Report #88105
[bug\_fix] ExpiredTokenException when using chained assume\_role profiles with AWS SSO source credentials
Re-run \`aws sso login\` to refresh the source profile's SSO token, or configure the \`source\_profile\` to use long-term credentials \(not recommended\), or ensure the \`duration\_seconds\` of the assumed role is shorter than the remaining lifetime of the source SSO session. The root cause is that the \`assume\_role\` provider uses the source profile's credentials to call \`sts:AssumeRole\`; when the source is an SSO session that expired, the AssumeRole API call itself fails with \`ExpiredTokenException\` because the parent credentials are invalid.
Journey Context:
Developer configures a profile \`\[prod\]\` with \`role\_arn = arn:aws:iam::PROD:role/DeployRole\` and \`source\_profile = sso-dev\`. \`sso-dev\` is configured with \`sso\_start\_url\` and \`sso\_region\`. Initially, everything works. After 8 hours, all calls using \`prod\` profile fail with \`ExpiredTokenException\`. Developer checks the IAM Role trust policy \(valid\) and the \`source\_profile\`. Realizes that while the \`assume\_role\` configuration is correct, the \`sts:AssumeRole\` API call is made using the credentials from \`sso-dev\`. Since the SSO token for \`sso-dev\` has expired, the temporary credentials derived from it are dead, so the AssumeRole call fails. The SDK cannot auto-refresh because the refresh requires a valid SSO token, not just an AWS session token. Developer runs \`aws sso login --sso-session \` to refresh the cache, and the \`prod\` profile works again.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T06:28:10.246470+00:00— report_created — created