[BUG] awsAuthRefresh doesn't invalidate AWS SDK credential cache after extended token expiration
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When AWS credentials have been expired for an extended period (~12 hours overnight), refreshing them externally doesn't work. Claude detects the 403, runs awsAuthRefresh, but retries still use stale cached credentials from memory instead of re-reading from ~/.aws/credentials.
All 10 retry attempts fail with "The security token included in the request is expired" even though the credentials file has been updated (verified by timestamp).
No mitigation available — /compact and /handoff also require API access, so they fail with 403 too. User is completely locked out with no way to save context before restarting.
What Should Happen?
Per the docs (https://code.claude.com/docs/en/amazon-bedrock):
> "When Claude Code detects that your AWS credentials are expired...it will automatically run your configured awsAuthRefresh...before retrying the request."
After awsAuthRefresh runs, Claude should re-read credentials from ~/.aws/credentials and retry successfully.
Error Messages/Logs
Error Messages/Logs:
403 The security token included in the request is expired
Retrying in 2 seconds… (attempt 4/10)
Steps to Reproduce
Steps to Reproduce:
- Configure
awsAuthRefreshin~/.claude/settings.json:
```json
{
"env": {
"CLAUDE_CODE_USE_BEDROCK": "1"
},
"awsAuthRefresh": "echo '🔐'"
}
(placeholder command - our SSO is interactive)
- Let AWS session credentials expire overnight (~12 hours)
- In a separate terminal, run interactive SSO login to update ~/.aws/credentials
- Verify credentials file timestamp updated
- In the Claude Code window, send a message
- Observe: 403 errors, awsAuthRefresh runs (🔐 appears), retries still fail
Time-dependent behavior:
- Works: Token expires during active session → refresh externally → Claude picks up fresh creds
- Fails: Leave session overnight (~12 hours) → refresh externally → Claude still uses stale cached creds
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.7
Platform
AWS Bedrock
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Root cause hypothesis: AWS SDK caches credentials in memory. After awsAuthRefresh runs, Claude Code doesn't invalidate this cache, so retries use stale credentials instead of re-reading from disk.
Note: awsAuthRefresh is a placeholder (echo '🔐') because our corporate SSO requires interactive password prompt. The workflow:
- awsAuthRefresh runs (🔐 output confirms execution)
- Refresh credentials externally via interactive SSO
- ~/.aws/credentials IS updated (verified by timestamp)
- Claude retries but still uses stale cached credentials
Clarification on the workflow:
To be clear - credentials are refreshed before sending a message to Claude:
- Morning: run interactive SSO login in separate terminal
~/.aws/credentialsfile is updated (verified by timestamp)- Then go to Claude window and send a message
- Claude tries → 403 → runs
awsAuthRefresh→ retries → still 403
The credentials are already fresh in the file before Claude even attempts the request. The issue is Claude isn't re-reading from disk after awsAuthRefresh runs - it's still using stale credentials cached in memory.
The awsAuthRefresh command doesn't need to do the actual refresh. It just needs to signal "credentials may have changed, re-read from ~/.aws/credentials". But that re-read isn't happening.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗