Authorization Token has expired issue AWS-CLI on MacOS Sierra
Introduction
The Authorization Token has expired error in the AWS CLI usually means the command is using temporary credentials that are no longer valid. macOS Sierra is mostly incidental here. The real causes are expired STS sessions, stale environment variables, expired SSO or MFA sessions, or a local clock that is far enough out of sync to break request signing.
What The Error Usually Means
AWS CLI commands can use several kinds of credentials:
- long-lived access keys
- STS temporary session credentials
- assumed-role credentials
- AWS SSO cached credentials
- service-specific temporary login tokens
The expired-token error appears when the active credential source is time-limited and its validity window has ended.
First: Find Out Which Credentials The CLI Is Using
Do not start by editing random files. First identify the active credential source.
aws configure list tells you whether credentials come from environment variables, shared config files, or another source. That matters because the fix depends on where the expired token came from.
Common Cause: Stale Environment Variables
A very common problem is an old session token left in the shell environment.
If you see values such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN, they override what is in the normal profile files.
To clear them for the current shell:
Then retry the command.
Common Cause: Expired Assume-Role Or STS Session
If you obtained credentials through aws sts assume-role or a helper script, the session eventually expires. In that case, you must re-run the role-assumption flow rather than expecting the CLI to refresh the token automatically.
A minimal example looks like this:
If your workflow depends on assumed-role credentials, make sure the tooling that populates your profile is rerun before the session expires.
Common Cause: AWS SSO Login Expired
If the profile uses AWS SSO, refresh it explicitly.
This is one of the most common fixes on developer laptops because SSO sessions are cached locally and eventually time out.
Check The System Clock
AWS request signing is time-sensitive. If the local clock drifts badly enough, even otherwise valid credentials can appear expired or not yet valid.
On macOS, confirm that time synchronization is enabled and the system time is correct. Even though the article title mentions macOS Sierra specifically, this part is the same on other macOS versions as well.
Inspect The Active Profile Files
If the CLI is reading shared config files, inspect them directly.
Look for:
- an old aws_session_token
- a profile that points to a credential process or SSO config
- the wrong default profile
This helps you distinguish between an expired cached token and a completely different profile-selection problem.
A Simple Recovery Workflow
For most local development environments, a clean troubleshooting sequence is:
- run aws configure list
- check for AWS_ environment variables
- clear stale environment overrides if present
- refresh SSO or assume-role credentials
- verify with aws sts get-caller-identity
That is more reliable than repeatedly rerunning the same failing command.
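The workflow above as shell functions, added here as an example and not taken from the original article. The function names are hypothetical, and AWS_PROFILE (the CLI's standard profile-selection variable) is an addition the page does not mention.

```shell
#!/bin/sh
# Added example, not from the original article. Source this file into the
# current shell: a child process cannot unset variables in its parent.

# Print the NAMES of credential variables set in this shell, never their values.
aws_env_overrides() {
    for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        eval "value=\${$name:-}"   # fixed variable names only, so eval is safe
        if [ -n "$value" ]; then
            printf '%s\n' "$name"
        fi
    done
    unset value
}

# Remove the overrides so the CLI falls back to the profile files.
clear_aws_env() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Profile the CLI will select: AWS_PROFILE if set, otherwise "default".
aws_active_profile() {
    printf '%s\n' "${AWS_PROFILE:-default}"
}

# Inspect, clear stale overrides, then verify the identity in use.
# Refreshing SSO or assume-role credentials remains a separate manual step.
aws_recover() {
    overrides=$(aws_env_overrides)
    if [ -n "$overrides" ]; then
        # Unquoted on purpose: joins the names onto one line.
        echo "Clearing environment overrides:" $overrides >&2
        clear_aws_env
    fi
    echo "Active profile: $(aws_active_profile)" >&2
    if ! command -v aws >/dev/null 2>&1; then
        echo "aws CLI not found on PATH" >&2
        return 127
    fi
    aws configure list
    aws sts get-caller-identity
}
```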
Common Pitfalls
A common mistake is updating ~/.aws/credentials while an expired AWS_SESSION_TOKEN environment variable is still set. In that case the CLI keeps using the stale environment values and ignores the file changes.
Another issue is assuming the error is tied to macOS Sierra itself. The operating system can contribute through clock skew or old local tooling, but the error almost always comes from AWS credential lifetime rules.
Developers also sometimes forget which profile is active. If the shell is using a default profile but the fresh credentials were stored under a named profile, the error persists even after a successful refresh.
Finally, do not ignore --debug output when basic checks fail. It often reveals exactly which credential provider was used.
Summary
- "Authorization Token has expired" usually means the AWS CLI is using expired temporary credentials.
- Start by checking which credential source is active with aws configure list.
- Clear stale AWS_ environment variables if they are overriding profile files.
- Re-run the correct refresh flow for assumed roles or AWS SSO sessions.
- Verify local clock accuracy because AWS request signing is time-sensitive.

