[BUG] Claude Code does not handle expiry of short term IAM credentials (security tokens)

Resolved 💬 13 comments Opened Jun 19, 2025 by robgott Closed Jul 15, 2025

Environment

  • Platform (select one):
  • [ ] Anthropic API
  • [x] AWS Bedrock
  • [ ] Google Vertex AI
  • [ ] Other: <!-- specify -->
  • Claude CLI version: 1.0.29 (Claude Code)
  • Operating System: Windows 11
  • Terminal: cmd

Bug Description

When using CLAUDE_CODE_USE_BEDROCK=1, if your IAM credentials expire, Claude Code does not pick up new credentials if they are refreshed.

Steps to Reproduce

  1. log into AWS via CLI and export AWS_PROFILE of relevant profile (using short-term STS token)
  2. start Claude Code
  3. wait for credentials to expire
  4. refresh AWS credentials (in another window)
  5. it will no longer be possible to run any commands in Claude Code

Expected Behaviour

I expect Claude Code to check for refreshed credentials when receiving 403s (API Error: 403 The security token included in the request is expired) from AWS API calls.

Actual Behaviour

API Error: 403 The security token included in the request is expired is returned continually.
To work around you can quit and restart with claude --continue but if using many Claude Code sessions this is problematic.

Additional Context

It is common for enterprises to not use long lived IAM access keys but rather short lived STS tokens, for example via saml2aws/oktacli if using Okta. These credentials typically only last for hours or a day.
If you have many different Claude Code sessions open all sharing the same base IAM profile you will need to re-open all of them to pick up new credentials.

View original on GitHub ↗

This issue has 13 comments on GitHub. Read the full discussion on GitHub ↗