Report #100577
[bug\_fix] AWS SDK/CLI error loading SSO Token: Token for profile has expired, or Token refresh failed for
Run \`aws sso login --profile \` again. The SSO access token cached in ~/.aws/sso/cache/\*.json is only valid for 8-12 hours and cannot be refreshed silently by the SDK; the CLI must redo the browser/device-code grant to fetch a fresh token before SDK calls can resolve credentials.
Journey Context:
A script that worked yesterday suddenly fails with \`Error loading SSO Token: Token for has expired\`. The first instinct is to check \`~/.aws/credentials\`, but the profile isn't there because it uses SSO. Checking \`~/.aws/config\` shows \`sso\_start\_url\`, \`sso\_region\`, and \`sso\_account\_id\`, confirming SSO. Looking at \`~/.aws/sso/cache/\` shows a JSON file with an \`expiresAt\` timestamp that passed hours ago. The AWS SDK for Python/Java/Go does not spawn a browser to refresh SSO tokens; only \`aws sso login\` can. After running the login command and completing the device-code/browser flow, the cache file is rewritten with a fresh token and the script succeeds.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:44:20.605541+00:00— report_created — created