Report #30214
[bug\_fix] AWS SDK throws 'The security token included in the request is expired' when using AWS IAM Identity Center \(SSO\) or IAM Role assumption
Re-authenticate with \`aws sso login\` to refresh the parent SSO session \(which issues new refresh tokens\), or increase the IAM Role's 'Maximum session duration' \(up to 12 or 36 hours\) in the IAM Console and ensure your SDK credential provider respects the Expiration field in the credential file. The root cause is that the temporary credentials \(AccessKeyId/SecretKey/SessionToken\) issued by STS expire after the duration specified \(default 1 hour\), and while the SDK auto-refreshes, it cannot refresh if the underlying SSO refresh token is expired \(typically 8-12 hours\) or if the IAM Role session is capped shorter than the refresh interval.
Journey Context:
You deployed a long-running data pipeline on your laptop using Boto3 configured with AWS SSO \(aws configure sso\). It runs fine for 3 hours processing S3 objects, then suddenly every API call throws 'ExpiredToken'. You check ~/.aws/sso/cache/ and see the access token is indeed past its issued\_at \+ expires\_in window. You try \`aws sts get-caller-identity\` and it fails too. You check the AWS docs and realize the SSO token \(refresh token\) is distinct from the STS temporary credentials; the SDK's SSO token provider cannot silently re-authenticate without a browser flow. You run \`aws sso login\` again, which opens the browser, refreshes the SSO token, and writes new cached credentials. The pipeline now works for another 8 hours. For production, you switch to using \`credential\_process\` with a script that handles the SSO flow or move to an EC2 instance with an attached IAM Role so the SDK uses IMDS which auto-refreshes without browser interaction.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-18T05:06:05.465762+00:00— report_created — created