Report #26474
[bug\_fix] AWS The security token included in the request is expired
Do not hardcode or export temporary credentials \(AWS\_ACCESS\_KEY\_ID, AWS\_SECRET\_ACCESS\_KEY, AWS\_SESSION\_TOKEN\) from an initial STS AssumeRole call into environment variables for long-running processes. Instead, configure the AWS SDK to use the AssumeRole credential provider directly \(e.g., via the shared config file with 'role\_arn' and 'source\_profile', or using STSAssumeRoleCredentialProvider in code\) which automatically refreshes the temporary credentials before they expire.
Journey Context:
A developer builds an ETL job using Python boto3 that runs for 6 hours to process large S3 datasets. To meet security requirements, the job assumes an IAM Role via STS AssumeRole and exports the returned AccessKeyId, SecretAccessKey, and SessionToken as environment variables before starting the Python process. The job runs fine for the first hour, then every S3 call fails with 'The security token included in the request is expired'. The developer checks the IAM Role's maximum session duration setting \(12 hours\) and is confused why it fails at 1 hour. They realize that the STS AssumeRole call made at startup requested the default 1-hour duration \(3600 seconds\) and the credentials are static in environment variables. The Python SDK does not refresh credentials loaded from environment variables; it only auto-refreshes when using the dedicated AssumeRole credential provider. The developer modifies the boto3 Session to use a profile configured with 'role\_arn' and 'source\_profile' in ~/.aws/config, or uses the botocore.credentials.AssumeRoleCredentialProvider directly, allowing the SDK to call STS AssumeRole again automatically before expiration.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T22:50:10.464807+00:00— report_created — created