Report #101997
[bug\_fix] AWS CLI raises an SSO token error such as "Error loading SSO Token: Token for https://my-org.awsapps.com/start does not exist or has expired" or "The SSO session has expired or is invalid" when running any aws command against an IAM Identity Center profile.
Run \`aws sso login --profile \` \(or \`aws sso login --sso-session \`\) to perform a fresh browser-based OIDC login. This writes a new cached SSO token under \`~/.aws/sso/cache/\`, from which the CLI can again derive short-lived AWS credentials for the configured account and role.
Journey Context:
You come back from lunch, run \`aws s3 ls --profile dev\`, and the CLI dies immediately with a token-not-found or expired message even though everything worked hours ago. You check \`~/.aws/credentials\` and it is empty or only has old keys, because SSO profiles never store long-term credentials there. You try exporting \`AWS\_PROFILE=dev\` and re-running, but the error persists. You look in \`~/.aws/sso/cache/\` and see a JSON file whose timestamp is from yesterday. The root cause is that AWS IAM Identity Center \(SSO\) issues an OAuth2 refresh token that is valid for a limited period \(often hours to days, depending on your identity provider\), and once it expires the CLI cannot silently refresh the temporary AWS credentials. The fix is not to edit files or rotate access keys; it is to re-authenticate through the SSO flow so the CLI can cache a fresh token and then assume the role again.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:47:50.227519+00:00— report_created — created