[BUG] Claude Code does not handle expiry of short term IAM credentials (security tokens)
Environment
- Platform (select one):
- [ ] Anthropic API
- [x] AWS Bedrock
- [ ] Google Vertex AI
- [ ] Other: <!-- specify -->
- Claude CLI version: 1.0.29 (Claude Code)
- Operating System: Windows 11
- Terminal: cmd
Bug Description
When using CLAUDE_CODE_USE_BEDROCK=1, if your IAM credentials expire, Claude Code does not pick up new credentials if they are refreshed.
Steps to Reproduce
- log into AWS via CLI and export AWS_PROFILE of relevant profile (using short-term STS token)
- start Claude Code
- wait for credentials to expire
- refresh AWS credentials (in another window)
- it will no longer be possible to run any commands in Claude Code
Expected Behaviour
I expect Claude Code to check for refreshed credentials when receiving 403s (API Error: 403 The security token included in the request is expired) from AWS API calls.
Actual Behaviour
API Error: 403 The security token included in the request is expired is returned continually.
To work around you can quit and restart with claude --continue but if using many Claude Code sessions this is problematic.
Additional Context
It is common for enterprises to not use long lived IAM access keys but rather short lived STS tokens, for example via saml2aws/oktacli if using Okta. These credentials typically only last for hours or a day.
If you have many different Claude Code sessions open all sharing the same base IAM profile you will need to re-open all of them to pick up new credentials.
This issue has 13 comments on GitHub. Read the full discussion on GitHub ↗