🎉 DevOps Interview Prep Bundle is live — 1000+ Q&A across 20 topicsGet it →
All Fixes
Today I Fixed

AWS CLI failing with ExpiredTokenException on assumed-role credentials

awsJun 29, 20265 minutes to fixawstroubleshooting

Running aws s3 ls or kubectl commands against EKS started throwing: ExpiredTokenException: The security token included in the request is expired. Everything was working fine an hour ago.

Root cause: AWS STS assumed-role credentials expire after 1 hour by default (max 12 hours if the IAM role allows it). Once the token in ~/.aws/credentials or the shell environment expires, every AWS API call fails until you re-authenticate.

Fix:

If using AWS SSO:

bash
aws sso login --profile my-profile
export AWS_PROFILE=my-profile

If using assume-role directly:

bash
# Re-assume the role
CREDS=$(aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/MyRole \
  --role-session-name refresh-session \
  --query 'Credentials' --output json)
 
export AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r '.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r '.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo $CREDS | jq -r '.SessionToken')

Add a helper to ~/.bashrc for quick re-auth:

bash
function aws-refresh() {
  aws sso login --profile ${AWS_PROFILE:-default}
  echo "AWS credentials refreshed."
}

Lesson: STS tokens are short-lived by design — build a one-command refresh into your workflow so expired tokens don't break your morning deploys.