awsAuthRefresh Credential Reload Issues - Inconsistent Behavior and Multi-Session Failures
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
awsAuthRefresh successfully executes and updates ~/.aws/credentials, but Claude Code fails to properly reload the refreshed credentials. This results in:
Issue 1 - Same Session: After awsAuthRefresh completes successfully with 2FA, the first request shows "API Error: The security token included in the request is expired". The second request succeeds without re-authentication (intermittent).
Issue 2 - Multiple Sessions: When one Claude Code session refreshes credentials, other running sessions remain stuck with expired cached credentials and never reload from the updated file. The only workaround is exit + claude --continue.
See full report with detailed evidence and timelines in the bug report markdown attached.
What Should Happen?
According to the documentation:
"When Claude Code detects that your AWS credentials are expired... it will automatically run your configuredawsAuthRefreshand/orawsCredentialExportcommands to obtain new credentials before retrying the request."
Expected behavior:
- Detect expired credentials ✅ (Works)
- Run
awsAuthRefresh✅ (Works) - Update credentials file ✅ (Works)
- Reload credentials from file ❌ (FAILS - not reloading properly)
- Retry original request seamlessly ❌ (FAILS - shows error instead)
- User sees successful response ❌ (FAILS - requires manual retry)
Additionally, all Claude Code sessions should reload credentials when the file is updated externally.
Error Messages/Logs
API Error: The security token included in the request is expired
Additional error seen during testing:
API Error: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/my-role/user@example.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/my-role
Note: The credentials file shows valid credentials after awsAuthRefresh completes, confirmed by running `aws sts get-caller-identity --profile my-profile` which succeeds immediately.
Steps to Reproduce
Single Session Reproduction:
- Configure
awsAuthRefreshin~/.claude/settings.json:
``json``
{
"awsAuthRefresh": "saml2aws login --skip-prompt --idp-account default",
"env": {
"AWS_REGION": "us-east-1",
"AWS_PROFILE": "my-profile",
"CLAUDE_CODE_USE_BEDROCK": "1"
}
}
- Start Claude Code with Bedrock
- Wait for credentials to expire (4 hours in this case)
- Send a message to trigger credential check
- Complete 2FA when prompted
- Observe: "API Error: The security token included in the request is expired"
- Send another message immediately
- Observe: Request succeeds without re-authentication
Multi-Session Reproduction:
- Start Claude Code Session A in directory X
- Start Claude Code Session B in directory Y
- Wait for credentials to expire
- In Session A: send message → triggers refresh → complete 2FA → Session A works
- In Session B: send message → shows "token expired" despite valid credentials in file
- Verify with
aws sts get-caller-identity --profile my-profile(succeeds) - Session B continues to fail until restarted with
claude --continue
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.72 (Claude Code)
Platform
AWS Bedrock
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Detailed Timeline Evidence
Test 1 (Single session):
- Credentials expired at 11:28
- First "Ping" at 14:08 → awsAuthRefresh triggered → 2FA completed → file updated → ERROR shown
- Second "Ping" immediately after → Works without re-auth
Test 2 (Multi-session at 17:32-17:45):
- Session A (PID 87556, SOCIntelligence): Triggered refresh → 2FA → File updated → Works ✅
- Session B (PID 99749, probe): Shows "token expired" despite valid file credentials ❌
- Verified:
aws sts get-caller-identity --profile my-profilesucceeds from CLI - Session B file credentials: expire at 21:32 (4 hours in future), but session still shows error
Configuration Details
Uses role chaining:
[profile my-profile]
role_arn = arn:aws:iam::XXXXXXXXXXXX:role/my-role
source_profile = saml
Base [saml] credentials refreshed by saml2aws, then my-profile assumes role.
Test Results
| Test | Result | Notes |
|------|--------|-------|
| Single session, first attempt | Inconsistent | Sometimes works, sometimes needs 2nd message |
| Multi-session reload | Always fails | Other sessions never reload |
| Workaround: claude --continue | Always works | 100% success rate |
Suggested Fix Priority
- Force AWS SDK credential reload after awsAuthRefresh succeeds
- Retry original request after credentials refreshed (don't just show error)
- Multi-session: file watching or periodic checks
- Better error messaging to distinguish refresh failures from reload failures
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗