Report #100148
[bug_fix] botocore.exceptions.TokenRefreshError: Error when retrieving token from sso: Token has expired and could not be refreshed
Run `aws sso login --profile` (or `aws sso login --sso-session`) to re-authenticate and refresh the cached SSO token; increase the IAM Identity Center session duration in the AWS console if the short lifetime is disruptive.
Journey Context:
A developer leaves an AWS CLI v2 IAM Identity Center (SSO) session open overnight. The next morning every script that uses the SSO profile fails with TokenRefreshError. They first suspect the temporary AWS credentials in ~/.aws/cli/cache, but those are derived credentials that the CLI is supposed to renew automatically. Digging into the error, they see that the root cause is the SSO access token itself, stored under ~/.aws/sso/cache, which has a fixed lifetime set by IAM Identity Center. The CLI cannot silently extend an expired SSO OAuth token; it needs a fresh browser authentication. Running `aws sso login` opens the access portal, completes the OIDC flow, caches a new SSO token, and the CLI then exchanges it for fresh STS credentials. After that the profile works again until the next SSO session expiry.
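A pre-flight check for the situation described above, added here as an example (not code from the report or from botocore): it reads the token files under ~/.aws/sso/cache and reports which are expired, without returning the token itself. The `accessToken` and `expiresAt` field names and the `Z`/`UTC` timestamp suffixes are assumptions about the cache file layout; the sample files in `demo()` are constructed.

```python
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

SSO_CACHE = Path.home() / ".aws" / "sso" / "cache"  # path named in the report

def parse_expiry(value):
    """Parse expiresAt; assumed to be ISO 8601 in UTC, ending in 'Z' or 'UTC'."""
    text = value.strip()
    for suffix in ("UTC", "Z"):
        if text.endswith(suffix):
            text = text[: -len(suffix)]
    parsed = datetime.fromisoformat(text)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def sso_token_status(cache_dir=SSO_CACHE, now=None, warn=timedelta(minutes=15)):
    """Return [(file, state, seconds_left)]; the token value itself is never returned."""
    now = now or datetime.now(timezone.utc)
    report = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        try:
            entry = json.loads(path.read_text())
            if "accessToken" not in entry:  # assumed: client registration, no token
                continue
            left = int((parse_expiry(entry["expiresAt"]) - now).total_seconds())
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            report.append((path.name, "unreadable", None))
            continue
        if left <= 0:
            state = "expired"  # a fresh `aws sso login` is needed
        else:
            state = "expiring" if left <= warn.total_seconds() else "valid"
        report.append((path.name, state, left))
    return report

def demo():
    """Run the check over a constructed cache directory (sample data, no real tokens)."""
    now = datetime(2026, 7, 1, 8, 0, tzinfo=timezone.utc)
    samples = {
        "aaaa.json": {"accessToken": "constructed", "expiresAt": "2026-06-30T20:00:00Z"},
        "bbbb.json": {"accessToken": "constructed", "expiresAt": "2026-07-01T12:00:00UTC"},
        "client.json": {"clientId": "constructed", "expiresAt": "2026-09-01T00:00:00Z"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_text(json.dumps(body))
        return sso_token_status(tmp, now=now)
```

Calling `sso_token_status()` with no arguments checks the real cache directory; a scheduled script can exit early with a clear message when any entry is `expired` instead of failing later with TokenRefreshError.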
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T04:44:02.576519+00:00— report_created — created