[BUG] `"awsAuthRefresh":` setting causes constant repeated auth attempts
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When opening Claude, if an AWS token refresh command is present in ~/.claude/settings.json at "awsAuthRefresh", claude will loop asking for a new auth token (and prompting a browser open) every few seconds. Passing the login challenge (or denying it) does not stop the loop.
A user cannot get past this point.
Example ~/.claude/settings.json snippet:
{
"awsAuthRefresh": "aws sso login --profile <profile>",
"env": {
"AWS_PROFILE": "<profile>",
"AWS_REGION": "us-west-2",
"CLAUDE_CODE_MAX_OUTPUT_TOKENS": "16384",
"CLAUDE_CODE_USE_BEDROCK": "1",
"DISABLE_AUTOUPDATER": "1"
},
What Should Happen?
Claude should successful launch, check if the current auth token is valid and run auth _once_ if necessary to get a valid token. It should then be ready to accept messages after that.
Error Messages/Logs
Steps to Reproduce
- Set an
"awsAuthRefresh":command in~/.claude/settings.json - Launch Claude Code
Claude Model
Sonnet (default)
Is this a regression?
Yes, this worked in a previous version
Last Working Version
2.0.52
Claude Code Version
2.0.53
Platform
AWS Bedrock
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
This regression appears to have been introduced in 2.0.53. It does not happen prior to this version.
Note: This is possibly related to #10594
24 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
Possible regression of #9027 although possibly unrelated.
This appears to be fixed in
2.0.56Reopening as it was not fixed in
2.0.56Is there a fix or workaround for this???
Still happening on
2.0.76. Is there any solution for this?Hate to be a "me too", but this is breaking the flow for dozens of people here at my org.
Still seeing this issue in
2.1.2and also causing issues for many in my orgStill broken in
v2.1.7. Claude Code keeps opening AWS login pages in every 2 seconds.I was hitting this problem until I noticed the role name was not the same as the one I had access to in AWS.
so, double check the values - account number, role name, and IAM configs.
edit: actually, nevermind.. it came back when I prompted something..
edit2: changed to Administrator role and it's working now, then I realized the account did not have the necessary IAM configuration set!
https://code.claude.com/docs/en/amazon-bedrock?search=autoUpdatesChannel#iam-configuration
Updated our IAM policy to match what the documentation says exactly and we're still getting the loop.
Still seeing this as of
v2.1.23Very annoying!Noticed in debug logs (~/.claude/debug/latest) that it was looping on AWS login. We have a corporate VPN that MITM's our SSL traffic.
Running with env var
NODE_TLS_REJECT_UNAUTHORIZED=0solved my issue.Can we get this fixed? This is extremely annoying.
This was happening to me with the latest version from Homebrew (2.1.31), and at least in my case, the following change solved the endless sso loop:
In
~/.aws/config, replacerole_arnwhich had the full arn to the role I wanted claude code to use withsso_role_name.Unfortunately this was already set for me. Still having this issue.
Bump — I’m experiencing the exact same issue. Does anyone have a workaround?
Please provide a fix for this. :-)
I also had this issue, when I removed my
~/.aws/credentialsfile, it was resolved.I don't need it because we're using
aws sso login.Good luck!
That did it for me! Well technically I moved the file elsewhere just in case I do need it, but worked nonetheless.
Wow this finally solved it for me! Thanks so much!
Workaround: Prevent the refresh loop with a smart wrapper
We hit this same issue (we needed to use the credentials approach) and debugged it thoroughly. The root cause for me was AWS credential propagation delay: after the
awsAuthRefreshcommand writes new credentials, they take ~3-5 seconds to become valid on AWS's side. Claude Code retries immediately, gets another 403, triggers another refresh — which writes new credentials, resetting the propagation clock. This creates the loop.The fix is to make your refresh command smarter with three guards:
~/.aws/credentialswas written < 120 seconds ago, exit 0 immediately without refreshing. This prevents re-generating credentials that are still propagating.aws sts get-caller-identityevery 1s (up to 30s) before returning. This ensures Claude Code only retries once the credentials are confirmed working.Create
~/.claude/scripts/aws-refresh.sh:Then
chmod +x ~/.claude/scripts/aws-refresh.shand update settings:Replace [command] with what you're doing to get your token.
This completely eliminates the loop. The first refresh runs, polls until valid (~4s), and Claude recovers cleanly.
In our case, after getting this working I moved the guards code into the
[command]js script that we run to refreash the token, for neatness, but this shell script approach works just fine.This behaviour could probably be built into claude at some point, but until then this should get you going too.
On my side I'm using
okta-aws-cliand I've managed to fix it by adding-e -xto the command line:This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.