[BUG] awsAuthRefresh doesn't invalidate AWS SDK credential cache after extended token expiration

Resolved 💬 3 comments Opened Jan 15, 2026 by jrh9 Closed Jan 19, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When AWS credentials have been expired for an extended period (~12 hours overnight), refreshing them externally doesn't work. Claude detects the 403, runs awsAuthRefresh, but retries still use stale cached credentials from memory instead of re-reading from ~/.aws/credentials.

All 10 retry attempts fail with "The security token included in the request is expired" even though the credentials file has been updated (verified by timestamp).

No mitigation available — /compact and /handoff also require API access, so they fail with 403 too. User is completely locked out with no way to save context before restarting.

What Should Happen?

Per the docs (https://code.claude.com/docs/en/amazon-bedrock):

> "When Claude Code detects that your AWS credentials are expired...it will automatically run your configured awsAuthRefresh...before retrying the request."

After awsAuthRefresh runs, Claude should re-read credentials from ~/.aws/credentials and retry successfully.

Error Messages/Logs

Error Messages/Logs:
  403 The security token included in the request is expired
  Retrying in 2 seconds… (attempt 4/10)

Steps to Reproduce

Steps to Reproduce:

  1. Configure awsAuthRefresh in ~/.claude/settings.json:

```json
{
"env": {
"CLAUDE_CODE_USE_BEDROCK": "1"
},
"awsAuthRefresh": "echo '🔐'"
}
(placeholder command - our SSO is interactive)

  1. Let AWS session credentials expire overnight (~12 hours)
  2. In a separate terminal, run interactive SSO login to update ~/.aws/credentials
  3. Verify credentials file timestamp updated
  4. In the Claude Code window, send a message
  5. Observe: 403 errors, awsAuthRefresh runs (🔐 appears), retries still fail

Time-dependent behavior:

  • Works: Token expires during active session → refresh externally → Claude picks up fresh creds
  • Fails: Leave session overnight (~12 hours) → refresh externally → Claude still uses stale cached creds

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.7

Platform

AWS Bedrock

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Root cause hypothesis: AWS SDK caches credentials in memory. After awsAuthRefresh runs, Claude Code doesn't invalidate this cache, so retries use stale credentials instead of re-reading from disk.

Note: awsAuthRefresh is a placeholder (echo '🔐') because our corporate SSO requires interactive password prompt. The workflow:

  1. awsAuthRefresh runs (🔐 output confirms execution)
  2. Refresh credentials externally via interactive SSO
  3. ~/.aws/credentials IS updated (verified by timestamp)
  4. Claude retries but still uses stale cached credentials

Clarification on the workflow:

To be clear - credentials are refreshed before sending a message to Claude:

  1. Morning: run interactive SSO login in separate terminal
  2. ~/.aws/credentials file is updated (verified by timestamp)
  3. Then go to Claude window and send a message
  4. Claude tries → 403 → runs awsAuthRefresh → retries → still 403

The credentials are already fresh in the file before Claude even attempts the request. The issue is Claude isn't re-reading from disk after awsAuthRefresh runs - it's still using stale credentials cached in memory.

The awsAuthRefresh command doesn't need to do the actual refresh. It just needs to signal "credentials may have changed, re-read from ~/.aws/credentials". But that re-read isn't happening.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗