Report #101046
[bug\_fix] AWS ExpiredToken: An error occurred \(ExpiredToken\) when calling an operation: The security token included in the request is expired.
Obtain a fresh set of temporary credentials and retry. For AWS SSO profiles run \`aws sso login\`; for assume-role profiles let the SDK/CLI refresh the assumed-role cache or re-run \`aws sts assume-role\`; for \`sts get-session-token\` credentials request a new session token and update the environment variables or credentials file. Temporary credentials cannot have their expiration extended.
Journey Context:
A long-running CI job using an AWS SSO profile starts failing after about an hour with ExpiredToken. Locally the same command works because the developer just logged in. Checking \`aws sts get-caller-identity\` in the job shows the same assumed-role identity, but the cached token is past its 1-hour expiry. The rabbit hole leads to \`~/.aws/cli/cache\`, STS session duration limits, and the realization that the SDK only auto-refreshes when it manages the credential provider itself; a static export of \`AWS\_ACCESS\_KEY\_ID\`/\`AWS\_SESSION\_TOKEN\` from an old \`aws sts get-session-token\` call ages out. The fix is to re-authenticate or use a profile/role that the SDK refreshes automatically, because AWS temporary credentials are cryptographically rejected after their fixed expiration and there is no API to extend them.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T04:53:44.084472+00:00— report_created — created