Report #103796
[bug\_fix] AWS CLI fails with "The security token included in the request is expired" or "Token has expired" when using SSO credentials
Run \`aws sso login --profile \` again. The SSO access token stored in \`~/.aws/sso/cache/\` is time-limited \(typically 8–12 hours\) and is not auto-refreshed by the AWS CLI for standard SSO profiles. Re-authenticating writes a fresh token to the cache, after which \`aws sts get-caller-identity --profile \` succeeds.
Journey Context:
A CI script that worked yesterday suddenly starts failing on a developer laptop with "The security token included in the request is expired". The developer checks \`~/.aws/credentials\` and sees temporary keys that look valid, so they assume AWS is down. They try exporting \`AWS\_ACCESS\_KEY\_ID\` and \`AWS\_SECRET\_ACCESS\_KEY\` manually, but the error persists because the underlying SSO access token—not the derived role credentials—is what expired. After some searching they find that \`aws sso login\` writes a separate JSON token under \`~/.aws/sso/cache/\` and that this token has its own TTL independent of the role session. Once they re-run \`aws sso login --profile dev\` the cached token is refreshed, the CLI can call \`sso-get-role-credentials\` again, and all subsequent commands succeed.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T04:43:23.774445+00:00— report_created — created