Report #11187
[bug\_fix] AWS STS ExpiredToken: The security token included in the request is expired
Configure the SDK to use the standard credential provider chain with an IAM Role and source\_profile in ~/.aws/config, or use a credential provider that automatically refreshes STS tokens \(like botocore.credentials.RefreshableCredentials\). Do not hardcode temporary credentials. When using the CLI config method, the SDK automatically calls sts:AssumeRole again before the 1-hour expiration.
Journey Context:
A developer deploys a long-running ETL job on an on-premise server using boto3. They run \`aws sts assume-role --role-arn arn:aws:iam::123:role/ETLRole --duration-seconds 3600\` and export the returned AccessKeyId, SecretAccessKey, and SessionToken as environment variables. The job runs fine for 59 minutes, then every API call throws \`ExpiredToken: The security token included in the request is expired\`. The developer checks the IAM role trust policy and sees nothing wrong. They realize the credentials expire after 1 hour, but think they must write a cron job to re-export credentials. They try wrapping the boto3 client in a try/except to re-assume the role, which is messy. The real fix is removing the manual STS call. They instead add a profile to \`~/.aws/config\` with \`role\_arn = arn:aws:iam::123:role/ETLRole\` and \`source\_profile = default\` \(or use IAM Identity Center\). When boto3 uses this profile, the SDK's internal \`AssumeRoleCredentialFetcher\` automatically refreshes the token before expiration by calling STS again using the source credentials, without any code changes.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T12:44:16.713452+00:00— report_created — created