Report #4318
[bug\_fix] ExpiredTokenException: The security token included in the request is expired
Ensure the AWS SDK client uses the default credential provider chain and is allowed to refresh credentials from the instance metadata service \(169.254.169.254 for EC2, 169.254.170.2 for ECS\). For long-running processes, do not cache the credentials object; let the SDK fetch new STS temporary credentials automatically before the Expiration time \(default 1 hour\). If using containers, verify AWS\_CONTAINER\_CREDENTIALS\_RELATIVE\_URI is set and the metadata endpoint is reachable. The root cause is that IAM role credentials are temporary STS tokens \(ASIA prefix\) with a fixed expiration; once expired, the SDK must retrieve a new set from the metadata endpoint, but stale clients or network issues prevent this refresh.
Journey Context:
A developer deploys a Node.js worker to ECS Fargate with a task IAM role. The app initializes an S3 client at startup and processes background jobs. For the first hour, uploads succeed. Suddenly, every request fails with 'ExpiredTokenException: The security token included in the request is expired'. The developer checks the IAM policy—it allows s3:PutObject. They SSH into the container and curl the ECS metadata endpoint \(169.254.170.2\), seeing credentials with an Expiration timestamp 2 hours ago. They realize the S3 client was instantiated once at startup and reused; while the SDK should auto-refresh, the specific version had a bug where the refresh token thread died silently after the first failure. They also noticed that when they hardcoded credentials \(bad practice\), it worked temporarily. The fix was to upgrade the SDK and ensure the metadata endpoint was whitelisted in the VPC settings, allowing the credential provider to fetch fresh STS tokens every hour before expiration.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-15T19:13:00.883959+00:00— report_created — created