How do I resolve the error ‘The security token included in the request is expired’ when running Java applications on Amazon EC2?
My Java applications using the AWS SDK for Java on an Amazon Elastic Compute Cloud (Amazon EC2) instance receive an exception similar to the following:
com.amazonaws.AmazonServiceException: The security token included in the request is expired (Service: AmazonSQS; Status Code: 403; Error Code: ExpiredToken; Request ID: 12a345b6-78cd-901e-fg23-45hi67890jkl)
How can I resolve this?
All application API requests to Amazon Web Services (AWS) must be cryptographically signed using credentials issued by AWS.
If your application uses temporary credentials when creating an AWS client, then the credentials expire at the time interval specified during their creation. You must refresh the credentials before they expire.
Another cause of expiration errors is an incorrect system clock. A consistent and accurate time reference is crucial for many server tasks and processes, and AWS request signatures include a timestamp, so if your instance's date and time aren't set correctly the AWS credentials are rejected.
If your application is running on an Amazon EC2 instance, it's a best practice to use an AWS Identity and Access Management (IAM) role assigned to the instance. Using an IAM role allows the use of a default service constructor. The default constructor client searches for credentials by using the default credentials provider chain, in the following order:
1. In system environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
2. In the Java system properties: aws.accessKeyId and aws.secretKey.
3. In the default credentials file (the location of this file varies by platform).
Important: If your application uses the AWS SDK ProfileCredentialsProvider class to provide temporary AWS credentials, then you're responsible for checking for and refreshing credentials before they expire. Not checking or refreshing your credentials increases the likelihood of application failures caused by ExpiredToken errors.
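The two ways of building a client described above, side by side, as an added example that is not from the original article: the default provider chain (which on EC2 ends at the instance profile and refreshes those credentials itself) and a hand-written provider that checks the expiry of caller-supplied temporary credentials on every call instead of trusting a one-time snapshot. The fetcher lambda, the five-minute margin and the placeholder key values are constructed for illustration; a real fetcher would call STS.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;

import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

public class CredentialRefreshExample {

    /** Temporary credentials together with the expiry the issuer reported. */
    public static final class TimedSessionCredentials {
        final BasicSessionCredentials credentials;
        final Instant expiration;

        public TimedSessionCredentials(String accessKeyId, String secretKey,
                                       String sessionToken, Instant expiration) {
            this.credentials = new BasicSessionCredentials(accessKeyId, secretKey, sessionToken);
            this.expiration = expiration;
        }
    }

    /**
     * Provider that re-fetches temporary credentials shortly before they expire.
     * The fetch itself is supplied by the caller (for example an STS AssumeRole call);
     * this class only decides when to invoke it, so an ExpiredToken can no longer
     * reach the service call.
     */
    public static final class RefreshingSessionCredentialsProvider implements AWSCredentialsProvider {
        // Constructed safety margin: refresh when less than five minutes of validity remain.
        static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);
        private final Supplier<TimedSessionCredentials> fetcher;
        private volatile TimedSessionCredentials current;

        public RefreshingSessionCredentialsProvider(Supplier<TimedSessionCredentials> fetcher) {
            this.fetcher = fetcher;
        }

        @Override
        public synchronized AWSCredentials getCredentials() {
            if (current == null || needsRefresh(current.expiration, Instant.now())) {
                refresh();
            }
            return current.credentials;
        }

        @Override
        public synchronized void refresh() {
            current = fetcher.get();
        }

        /** True when the credentials are expired or will expire within the margin. */
        static boolean needsRefresh(Instant expiration, Instant now) {
            return !now.plus(REFRESH_MARGIN).isBefore(expiration);
        }
    }

    public static void main(String[] args) {
        // Preferred on EC2: the default chain ends at the instance profile, whose
        // credentials the SDK rotates on its own, so nothing here can go stale.
        AmazonSQS sqs = AmazonSQSClientBuilder.standard()
                .withRegion(Regions.US_EAST_1)
                .withCredentials(new DefaultAWSCredentialsProviderChain())
                .build();

        // If you must hand the SDK temporary credentials yourself, wrap the fetch so
        // expiry is checked on every request. The fetcher below is a constructed
        // stand-in with placeholder values; a real one would call STS.
        AWSCredentialsProvider refreshing = new RefreshingSessionCredentialsProvider(() ->
                new TimedSessionCredentials("ASIA_PLACEHOLDER", "SECRET_PLACEHOLDER",
                        "TOKEN_PLACEHOLDER", Instant.now().plus(Duration.ofHours(1))));
        AmazonSQS sqsWithSessionCredentials = AmazonSQSClientBuilder.standard()
                .withRegion(Regions.US_EAST_1)
                .withCredentials(refreshing)
                .build();

        // Both clients are now safe to use for SQS calls; the first needs no refresh
        // logic at all, the second refreshes five minutes before each expiry.
        System.out.println("Clients built: " + (sqs != null) + ", " + (sqsWithSessionCredentials != null));
    }
}
```

The margin matters because a credential that is valid when `getCredentials()` returns can still expire between signing and the service receiving the request, which is exactly the race the `ExpiredToken` response reports.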
To see the AWS credentials for an IAM role that's attached to an instance, run the following commands from a Linux shell or from Windows PowerShell (v3.0 or later). Be sure to replace examplerole with the name of your IAM role.
2. Verify that the instance isn't making multiple concurrent requests and running multiple sessions in parallel. Multiple concurrent requests and multiple sessions running in parallel might cause throttling by the Instance Metadata Service (IMDS). To mitigate this, use caching and retries with exponential backoff. As with any service, calls might fail occasionally. Clients are expected to retry when this occurs. For more information, see Query throttling.
To implement retries for Boto3/botocore clients, modify AWS_METADATA_SERVICE_NUM_ATTEMPTS. You can set this option using environment variables, in the ~/.aws/config file, or in the user's botocore session. For more information, see Configuration in the Boto3 documentation (version 1.17.6).
Use these commands to check the latest temporary credentials for the instance. These credentials automatically rotate or refresh approximately five minutes before the expiration of the assigned temporary credentials.
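The same lookup done from Java rather than a shell, combining the credential check described above with the retry and caching advice in step 2. This is an added example, not the article's own commands: the IMDSv2 endpoint, token header and security-credentials paths are the documented ones, while the attempt count, backoff limits, cache lifetime and the treatment of HTTP 429 and 5xx as retryable are constructed choices for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ThreadLocalRandom;

public class ImdsCredentialsExample {
    private static final String IMDS = "http://169.254.169.254/latest";
    private static final int MAX_ATTEMPTS = 5;          // constructed limit
    private static final long BASE_BACKOFF_MS = 100;    // constructed
    private static final long MAX_BACKOFF_MS = 5_000;   // constructed cap
    private static final long CACHE_TTL_MS = 60_000;    // constructed: re-read at most once a minute

    // Process-wide cache so many threads do not each query IMDS and trigger throttling.
    private static String cachedCredentialsJson;
    private static long cachedAtMillis;

    /** Raised for a non-2xx IMDS response; carries the status so the retry loop can decide. */
    static final class ImdsHttpException extends IOException {
        final int status;
        ImdsHttpException(int status, String path) {
            super("IMDS " + path + " returned HTTP " + status);
            this.status = status;
        }
    }

    @FunctionalInterface
    interface IoCall<T> { T run() throws IOException; }

    /** Delay before retry number {@code attempt}: exponential growth, capped, with jitter. */
    static long backoffMillis(int attempt) {
        long capped = Math.min(MAX_BACKOFF_MS, BASE_BACKOFF_MS * (1L << Math.min(attempt - 1, 20)));
        return capped / 2 + ThreadLocalRandom.current().nextLong(capped / 2 + 1);
    }

    /** Throttling and server-side failures are retried; a 404 (no role attached) is not. */
    static boolean isRetryable(IOException e) {
        if (e instanceof ImdsHttpException) {
            int s = ((ImdsHttpException) e).status;
            return s == 429 || s >= 500;
        }
        return true; // connect/read timeouts and similar transport errors
    }

    static <T> T withRetries(IoCall<T> call) throws IOException, InterruptedException {
        IOException last = null;
        for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
            try {
                return call.run();
            } catch (IOException e) {
                last = e;
                if (!isRetryable(e) || attempt == MAX_ATTEMPTS) break;
                Thread.sleep(backoffMillis(attempt));
            }
        }
        throw last;
    }

    /** One IMDSv2 request with a single header (the TTL header for the token call, the token otherwise). */
    static String request(String method, String path, String headerName, String headerValue) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(IMDS + path).openConnection();
        conn.setRequestMethod(method);
        conn.setConnectTimeout(1_000);
        conn.setReadTimeout(1_000);
        conn.setRequestProperty(headerName, headerValue);
        int status = conn.getResponseCode();
        if (status / 100 != 2) throw new ImdsHttpException(status, path);
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8).trim();
        }
    }

    /** The role credentials document (AccessKeyId, SecretAccessKey, Token, Expiration), cached while fresh. */
    static synchronized String roleCredentialsJson() throws IOException, InterruptedException {
        long now = System.currentTimeMillis();
        if (cachedCredentialsJson != null && now - cachedAtMillis < CACHE_TTL_MS) {
            return cachedCredentialsJson;
        }
        String token = withRetries(() -> request("PUT", "/api/token",
                "X-aws-ec2-metadata-token-ttl-seconds", "21600"));
        String role = withRetries(() -> request("GET", "/meta-data/iam/security-credentials/",
                "X-aws-ec2-metadata-token", token));
        String json = withRetries(() -> request("GET", "/meta-data/iam/security-credentials/" + role,
                "X-aws-ec2-metadata-token", token));
        cachedCredentialsJson = json;
        cachedAtMillis = now;
        return json;
    }

    public static void main(String[] args) throws Exception {
        // Same output the article's shell commands show; watch the Expiration field
        // to confirm the rotation that happens roughly five minutes before expiry.
        System.out.println(roleCredentialsJson());
    }
}
```

Run it on the instance itself; off an instance the connect timeout fires on every attempt and the final `IOException` is surfaced after the fifth try. The cache plus the jittered backoff are what keep a busy multi-threaded application from tripping the IMDS rate limit that step 2 warns about.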