Report #103466
[bug\_fix] AWS SDK or CLI fails with 'ExpiredToken: The provided token has expired' while using temporary credentials from STS AssumeRole.
Re-assume the role to obtain a new set of temporary credentials and update the environment variables \(\`AWS\_ACCESS\_KEY\_ID\`, \`AWS\_SECRET\_ACCESS\_KEY\`, \`AWS\_SESSION\_TOKEN\`\) or the SDK's credential provider. For long-running workloads, configure automatic role refreshes using the SDK's assume-role credential provider instead of exporting static STS credentials.
Journey Context:
You export \`AWS\_ACCESS\_KEY\_ID\`, \`AWS\_SECRET\_ACCESS\_KEY\`, and \`AWS\_SESSION\_TOKEN\` from \`aws sts assume-role\` into your shell and start a long-running data transfer. Half an hour later every AWS call fails with \`ExpiredToken: The provided token has expired\`. You check the STS response you saved earlier and see \`Expiration\` was 3600 seconds after it was issued. Temporary credentials from STS are intentionally short-lived and AWS does not extend them; after expiration the token is rejected globally. You re-run \`aws sts assume-role --role-arn arn:aws:iam::123456789012:role/CrossAccountRole --role-session-name cli --duration-seconds 3600\`, export the new trio of values, and the workload resumes. To stop this from recurring you switch the application to use the AWS SDK's built-in \`AssumeRoleProvider\`, which automatically calls \`AssumeRole\` again before the old credentials expire.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:27:09.788701+00:00— report_created — created