[BUG] Claude Code doesn't inherit refreshed AWS credentials from SAML-to in GitHub Codespaces, causing 403 "security token expired" errors every 30 minutes

Resolved 💬 9 comments Opened Aug 14, 2025 by mslshao Closed Jan 7, 2026

Environment

  • Platform (select one):
  • [ ] Anthropic API
  • [x] AWS Bedrock
  • [ ] Google Vertex AI
  • [ ] Other: <!-- specify -->
  • Claude CLI version: 1.0.80 (Claude Code)
  • Operating System: Linux (GitHub Codespaces with devcontainer, inside of a Windows 11 laptop)
  • Terminal: VS Code integrated terminal in GitHub Codespaces

Bug Description

Claude Code fails to inherit refreshed AWS credentials from the SAML-to VS Code extension in GitHub Codespaces, resulting in "security token expired" 403 errors approximately every 30 minutes. This forces users to quit and restart their Claude Code session, losing conversation context if we don't explicitly write claude --continue

Steps to Reproduce

  1. Set up a GitHub Codespace with SAML-to devcontainer feature configured (using ghcr.io/saml-to/devcontainer-features/assume-aws-role)
  2. Start Claude Code CLI in the Codespace terminal
  3. Work normally with AWS resources (reading files, running commands, etc.)
  4. Wait approximately 30 minutes for the AWS STS tokens to expire
  5. Attempt any operation that requires AWS credentials

Expected Behavior

Claude Code should seamlessly inherit the refreshed AWS credentials from the SAML-to VS Code extension (like GitHub Copilot and Cline do in the same environment), allowing uninterrupted work without credential expiration issues.

Actual Behavior

After ~30 minutes, Claude Code encounters 403 errors with "The security token included in the request is expired" and retries multiple times before failing:

  ⎿  API Error (403 The security token included in the request is expired) · Retrying in 1 seconds… (attempt 1/10)
  ⎿  API Error (403 The security token included in the request is expired) · Retrying in 1 seconds… (attempt 2/10)
  ⎿  API Error (403 The security token included in the request is expired) · Retrying in 2 seconds… (attempt 3/10)
  ⎿  API Error (403 The security token included in the request is expired) · Retrying in 4 seconds… (attempt 4/10)
  ⎿  API Error (403 The security token included in the request is expired) · Retrying in 10 seconds… (attempt 5/10)

until I force-quit, and re-join that session using claude --continue
(which works immediately, because I have SAML-to installed in my VSCode Codespaces)

Additional Context

  • Our (private) repository uses saml-to.yml configuration for AWS SAML authentication
  • The devcontainer.json includes the SAML-to feature and VS Code extension (saml-to.saml-to-vscode)
  • Other tools in the same Codespace (GitHub Copilot, Cline, bash AWS CLI) work continuously without credential issues or forced refresh commands.
  • The SAML-to extension successfully refreshes credentials for other processes, but Claude Code doesn't inherit these refreshed credentials
  • Using --resume to restore context after restarting is a workaround but disrupts workflow

Similar issues noted:

View original on GitHub ↗

This issue has 9 comments on GitHub. Read the full discussion on GitHub ↗