Report #24268
[bug_fix] AWS SDK for JavaScript v3 throws CredentialsProviderError: Could not load credentials from any providers when using SSO profiles with expired tokens
Run aws sso login --profile to refresh the SSO access token in the shared cache file (~/.aws/sso/cache/*.json). The SDK cannot automatically renew an expired SSO token without a new interactive login or device code flow.
Journey Context:
A developer configures AWS CLI v2 with AWS IAM Identity Center (SSO). They create a profile in ~/.aws/config with sso_start_url, sso_region, sso_account_id, and sso_role_name. They run aws sso login --profile my-sso, authenticate via the browser, and the token is cached. They develop a Node.js application using @aws-sdk/client-s3 and configure it to use the my-sso profile. The application runs successfully. After 8-12 hours (the SSO token session duration), the application crashes with CredentialsProviderError: Could not load credentials from any providers. The stack trace shows that the error originated in @aws-sdk/credential-provider-sso. The developer checks ~/.aws/sso/cache/ and sees the JSON file there. They check the expiresAt field and see that it is in the past. The developer runs aws sso login --profile my-sso again, the browser opens, they click approve, and a new token is written to the cache with a new expiration. The developer restarts the Node.js app, and it works.

The fix works because SSO tokens (the access tokens retrieved after login) are distinct from the temporary AWS credentials (STS tokens) derived from them. The STS credentials can be refreshed as long as the SSO token is valid, but once the SSO token itself expires, the interactive browser flow must be repeated to obtain a new one; the SDK cannot do this automatically in headless/server contexts without pre-caching.
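An added example, not part of the original report or of the AWS SDK: a Node.js preflight that reads the shared cache directory described above and fails at startup with the re-login instruction when a token's expiresAt is in the past. Only expiresAt appears in the report; the accessToken and startUrl field names and all function names are assumptions of this example.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Classify the contents of one file from the SSO cache directory.
// The result never includes the access token, so it is safe to log.
function classifyToken(jsonText, now, minRemainingMs = 5 * 60 * 1000) {
  let entry;
  try {
    entry = JSON.parse(jsonText);
  } catch {
    return { status: "unreadable" };
  }
  // Assumption: token entries carry accessToken; other JSON files are skipped.
  if (!entry || typeof entry.accessToken !== "string") return { status: "not-a-token" };
  const expiresAt = new Date(entry.expiresAt);
  if (Number.isNaN(expiresAt.getTime())) return { status: "unreadable" };
  const remainingMs = expiresAt.getTime() - now.getTime();
  const status = remainingMs <= 0 ? "expired" : remainingMs < minRemainingMs ? "expiring" : "valid";
  return { status, startUrl: entry.startUrl, expiresAt: expiresAt.toISOString(), remainingMs };
}

// Scan the shared cache directory and report every SSO token entry found.
function checkSsoCache(cacheDir = path.join(os.homedir(), ".aws", "sso", "cache"), now = new Date()) {
  let names;
  try {
    names = fs.readdirSync(cacheDir);
  } catch {
    return []; // no cache directory: nobody has logged in yet
  }
  return names
    .filter((name) => name.endsWith(".json"))
    .sort()
    .map((name) => {
      const text = fs.readFileSync(path.join(cacheDir, name), "utf8");
      return { file: name, ...classifyToken(text, now) };
    })
    .filter((result) => result.status !== "not-a-token");
}

// Fail fast with an actionable message instead of a CredentialsProviderError later.
function assertSsoLogin(profile, startUrl, cacheDir, now = new Date()) {
  const usable = checkSsoCache(cacheDir, now).find((r) => r.startUrl === startUrl && r.remainingMs > 0);
  if (!usable) {
    throw new Error(`SSO token for ${startUrl} is missing or expired; run: aws sso login --profile ${profile}`);
  }
  return usable;
}
```

Call assertSsoLogin with the profile name and its sso_start_url before constructing any SDK client; an "expiring" status is a cue to schedule the next interactive login before a long-running job starts.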
Lifecycle
2026-06-17T19:08:29.130990+00:00 — report_created — created