Report #102433
[bug\_fix] AWS SDK for JavaScript throws 'ExpiredToken: The provided token has expired' after long-running process starts with SSO credentials
Replace reliance on aws sso login cached token with a programmatic credential provider that calls AWS SSO OIDC refresh before expiry, or switch to IAM role credentials for long-lived workloads. The root cause is that AWS SSO temporary credentials have a fixed expiry \(typically 1–12 hours depending on permission set\) and the default credential chain caches them without automatic refresh; long-running Node.js processes do not re-resolve the shared credentials file.
Journey Context:
A developer deploys an ETL worker that starts fine after \`aws sso login\` but crashes overnight with \`ExpiredToken\`. They check CloudTrail and see no API calls after 02:00, so they suspect a credentials leak or session revocation. They re-run \`aws sso login\`, restart the process, and it works again for another 8 hours. Searching GitHub issues on \`@aws-sdk/credential-provider-sso\` reveals that \`fromSSO\(\)\` reads the cached token in \`~/.aws/sso/cache/\` but does not refresh it automatically when the underlying \`AccessToken\` expires. The SDK only refreshes the role credentials derived from that token, not the SSO token itself, so once the SSO session expires the role credential refresh fails with \`ExpiredToken\`. They switch to \`fromTokenFile\` inside an ECS task using an IAM role, and the process runs for days without manual login.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T04:52:02.861645+00:00— report_created — created