Report #47564
[bug_fix] Token has expired and refresh failed: SSO token has expired
Re-run `aws sso login` to refresh the AWS SSO refresh token, which lets the CLI/SDK obtain new temporary credentials from STS. For long-running applications, implement a credential provider that catches the ExpiredToken exception and triggers the SSO login flow, or switch to IAM Roles for Service Accounts (IRSA) on EKS or EC2 Instance Profiles, which handle refresh automatically.
Root cause: The temporary STS credentials obtained via AWS SSO (IAM Identity Center) expired (default 1-12 hours depending on configuration), and the SDK could not refresh them because the parent SSO refresh token had also expired or the cached credentials were invalid.
Journey Context:
Developer configures the AWS CLI with SSO (`aws configure sso`) and logs in with `aws sso login`. They write a Node.js service that runs for hours processing SQS messages. Initially it works. After 8 hours the service crashes with 'ExpiredToken: The security token included in the request is expired'. The developer checks `~/.aws/sso/cache/` and sees the JSON token file. They realize that while the SSO token is valid for 12 hours, the temporary credentials cached in `~/.aws/cli/cache/` (the actual AKIA keys) expire after 1 hour by default. The SDK should refresh these automatically by calling STS again using the SSO token, but if the SDK was initialized with static credentials from environment variables copied from the cache, or if the SSO login session itself expired, the refresh fails. The developer re-runs `aws sso login`, restarts the service, and implements a wrapper that handles the refresh by re-invoking the credential process.
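As an added example (not code from the report or from AWS), a refreshing credential-provider wrapper of the kind the journey describes, for a long-running Node.js service. `fetchCredentials` and `onSessionExpired` are hypothetical injected functions: the first reads the SSO cache and calls STS (in a real service, `fromSSO()` from `@aws-sdk/credential-providers` plays that role), the second re-runs the SSO login flow when the refresh token itself is gone. Credentials without an `expiration` (static keys copied from the cache) are rejected, since they can never be refreshed.

```javascript
// Added example, not from the report. A credential provider for AWS SDK v3
// clients is an async function returning { accessKeyId, secretAccessKey,
// sessionToken, expiration }. This wrapper caches that result, refreshes it
// shortly before expiry, de-duplicates concurrent refreshes, and handles the
// case where the SSO session itself has expired.
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry

// Hypothetical shape of the error surfaced by the SDK / credential process.
function isExpiredTokenError(err) {
  const name = err && (err.name || err.Code || err.code);
  return name === 'ExpiredToken' || name === 'ExpiredTokenException';
}

// fetchCredentials: hypothetical async fn -> credentials from SSO cache + STS
// onSessionExpired: hypothetical async fn -> re-run the SSO login flow
// now: clock injected for testing (defaults to Date.now)
function makeRefreshingProvider(fetchCredentials, onSessionExpired, now = () => Date.now()) {
  let cached = null;   // last good credentials
  let inflight = null; // pending refresh shared by concurrent callers

  const isFresh = (creds) => creds.expiration.getTime() - now() > REFRESH_MARGIN_MS;

  async function refresh() {
    let creds;
    try {
      creds = await fetchCredentials();
    } catch (err) {
      // The SSO refresh token is gone: STS cannot mint new temporary keys
      // until the login flow has run again.
      if (!isExpiredTokenError(err)) throw err;
      await onSessionExpired();
      creds = await fetchCredentials();
    }
    if (!(creds.expiration instanceof Date)) {
      // Static keys (e.g. copied from ~/.aws/cli/cache into env vars) carry
      // no expiry and can never be refreshed; fail loudly instead of looping.
      throw new Error('credentials have no expiration and cannot be refreshed; use an SSO profile');
    }
    return creds;
  }

  return async function provider() {
    if (cached && isFresh(cached)) return cached;
    if (!inflight) {
      inflight = refresh()
        .then((creds) => { cached = creds; return creds; })
        .finally(() => { inflight = null; });
    }
    return inflight;
  };
}
```

Pass the returned `provider` as the `credentials` option of an SDK v3 client; the SDK calls it before each request.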
Lifecycle
2026-06-19T10:18:47.884584+00:00 — report_created — created