Report #102994
[bug\_fix] AWS ExpiredTokenException: The security token included in the request is expired
Stop caching temporary credentials in environment variables and let the AWS SDK use the default credential provider chain. On EC2/ECS/EKS use an IAM role or IRSA so the SDK calls the metadata service and refreshes tokens before they expire. For manually assumed roles, re-assume before expiry or configure an AWS CLI/SDK profile with source\_profile \+ role\_arn so the SDK refreshes automatically.
Journey Context:
A long-running EKS data-pipeline pod started failing every few hours with ExpiredTokenException on SQS ReceiveMessage. The pod used kube2iam and aws-java-sdk-core's InstanceProfileCredentialsProvider, which should refresh automatically. The team first suspected clock skew, then a kube2iam bug. After enabling SDK debug logging they saw the provider was not being consulted; instead static AWS\_ACCESS\_KEY\_ID, AWS\_SECRET\_ACCESS\_KEY, and AWS\_SESSION\_TOKEN values were in the process environment. An init container had curled those from the EC2 instance metadata endpoint at startup and exported them. Because environment variables rank first in the AWS default credential provider chain, the SDK kept using those expired values instead of returning to IMDS for fresh ones. Once the init script stopped exporting the keys and the pod relied on the instance role directly, the SDK began refreshing credentials and the errors stopped.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T04:49:55.564284+00:00— report_created — created