awsAuthRefresh Credential Reload Issues - Inconsistent Behavior and Multi-Session Failures

Resolved 💬 3 comments Opened Mar 11, 2026 by jeffjen Closed Mar 15, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

awsAuthRefresh successfully executes and updates ~/.aws/credentials, but Claude Code fails to properly reload the refreshed credentials. This results in:

Issue 1 - Same Session: After awsAuthRefresh completes successfully with 2FA, the first request shows "API Error: The security token included in the request is expired". The second request succeeds without re-authentication (intermittent).

Issue 2 - Multiple Sessions: When one Claude Code session refreshes credentials, other running sessions remain stuck with expired cached credentials and never reload from the updated file. The only workaround is exit + claude --continue.

See full report with detailed evidence and timelines in the bug report markdown attached.

What Should Happen?

According to the documentation:

"When Claude Code detects that your AWS credentials are expired... it will automatically run your configured awsAuthRefresh and/or awsCredentialExport commands to obtain new credentials before retrying the request."

Expected behavior:

  1. Detect expired credentials ✅ (Works)
  2. Run awsAuthRefresh ✅ (Works)
  3. Update credentials file ✅ (Works)
  4. Reload credentials from file ❌ (FAILS - not reloading properly)
  5. Retry original request seamlessly ❌ (FAILS - shows error instead)
  6. User sees successful response ❌ (FAILS - requires manual retry)

Additionally, all Claude Code sessions should reload credentials when the file is updated externally.

Error Messages/Logs

API Error: The security token included in the request is expired

Additional error seen during testing:
API Error: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/my-role/user@example.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/my-role

Note: The credentials file shows valid credentials after awsAuthRefresh completes, confirmed by running `aws sts get-caller-identity --profile my-profile` which succeeds immediately.

Steps to Reproduce

Single Session Reproduction:

  1. Configure awsAuthRefresh in ~/.claude/settings.json:

``json
{
"awsAuthRefresh": "saml2aws login --skip-prompt --idp-account default",
"env": {
"AWS_REGION": "us-east-1",
"AWS_PROFILE": "my-profile",
"CLAUDE_CODE_USE_BEDROCK": "1"
}
}
``

  1. Start Claude Code with Bedrock
  2. Wait for credentials to expire (4 hours in this case)
  3. Send a message to trigger credential check
  4. Complete 2FA when prompted
  5. Observe: "API Error: The security token included in the request is expired"
  6. Send another message immediately
  7. Observe: Request succeeds without re-authentication

Multi-Session Reproduction:

  1. Start Claude Code Session A in directory X
  2. Start Claude Code Session B in directory Y
  3. Wait for credentials to expire
  4. In Session A: send message → triggers refresh → complete 2FA → Session A works
  5. In Session B: send message → shows "token expired" despite valid credentials in file
  6. Verify with aws sts get-caller-identity --profile my-profile (succeeds)
  7. Session B continues to fail until restarted with claude --continue

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.72 (Claude Code)

Platform

AWS Bedrock

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Detailed Timeline Evidence

Test 1 (Single session):

  • Credentials expired at 11:28
  • First "Ping" at 14:08 → awsAuthRefresh triggered → 2FA completed → file updated → ERROR shown
  • Second "Ping" immediately after → Works without re-auth

Test 2 (Multi-session at 17:32-17:45):

  • Session A (PID 87556, SOCIntelligence): Triggered refresh → 2FA → File updated → Works ✅
  • Session B (PID 99749, probe): Shows "token expired" despite valid file credentials ❌
  • Verified: aws sts get-caller-identity --profile my-profile succeeds from CLI
  • Session B file credentials: expire at 21:32 (4 hours in future), but session still shows error

Configuration Details

Uses role chaining:

[profile my-profile]
role_arn = arn:aws:iam::XXXXXXXXXXXX:role/my-role
source_profile = saml

Base [saml] credentials refreshed by saml2aws, then my-profile assumes role.

Test Results

| Test | Result | Notes |
|------|--------|-------|
| Single session, first attempt | Inconsistent | Sometimes works, sometimes needs 2nd message |
| Multi-session reload | Always fails | Other sessions never reload |
| Workaround: claude --continue | Always works | 100% success rate |

Suggested Fix Priority

  1. Force AWS SDK credential reload after awsAuthRefresh succeeds
  2. Retry original request after credentials refreshed (don't just show error)
  3. Multi-session: file watching or periodic checks
  4. Better error messaging to distinguish refresh failures from reload failures

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗