[BUG] `"awsAuthRefresh":` setting causes constant repeated auth attempts

Resolved 💬 24 comments Opened Nov 26, 2025 by timfallmk Closed Apr 27, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When opening Claude, if an AWS token refresh command is present in ~/.claude/settings.json at "awsAuthRefresh", claude will loop asking for a new auth token (and prompting a browser open) every few seconds. Passing the login challenge (or denying it) does not stop the loop.

A user cannot get past this point.

Example ~/.claude/settings.json snippet:

{
   "awsAuthRefresh": "aws sso login --profile <profile>",
   "env": {
     "AWS_PROFILE": "<profile>",
     "AWS_REGION": "us-west-2",
     "CLAUDE_CODE_MAX_OUTPUT_TOKENS": "16384",
     "CLAUDE_CODE_USE_BEDROCK": "1",
     "DISABLE_AUTOUPDATER": "1"
   },

What Should Happen?

Claude should successful launch, check if the current auth token is valid and run auth _once_ if necessary to get a valid token. It should then be ready to accept messages after that.

Error Messages/Logs

Steps to Reproduce

  1. Set an "awsAuthRefresh": command in ~/.claude/settings.json
  2. Launch Claude Code

Claude Model

Sonnet (default)

Is this a regression?

Yes, this worked in a previous version

Last Working Version

2.0.52

Claude Code Version

2.0.53

Platform

AWS Bedrock

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

This regression appears to have been introduced in 2.0.53. It does not happen prior to this version.
Note: This is possibly related to #10594

View original on GitHub ↗

24 Comments

github-actions[bot] · 7 months ago

Found 3 possible duplicate issues:

  1. https://github.com/anthropics/claude-code/issues/9027
  2. https://github.com/anthropics/claude-code/issues/10594
  3. https://github.com/anthropics/claude-code/issues/9473

This issue will be automatically closed as a duplicate in 3 days.

  • If your issue is a duplicate, please close it and 👍 the existing issue instead
  • To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

timfallmk · 7 months ago

Possible regression of #9027 although possibly unrelated.

timfallmk · 7 months ago

This appears to be fixed in 2.0.56

timfallmk · 7 months ago

Reopening as it was not fixed in 2.0.56

jhigginbottom · 7 months ago

Is there a fix or workaround for this???

sagarrth · 6 months ago

Still happening on 2.0.76. Is there any solution for this?

MWatter · 6 months ago

Hate to be a "me too", but this is breaking the flow for dozens of people here at my org.

chodges15 · 6 months ago

Still seeing this issue in 2.1.2 and also causing issues for many in my org

segabor · 6 months ago

Still broken in v2.1.7. Claude Code keeps opening AWS login pages in every 2 seconds.

MarioPires · 5 months ago

I was hitting this problem until I noticed the role name was not the same as the one I had access to in AWS.

so, double check the values - account number, role name, and IAM configs.

edit: actually, nevermind.. it came back when I prompted something..

edit2: changed to Administrator role and it's working now, then I realized the account did not have the necessary IAM configuration set!

https://code.claude.com/docs/en/amazon-bedrock?search=autoUpdatesChannel#iam-configuration

timfallmk · 5 months ago
edit2: changed to Administrator role and it's working now, then I realized the account did not have the necessary IAM configuration set! https://code.claude.com/docs/en/amazon-bedrock?search=autoUpdatesChannel#iam-configuration

Updated our IAM policy to match what the documentation says exactly and we're still getting the loop.

gergely-halacsy · 5 months ago

Still seeing this as of v2.1.23 Very annoying!

bradam12 · 5 months ago

Noticed in debug logs (~/.claude/debug/latest) that it was looping on AWS login. We have a corporate VPN that MITM's our SSL traffic.

Running with env var NODE_TLS_REJECT_UNAUTHORIZED=0 solved my issue.

2026-01-29T18:33:13.970Z [DEBUG] [API:request] Creating client, ANTHROPIC_CUSTOM_HEADERS present: false, has Authorization header: false
2026-01-29T18:33:13.970Z [DEBUG] [API:auth] OAuth token check starting
2026-01-29T18:33:13.970Z [DEBUG] [API:auth] OAuth token check complete
2026-01-29T18:33:13.971Z [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2026-01-29T18:33:14.039Z [DEBUG] Running AWS auth refresh command
2026-01-29T18:33:14.434Z [DEBUG] Attempting to open your default browser.
If the browser does not open, open the following URL:

https://oidc.us-east-1.amazonaws.com/<redacted>
2026-01-29T18:33:15.587Z [DEBUG] Successfully logged into Start URL: https://<redacted>
2026-01-29T18:33:15.645Z [DEBUG] AWS auth refresh completed successfully
2026-01-29T18:33:15.645Z [DEBUG] Clearing AWS credential provider cache
2026-01-29T18:33:15.698Z [DEBUG] Failed to clear AWS credential cache (this is expected if no credentials are configured)
2026-01-29T18:33:15.745Z [ERROR] API error (attempt 4/11): Error: self signed certificate in certificate chain
timfallmk · 5 months ago

Can we get this fixed? This is extremely annoying.

sheriferson · 5 months ago

This was happening to me with the latest version from Homebrew (2.1.31), and at least in my case, the following change solved the endless sso loop:

In ~/.aws/config, replace role_arn which had the full arn to the role I wanted claude code to use with sso_role_name.

timfallmk · 5 months ago
In ~/.aws/config, replace role_arn which had the full arn to the role I wanted claude code to use with sso_role_name.

Unfortunately this was already set for me. Still having this issue.

Kamil-Budzik-Auctane · 5 months ago

Bump — I’m experiencing the exact same issue. Does anyone have a workaround?

iamharisai · 5 months ago

Please provide a fix for this. :-)

liranZiv27 · 4 months ago

I also had this issue, when I removed my ~/.aws/credentials file, it was resolved.
I don't need it because we're using aws sso login.
Good luck!

rdundon · 4 months ago
I also had this issue, when I removed my ~/.aws/credentials file, it was resolved.

That did it for me! Well technically I moved the file elsewhere just in case I do need it, but worked nonetheless.

timfallmk · 4 months ago
I also had this issue, when I removed my ~/.aws/credentials file, it was resolved.

Wow this finally solved it for me! Thanks so much!

campey · 4 months ago

Workaround: Prevent the refresh loop with a smart wrapper

We hit this same issue (we needed to use the credentials approach) and debugged it thoroughly. The root cause for me was AWS credential propagation delay: after the awsAuthRefresh command writes new credentials, they take ~3-5 seconds to become valid on AWS's side. Claude Code retries immediately, gets another 403, triggers another refresh — which writes new credentials, resetting the propagation clock. This creates the loop.

The fix is to make your refresh command smarter with three guards:

  1. Skip if credentials are fresh — if ~/.aws/credentials was written < 120 seconds ago, exit 0 immediately without refreshing. This prevents re-generating credentials that are still propagating.
  1. Lock file — if multiple 403s fire (e.g. from concurrent sessions), only one instance runs the actual refresh. Others wait for it to finish, then exit cleanly.
  1. Poll for validity after refresh — after writing credentials, poll aws sts get-caller-identity every 1s (up to 30s) before returning. This ensures Claude Code only retries once the credentials are confirmed working.

Create ~/.claude/scripts/aws-refresh.sh:

#!/bin/bash
CREDS_FILE="$HOME/.aws/credentials"
LOCKFILE="/tmp/aws-refresh.lock"
SKIP_IF_NEWER_THAN=120

# Skip if credentials were recently written (propagation delay, not actually expired)
if [ -f "$CREDS_FILE" ]; then
  if [[ "$OSTYPE" == "darwin"* ]]; then
    CREDS_AGE=$(( $(date +%s) - $(stat -f %m "$CREDS_FILE") ))
  else
    CREDS_AGE=$(( $(date +%s) - $(stat -c %Y "$CREDS_FILE") ))
  fi
  if [ "$CREDS_AGE" -lt "$SKIP_IF_NEWER_THAN" ]; then
    exit 0
  fi
fi

# Lock to prevent concurrent refreshes across sessions
if [ -f "$LOCKFILE" ]; then
  while [ -f "$LOCKFILE" ]; do
    sleep 1
  done
  exit 0
fi
trap "rm -f $LOCKFILE" EXIT
touch "$LOCKFILE"

# Run your actual refresh command here
[command]

# Poll until credentials are valid before returning
ELAPSED=0
while [ "$ELAPSED" -lt 30 ]; do
  if aws sts get-caller-identity --profile YOUR_PROFILE &>/dev/null; then
    exit 0
  fi
  sleep 1
  ELAPSED=$((ELAPSED + 1))
done
exit 0

Then chmod +x ~/.claude/scripts/aws-refresh.sh and update settings:

{
  "awsAuthRefresh": "~/.claude/scripts/aws-refresh.sh"
}

Replace [command] with what you're doing to get your token.

This completely eliminates the loop. The first refresh runs, polls until valid (~4s), and Claude recovers cleanly.

In our case, after getting this working I moved the guards code into the [command] js script that we run to refreash the token, for neatness, but this shell script approach works just fine.

This behaviour could probably be built into claude at some point, but until then this should get you going too.

cnotin · 4 months ago

On my side I'm using okta-aws-cli and I've managed to fix it by adding -e -x to the command line:

  - -e (--cache-access-token): Caches the Okta OIDC token to disk so subsequent runs don't need browser re-authentication within the token's validity period.
  - -x (--expiry-aws-variables): Writes x_security_token_expires into ~/.aws/credentials, so Claude Code can read the expiry time and know the credentials are still valid — skipping the refresh call entirely until they actually expire.

  Next time you run the refresh, it'll cache both the Okta token and the expiry timestamp. After that, Claude should stop prompting on every startup.
github-actions[bot] · 2 months ago

This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.