Running aws s3 ls or kubectl commands against EKS started throwing: ExpiredTokenException: The security token included in the request is expired. Everything was working fine an hour ago.
Root cause:
AWS STS assumed-role credentials expire after 1 hour by default (max 12 hours if the IAM role allows it). Once the token in ~/.aws/credentials or the shell environment expires, every AWS API call fails until you re-authenticate.
Fix:
If using AWS SSO:
aws sso login --profile my-profile
export AWS_PROFILE=my-profileIf using assume-role directly:
# Re-assume the role
CREDS=$(aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/MyRole \
--role-session-name refresh-session \
--query 'Credentials' --output json)
export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r '.SessionToken')Add a helper to ~/.bashrc for quick re-auth:
function aws-refresh() {
aws sso login --profile ${AWS_PROFILE:-default}
echo "AWS credentials refreshed."
}Lesson: STS tokens are short-lived by design — build a one-command refresh into your workflow so expired tokens don't break your morning deploys.