Report #101489
[bug\_fix] AWS SSO session expired: 'Error when retrieving token from sso: Token has expired and refresh failed'
Run \`aws sso login --profile \` \(or \`aws sso login --sso-session \`\). If the cached token is corrupted, run \`aws sso logout\` first, then log in again. The AWS SDK cannot initiate an interactive SSO login; only the AWS CLI can refresh the parent SSO session.
Journey Context:
You run a Terraform plan or a Python script using boto3 with an SSO-backed profile and it fails with a token-expired error even though you remember logging in yesterday. You check \`~/.aws/sso/cache/\` and see a JSON file, but the \`expiresAt\` field is in the past. The SDK can refresh short-lived role credentials while the SSO access token is valid, but once the SSO access token itself expires, the credential provider chain stops and asks you to re-authenticate. Running \`aws sso login\` opens the browser/device-code flow, writes a new access token to the cache, and the next SDK call can trade it for fresh role credentials. This is a daily/weekly ritual for teams using IAM Identity Center.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T04:56:37.030376+00:00— report_created — created