Bobcares

AWS error code ExpiredToken – How to resolve

Sep 29, 2021

Stuck with AWS error code ExpiredToken? We can help you.

All application API requests to Amazon Web Services (AWS) must be cryptographically signed using credentials issued by AWS.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how our techs fix this.

How to resolve AWS error code ExpiredToken?

A typical error looks like this:

com.amazonaws.AmazonServiceException: The security token included in the request is expired (Service: AmazonSQS; Status Code: 403; Error Code: ExpiredToken; Request ID: 12a345b6-78cd-901e-fg23-45hi67890jkl)

If your application uses temporary credentials when creating an AWS client, then the credentials expire at the time interval specified during their creation.

You must refresh the credentials before they expire.

Another cause of this error is an incorrect system time on the host that sends the request.

A consistent and accurate time reference is crucial for many server tasks and processes.

If your instance’s date and time aren’t set correctly, the AWS credentials are rejected.

If your application is running on an Amazon EC2 instance, it’s a best practice to use an AWS Identity and Access Management (IAM) role assigned to the instance.

Using an IAM role lets you create the service client with its default constructor, so no credentials have to be stored in code or configuration.

The default constructor client searches for credentials by using the default credentials provider chain, in the following order:

1. Firstly, in system environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
2. Next, in the Java system properties: aws.accessKeyId and aws.secretKey.
3. In the default credentials file (the location of this file varies by platform).
4. Then, in the instance profile credentials contained in the instance metadata associated with the IAM role for the EC2 instance.

Attaching an instance profile to your instance adds instance profile credentials to the default credentials provider chain.

If instance profile credentials are available, then the default client constructor creates an instance of the AWS SDK InstanceProfileCredentialsProvider class.

The SDK uses this class to sign API requests with temporary security credentials retrieved from the Amazon EC2 instance metadata.

Today, let us see the steps followed by our Support Techs to resolve this error.

Use Amazon Time Sync Service or NTP sources

Configure the Amazon Time Sync Service, or another Network Time Protocol (NTP) source on your Amazon EC2 instance.

This makes sure that your Linux instance has a consistent and accurate time reference.

For more information, see Set the time for your Linux instance, or Set the time for a Windows instance.

Use custom temporary AWS credentials

Refresh temporary credentials five minutes before their expiration.

Use an IAM role assigned to an instance

Attach an instance profile to your instance.

Then, verify that no other credentials are specified in your code or on the instance.

The instance profile credentials are the last place the default credential provider chain searches for credentials.

If credentials are found anywhere earlier in the search chain, they take precedence and the IAM role credentials are never used.

To see the AWS credentials for an IAM role that’s attached to an instance, run the following commands from a Linux shell or from Windows PowerShell (v3.0 or later).

Be sure to replace examplerole with the name of your IAM role.

Linux

Use the curl command to see AWS credentials:

$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/examplerole

This command returns output similar to the following:

{
  "Code" : "Success",
  "LastUpdated" : "2016-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2016-04-27T22:39:16Z"
}

Note: If running the preceding curl command returns a 404 error, check the following:

1. Firstly, use the following command to make sure requests to the metadata IP address bypass any HTTP proxy configured on the instance:

$ export NO_PROXY=169.254.169.254

2. Then, verify that the instance isn’t making multiple concurrent requests and running multiple sessions in parallel.

Multiple concurrent requests and multiple sessions running in parallel might cause throttling by the Instance Metadata Service (IMDS).

To mitigate this, use caching and retries with exponential backoff. As with any service, calls might fail occasionally.

Clients are expected to retry when this occurs. For more information, see Query throttling.

To add retries, increase AWS_METADATA_SERVICE_NUM_ATTEMPTS (and, if the calls are slow, AWS_METADATA_SERVICE_TIMEOUT). You can set these options using environment variables, in the ~/.aws/config file, or in the user's botocore session.

Example, as environment variables:

$ export AWS_METADATA_SERVICE_TIMEOUT=10
$ export AWS_METADATA_SERVICE_NUM_ATTEMPTS=5

3. Next, if you're running the curl test inside a Docker container, adjust the http-put-response-hop-limit in the instance metadata options so that the container's extra network hop is allowed:

$ aws ec2 modify-instance-metadata-options --instance-id $(curl 169.254.169.254/latest/meta-data/instance-id) --http-put-response-hop-limit 2 --http-endpoint enabled

For more information, see Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service.

4. Then, verify that the instance profile is properly attached to the instance.
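The caching and exponential-backoff advice in step 2 above, as an added example that is not from the original post: a small Python credential source that retries throttled IMDS calls with capped, jittered backoff and hands one cached copy of the credentials document to every caller instead of letting each of them hit IMDS. It assumes you supply the HTTP client as a callable fetch(url) -> body that raises ImdsThrottled on a throttling response; make_flaky_fetch is a constructed stand-in so the code runs offline, and examplerole is the page's placeholder role name.

```python
import random
import time

IMDS_CREDENTIALS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/examplerole"


class ImdsThrottled(Exception):
    """Raised by the fetch callable when IMDS rejects the call (e.g. throttling)."""


class ImdsCredentialSource:
    """Fetch the role credentials document from IMDS with retries and exponential
    backoff, and serve the cached copy to all callers until `ttl` seconds pass."""

    def __init__(self, fetch, attempts=5, base_delay=0.1, max_delay=2.0, ttl=60.0,
                 sleep=time.sleep, clock=time.monotonic):
        self.fetch, self.attempts = fetch, attempts  # fetch(url) -> body (assumed)
        self.base_delay, self.max_delay = base_delay, max_delay
        self.ttl, self.sleep, self.clock = ttl, sleep, clock
        self._cached, self._cached_at = None, None
        self.imds_calls = 0  # how many real requests reached IMDS

    def _fetch_with_backoff(self, url):
        for n in range(self.attempts):
            self.imds_calls += 1
            try:
                return self.fetch(url)
            except ImdsThrottled:
                if n == self.attempts - 1:
                    raise  # attempts exhausted: surface the error to the caller
                delay = min(self.max_delay, self.base_delay * 2 ** n)
                self.sleep(delay * random.uniform(0.5, 1.0))  # jitter spreads retries

    def credentials(self, url=IMDS_CREDENTIALS_URL):
        now = self.clock()
        if self._cached is None or now - self._cached_at >= self.ttl:
            self._cached, self._cached_at = self._fetch_with_backoff(url), now
        return self._cached


def make_flaky_fetch(failures_before_success, body):
    """Constructed stand-in for an HTTP client: throttles N times, then succeeds."""
    state = {"calls": 0}

    def fetch(url):
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise ImdsThrottled("429 Too Many Requests from IMDS")
        return body
    return fetch
```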

Windows

Use the Invoke-RestMethod command to see AWS credentials:

PS C:\> Invoke-RestMethod http://169.254.169.254/latest/meta-data/iam/security-credentials/examplerole

This command returns output similar to the following:

Code : Success
LastUpdated : 2016-07-18T18:09:47Z
Type : AWS-HMAC
AccessKeyId : AKIAIOSFODNN7EXAMPLE
SecretAccessKey : wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Token : token
Expiration : 2016-04-27T22:39:16Z

Use these commands to check the latest temporary credentials for the instance.

These credentials automatically rotate or refresh approximately five minutes before the expiration of the assigned temporary credentials.
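As an added example (not part of the original post), the Python below parses the credentials document returned by the curl and Invoke-RestMethod commands above and applies the refresh rule from the "Use custom temporary AWS credentials" section: it reports whether the credentials are expired, inside the five-minute refresh margin, or still valid, and it flags a local clock that sits behind the AWS-stamped LastUpdated time, which is the clock-skew cause discussed earlier. The sample document and the one-minute skew tolerance are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the IMDS security-credentials document
# shown above (placeholder key values, as on the page).
SAMPLE_IMDS_RESPONSE = """{
  "Code" : "Success",
  "LastUpdated" : "2016-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2016-04-27T22:39:16Z"
}"""

REFRESH_MARGIN = timedelta(minutes=5)  # refresh five minutes before expiry
SKEW_TOLERANCE = timedelta(minutes=1)  # assumed allowance for normal drift


def parse_imds_timestamp(value: str) -> datetime:
    # IMDS timestamps are UTC ISO-8601 with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_imds_credentials(body: str) -> dict:
    """Parse the document and check that every field a request signer needs is set."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError(f"IMDS returned Code={doc.get('Code')!r}")
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration", "LastUpdated"):
        if not doc.get(key):
            raise ValueError(f"IMDS document is missing {key}")
    doc["Expiration"] = parse_imds_timestamp(doc["Expiration"])
    doc["LastUpdated"] = parse_imds_timestamp(doc["LastUpdated"])
    return doc


def credential_state(creds: dict, now: datetime) -> str:
    """'expired': requests fail with ExpiredToken; 'refresh': still valid but inside
    the five-minute margin, so fetch new credentials now; 'valid': keep signing."""
    remaining = creds["Expiration"] - now
    if remaining <= timedelta(0):
        return "expired"
    return "refresh" if remaining <= REFRESH_MARGIN else "valid"


def clock_looks_wrong(creds: dict, now: datetime) -> bool:
    """LastUpdated is stamped by AWS; a local clock earlier than it (beyond the
    tolerance) means the instance time is off and signed requests may be rejected."""
    return now < creds["LastUpdated"] - SKEW_TOLERANCE
```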

Conclusion

In short, we saw how our Support Techs fix AWS error code ExpiredToken for our customers.