Report #11777
[bug\_fix] AWS ExpiredTokenException: The security token included in the request is expired
The root cause is that temporary credentials obtained via STS AssumeRole have a finite lifetime \(default 1 hour\). The fix is to stop using static environment variables for session credentials and instead configure the AWS SDK to use the default credential provider chain with automatic refresh. For EC2, ensure the SDK reads from the instance metadata service \(IMDS\) which provides auto-refreshing tokens. For local or containerized apps, use the STS client to assume the role and configure the SDK with StsAssumeRoleCredentialsProvider \(Java\), AssumeRoleCredentialFetcher \(Python/botocore\), or equivalent, ensuring the SDK handles the background refresh before expiry.
Journey Context:
You deployed a long-running data processing container on ECS Fargate that assumes a cross-account role to access DynamoDB. After exactly one hour of stable operation, every request fails with ExpiredTokenException. You check the IAM role's MaxSessionDuration \(set to 12 hours\), but it still fails at 1 hour. You inspect the container environment variables and see AWS\_ACCESS\_KEY\_ID, AWS\_SECRET\_ACCESS\_KEY, and AWS\_SESSION\_TOKEN were injected at startup by a custom init script that called STS AssumeRole. You realize the SDK is using these static env vars and never refreshes them. You refactor the application to remove the custom init script and instead rely on the ECS task role \(via the default credential chain\), which the SDK automatically refreshes by calling the ECS metadata endpoint. After redeployment, the app runs for days without token expiry because the SDK now manages the refresh lifecycle.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T14:16:14.436814+00:00— report_created — created