If you ever see this message from an AWS client call:
Type: Sender, Code: InvalidClientTokenId, Message: The security token included in the request is invalid
you want to check for any and all access issues (googling told me so). Confirm that the correct authentication is set up, whether via role, environment variable, config file or anything else.
But what caught me up today was that I was using a library that only supported Signature v2. I was trying to connect to an AWS region that only supported Signature v4. As soon as I connected to an older AWS region, the error message went away.
Here are some relevant docs about which regions and services support v2. If it isn’t on that list, you have to use v4.