botocore 1.13.19 update fails with InvalidClientTokenId for sts, maybe others

[rpattcorner]

After upgrading to botocore 1.13.19 I'm seeing the failure below from sts calls. The problem does not occur with the prior 1.12.253 botocore release, and reverting to 1.12.253 temporarily resolves the problem.

Interestingly a basic iam call works with the new botocore, however the issue seems to me likely to affect more than just the sts client.

The concurrent upgrade to boto3 1.10.19 does not seem to create a problem so long as botocore is held back to the prior 1.12.253.

The error is (printing the error dict):

{'Error': {'Type': 'Sender', 'Code': 'InvalidClientTokenId', 
'Message': 'The security token included in the request is invalid.'}, 
'ResponseMetadata': {'RequestId': 'ad6560e7-08d5-11ea-a8eb-9d1b75d1535f', 
'HTTPStatusCode': 403, 
'HTTPHeaders': {'x-amzn-requestid': 'ad6560e7-08d5-11ea-a8eb-9d1b75d1535f', 'content-type': 'text/xml', 'content-length': '306', 'date': 'Sun, 17 Nov 2019 01:00:41 GMT'}, 
'RetryAttempts': 0}}

The simple test case I wrote to generate the error is below ... both clients passed in are from a long-successful fixture. To my surprise the IAM code works -- puzzling that the problem is not more general.

Reverting botocore to 1.12.253 resolves the problem.

def test_botocore13fail(identity_sts_client, identity_iam_client):
    try:
        response = identity_iam_client.create_user(
            UserName='foo'
        )
    except Exception as e:
        print(e.response)

    try:
        response = identity_sts_client.assume_role(
            DurationSeconds=3600,
            RoleArn='arn:aws:iam::' + '000000000000' + ':role/' + 'somerole',
            RoleSessionName='somename'
        )
    except Exception as e:
        print(e.response)