[BUG] Claude Code doesn't inherit refreshed AWS credentials from SAML-to in GitHub Codespaces, causing 403 "security token expired" errors every 30 minutes
Environment
- Platform (select one):
- [ ] Anthropic API
- [x] AWS Bedrock
- [ ] Google Vertex AI
- [ ] Other: <!-- specify -->
- Claude CLI version:
1.0.80 (Claude Code) - Operating System: Linux (GitHub Codespaces with devcontainer, inside of a Windows 11 laptop)
- Terminal: VS Code integrated terminal in GitHub Codespaces
Bug Description
Claude Code fails to inherit refreshed AWS credentials from the SAML-to VS Code extension in GitHub Codespaces, resulting in "security token expired" 403 errors approximately every 30 minutes. This forces users to quit and restart their Claude Code session, losing conversation context if we don't explicitly write claude --continue
Steps to Reproduce
- Set up a GitHub Codespace with SAML-to devcontainer feature configured (using
ghcr.io/saml-to/devcontainer-features/assume-aws-role) - Start Claude Code CLI in the Codespace terminal
- Work normally with AWS resources (reading files, running commands, etc.)
- Wait approximately 30 minutes for the AWS STS tokens to expire
- Attempt any operation that requires AWS credentials
Expected Behavior
Claude Code should seamlessly inherit the refreshed AWS credentials from the SAML-to VS Code extension (like GitHub Copilot and Cline do in the same environment), allowing uninterrupted work without credential expiration issues.
Actual Behavior
After ~30 minutes, Claude Code encounters 403 errors with "The security token included in the request is expired" and retries multiple times before failing:
⎿ API Error (403 The security token included in the request is expired) · Retrying in 1 seconds… (attempt 1/10)
⎿ API Error (403 The security token included in the request is expired) · Retrying in 1 seconds… (attempt 2/10)
⎿ API Error (403 The security token included in the request is expired) · Retrying in 2 seconds… (attempt 3/10)
⎿ API Error (403 The security token included in the request is expired) · Retrying in 4 seconds… (attempt 4/10)
⎿ API Error (403 The security token included in the request is expired) · Retrying in 10 seconds… (attempt 5/10)
until I force-quit, and re-join that session using claude --continue
(which works immediately, because I have SAML-to installed in my VSCode Codespaces)
Additional Context
- Our (private) repository uses
saml-to.ymlconfiguration for AWS SAML authentication - The devcontainer.json includes the SAML-to feature and VS Code extension (
saml-to.saml-to-vscode) - Other tools in the same Codespace (GitHub Copilot, Cline, bash AWS CLI) work continuously without credential issues or forced refresh commands.
- The SAML-to extension successfully refreshes credentials for other processes, but Claude Code doesn't inherit these refreshed credentials
- Using
--resumeto restore context after restarting is a workaround but disrupts workflow
Similar issues noted:
- https://github.com/anthropics/claude-code/issues/3823 (prev closed)
This issue has 9 comments on GitHub. Read the full discussion on GitHub ↗