3.Bucket('bucketone')
    # bucket_name and filename are not defined in the posted snippet
    for obj in bucket.objects.all():
        s3client.download_file(bucket_name, obj.key, filename)

But I’m getting the error:
botocore.exceptions.ClientError: An error occurred (InvalidAccessKeyId) when calling the ListObjects operation: The AWS Access Key Id you provided does not exist in our records.
What could I be doing wrong? I checked my aws_access_key_id and aws_secret_access_key multiple times, but I'm still getting the same error. The same code locally, but not on a virtual machine, actually works on a different computer as well. There is a reason why I’m hardcoding in the keys, as I have to.

Boto3 users BEWARE

TL;DR

If you are using temporary credentials to connect to AWS services through Boto3, you MUST include a current aws_session_token as a parameter to your boto3.session.Session instance.

    import os
    import boto3

    session = boto3.Session(
        aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"],
        aws_secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"],
        aws_session_token=os.environ["AWS_SESSION_TOKEN"],
    )

    # Test it on a service (yours may be different)
    s3 = session.resource('s3')

    # Print out bucket names
    for bucket in s3.buckets.all():
        print(bucket.name)

Explanation

This is a crucial piece of information when you are testing credentials in Boto3: The error you receive may say this,

    ClientError: An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.

but may mean you are missing an aws_session_token if you are using temporary credentials (in my case, role-based credentials).

According to AWS documentation, these are the parameters available to a boto3.session.Session object; however, there is no indication or clarification when it comes to this behavior in Boto3:

Parameters

    aws_access_key_id (string) -- AWS access key ID
    aws_secret_access_key (string) -- AWS secret access key
    aws_session_token (string) -- AWS temporary session token
    region_name (string) -- Default region when creating new connections
    botocore_session (botocore.session.Session) -- Use this Botocore session instead of creating a new default one.
    profile_name (string) -- The name of a profile to use. If not given, then the default profile is used.

Regarding the aws_session_token

    Specifies an AWS session token used as part of the credentials to authenticate the user. A session token is required only if you manually specify temporary security credentials.

Resources

    aws_session_token
    Common scenarios for roles: Users, applications, and services
    Boto3 Credentials
    Session Reference
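
A pre-flight check for the situation the answer describes, as an added example that is not part of the original question or answer. It relies on the AWS-documented access key ID prefixes (AKIA for long-term keys, ASIA for temporary STS keys); the function names check_credentials and verified_session are hypothetical.

```python
"""Added example: validate a credential set before passing it to boto3.Session."""

# AWS-documented access key ID prefixes:
#   AKIA = long-term access key, ASIA = temporary key issued by STS.
LONG_TERM_PREFIX = "AKIA"
TEMPORARY_PREFIX = "ASIA"


def check_credentials(env):
    """Return (session_kwargs, problems) for a mapping such as os.environ."""
    key_id = env.get("AWS_ACCESS_KEY_ID", "").strip()
    secret = env.get("AWS_SECRET_ACCESS_KEY", "").strip()
    token = env.get("AWS_SESSION_TOKEN", "").strip()
    problems = []

    if not key_id or not secret:
        problems.append("access key ID or secret access key is missing")
    if key_id.startswith(TEMPORARY_PREFIX) and not token:
        # The case from the answer above: the service rejects the key ID
        # itself, so the error does not mention the missing token.
        problems.append("temporary (ASIA) key without aws_session_token")
    if key_id.startswith(LONG_TERM_PREFIX) and token:
        problems.append("long-term (AKIA) key with a session token set; "
                        "check for a stale AWS_SESSION_TOKEN")

    kwargs = {"aws_access_key_id": key_id, "aws_secret_access_key": secret}
    if token:
        kwargs["aws_session_token"] = token
    return kwargs, problems


def verified_session(env):
    """Build a session and confirm it with STS before touching S3."""
    import boto3  # imported lazily so check_credentials() runs without boto3

    kwargs, problems = check_credentials(env)
    if problems:
        raise ValueError("; ".join(problems))
    session = boto3.Session(**kwargs)
    # GetCallerIdentity requires no IAM permissions, so a failure here means
    # the credentials themselves were rejected, not that an S3 policy denied.
    identity = session.client("sts").get_caller_identity()
    return session, identity["Arn"]
```

Create every client and resource from the returned session (session.client('s3'), session.resource('s3')); a bare boto3.client('s3') ignores the explicit keys and falls back to the default credential chain of the machine it runs on.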