AWS ExpiredToken - Expired Token
An **ExpiredToken** error means the temporary AWS credentials you presented (access key ID, secret access key and session token) have passed their expiration time. Temporary credentials issued by STS, whether from an AssumeRole call, an IAM role session or another STS operation, are valid for a fixed period: 1 hour by default and at most 12 hours. The error is a client-side (4xx) response returned when AWS checks the expiration timestamp bound to the credentials. It appears most often when a 1-hour session runs out, but an expired session token, an expired STS token and an expired IAM role session all produce the same error.
Common Causes
- Identity: temporary credentials expired; IAM role session expired; STS assume-role session expired.
- Network: session token expired; VPC endpoint token expired.
- Limits: STS token expiration time passed; token expiration time reached. Default expiration is 1 hour (maximum 12 hours).
Solutions
1. Diagnose - Check token expiration: run `aws sts get-caller-identity`. If it returns ExpiredToken, the credentials have expired. Check when the credentials were obtained and compare against their expiration time.
2. Diagnose - Check credential type: run `aws configure list`. Verify whether you are using temporary credentials (a session token is present). Check whether you are using an IAM role, which refreshes automatically on EC2.
3. Diagnose - Review the credential source: if the credentials came from STS assume-role, check their expiration. If they came from an EC2 instance profile, they should refresh automatically. Lambda functions use the execution role, which is also refreshed automatically.
4. Fix - Refresh temporary credentials: for STS, run `aws sts assume-role --role-arn ROLE_ARN --role-session-name SESSION_NAME`. Update the stored credentials, for example `aws configure set aws_session_token NEW_TOKEN`; note that a new assume-role call returns a new access key ID and secret access key as well, so all three values must be updated together.
5. Fix - Implement automatic token refresh: on EC2 the instance profile refreshes automatically, and for Lambda the execution role refreshes automatically. For the CLI, refresh manually or call assume-role with a longer `--duration-seconds` (up to 12 hours, within the maximum session duration configured on the role).
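The steps above check expiration after the fact; the more useful pattern is to read the Expiration timestamp that STS returns and refresh before it is reached. The following script is an added example, not code from the original page or from AWS. It assumes GNU `date` (Linux), `jq` and the AWS CLI; `ROLE_ARN` is a placeholder, and storing the expiration under a custom `expiration` key in the CLI profile is this example's own convention.

```bash
#!/bin/bash
# Added example (not from the original page): decide from an STS Expiration
# timestamp whether credentials must be refreshed, and refresh them into a
# named CLI profile before they expire rather than after an ExpiredToken error.
# Assumes GNU date (Linux), jq and the AWS CLI; ROLE_ARN below is a placeholder.

# Seconds from now until the ISO-8601 timestamp in $1; negative once expired.
# Returns status 2 if the timestamp cannot be parsed.
seconds_until_expiry() {
    local expiry_epoch now_epoch
    expiry_epoch=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    now_epoch=$(date -u +%s)
    echo $(( expiry_epoch - now_epoch ))
}

# True (status 0) when fewer than $2 seconds (default 300) remain before $1.
# The margin avoids requests that fail because the token expires between
# the check and the call.
needs_refresh() {
    local remaining
    remaining=$(seconds_until_expiry "$1") || return 2
    [ "$remaining" -lt "${2:-300}" ]
}

# Assume ROLE_ARN and store the result under CLI profile $1 (default "refreshed"),
# using the long-lived credentials in profile $2 (default "default") as source.
# All three credential values change together, so all three are written.
refresh_role_credentials() {
    local target="${1:-refreshed}" source="${2:-default}" creds
    creds=$(aws sts assume-role \
        --profile "${source}" \
        --role-arn "${ROLE_ARN}" \
        --role-session-name "refresh-$(date +%s)" \
        --duration-seconds 3600 \
        --query 'Credentials' --output json) || return 1
    aws configure set --profile "${target}" aws_access_key_id     "$(echo "${creds}" | jq -r '.AccessKeyId')"
    aws configure set --profile "${target}" aws_secret_access_key "$(echo "${creds}" | jq -r '.SecretAccessKey')"
    aws configure set --profile "${target}" aws_session_token     "$(echo "${creds}" | jq -r '.SessionToken')"
    # Custom key (this example's convention) so the next run can check expiry
    aws configure set --profile "${target}" expiration "$(echo "${creds}" | jq -r '.Expiration')"
}

# Refresh profile $1 only when its stored expiration is inside the margin.
# Suitable for cron or as a pre-step before long-running jobs.
refresh_profile_if_needed() {
    local profile="${1:-refreshed}" expiration
    expiration=$(aws configure get --profile "${profile}" expiration 2>/dev/null)
    if [ -z "${expiration}" ] || needs_refresh "${expiration}" 300; then
        echo "Refreshing credentials for profile ${profile}"
        refresh_role_credentials "${profile}"
    else
        echo "Profile ${profile} still valid for $(seconds_until_expiry "${expiration}")s"
    fi
}

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/MyRole}" # placeholder, replace

# Constructed sample Expiration value in the format STS returns, so the
# check itself can be demonstrated offline without calling AWS.
SAMPLE_EXPIRED="2000-01-01T00:00:00+00:00"
if needs_refresh "${SAMPLE_EXPIRED}" 300; then
    echo "${SAMPLE_EXPIRED}: expired $(( 0 - $(seconds_until_expiry "${SAMPLE_EXPIRED}") ))s ago, refresh needed"
fi
```

Run `refresh_profile_if_needed refreshed` from a cron entry (for example every 15 minutes) and point tools at `--profile refreshed`; the 300-second margin means a job that starts just before expiry still gets credentials that outlive the check, and because the refresh happens only when needed, the script does not generate a new role session on every invocation.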
Code Examples
Check Token Expiration and Refresh Credentials
```bash
#!/bin/bash
# Check the current credentials; if they have expired, obtain a fresh set
# with sts:AssumeRole. Run this with `source` so the exported variables
# reach your interactive shell rather than a child process.
echo "=== Checking Current Credentials ==="
if ! aws sts get-caller-identity 2>&1; then
    echo "✗ Credentials expired or invalid (ExpiredToken)"
    printf '\n=== Refreshing Credentials ===\n'

    # Refresh using assume role
    ROLE_ARN="arn:aws:iam::123456789012:role/MyRole" # Replace with your role
    SESSION_NAME="session-$(date +%s)"

    # assume-role itself needs valid source credentials (for example a
    # long-lived IAM user profile); add --profile if yours are not the default.
    CREDS=$(aws sts assume-role \
        --role-arn "${ROLE_ARN}" \
        --role-session-name "${SESSION_NAME}" \
        --duration-seconds 3600 \
        --query 'Credentials' \
        --output json) || { echo "✗ assume-role failed"; return 1 2>/dev/null || exit 1; }

    # Update credentials: all three values change together
    export AWS_ACCESS_KEY_ID=$(echo "${CREDS}" | jq -r '.AccessKeyId')
    export AWS_SECRET_ACCESS_KEY=$(echo "${CREDS}" | jq -r '.SecretAccessKey')
    export AWS_SESSION_TOKEN=$(echo "${CREDS}" | jq -r '.SessionToken')
    EXPIRATION=$(echo "${CREDS}" | jq -r '.Expiration')

    echo "✓ Credentials refreshed"
    echo "Expires at: ${EXPIRATION}"

    # Verify new credentials
    printf '\n=== Verifying New Credentials ===\n'
    aws sts get-caller-identity
else
    echo "✓ Credentials are valid"
fi
```
Refresh IAM Role Session (EC2/Lambda)
```bash
#!/bin/bash
# On EC2, instance profile credentials are served by the instance metadata
# service (IMDS) and refreshed automatically before they expire.
echo "=== Checking if on EC2 ==="
# IMDSv2: obtain a session token first. --max-time keeps the check from
# hanging off EC2, where 169.254.169.254 is unreachable.
IMDS_TOKEN=$(curl -s --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60" 2>/dev/null)
INSTANCE_ID=""
if [ -n "${IMDS_TOKEN}" ]; then
    INSTANCE_ID=$(curl -s --max-time 2 -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" \
        http://169.254.169.254/latest/meta-data/instance-id 2>/dev/null)
fi

if [ -n "${INSTANCE_ID}" ]; then
    echo "Running on EC2 instance: ${INSTANCE_ID}"
    echo "Instance profile credentials auto-refresh"

    # Get current credentials
    printf '\n=== Current Credentials ===\n'
    aws sts get-caller-identity --output table

    # Credentials automatically refresh via instance metadata
    printf '\n=== Note ===\n'
    echo "EC2 instance profile credentials refresh automatically"
    echo "No manual refresh needed"
else
    echo "Not on EC2 (or IMDSv2 unavailable) - using configured credentials"
    echo "For Lambda, execution role credentials auto-refresh"
    echo "For CLI, refresh manually using assume-role"
fi
```
Provider Information
This error code is specific to AWS services. For more information, refer to the official AWS documentation.