Java applications using the AWS SDK for Java running on an Amazon EC2 instance experience an exception similar to the following:

com.amazonaws.AmazonServiceException: The security token included in the request is expired (Service: AmazonSQS; Status Code: 403; Error Code: ExpiredToken; Request ID: 12a345b6-78cd-901e-fg23-45hi67890jkl)

All application API requests to Amazon Web Services must be cryptographically signed using credentials issued by AWS. If your application uses temporary credentials when creating an AWS client (such as an AmazonSQS client mentioned in the exception noted above), the credentials expire at the time interval specified during their creation. If your application is running on an Amazon EC2 Instance, we recommend using an IAM role assigned to the instance. Using an IAM role allows the use of a default service constructor. The default constructor client searches for credentials by using the default credentials provider chain, in the following order:

  1. In system environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
  2. In the Java system properties: aws.accessKeyId and aws.secretKey.
  3. In the default credentials file (the location of this file varies by platform).
  4. In the instance profile credentials contained in the instance metadata associated with the IAM role for the EC2 instance. Instance profile credentials are added to the default credentials provider chain when you attach an instance profile to your instance as described at Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.

If instance profile credentials are available, the default client constructor creates an instance of the AWS SDK InstanceProfileCredentialsProvider class to sign API requests with AWS credentials using temporary credentials from Amazon EC2 instance metadata.

If your application uses the AWS SDK ProfileCredentialsProvider class to provide temporary AWS credentials, you are responsible for checking for and refreshing credentials before they expire. Not checking or refreshing your credentials can increase the likelihood of application failures caused by ExpiredToken errors.

We recommend refreshing temporary credentials 5 minutes before their expiration. 

Attach an instance profile to your instance as described at Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances. Verify in your code as well as on the instance that no other credentials are specified. Using any of the first three methods specified in the default credentials provider chain will circumvent the use of the IAM role as described in the fourth method of the default credentials provider chain.

To see the AWS credentials for an IAM role that’s attached to an instance, run the following commands from a Linux shell or from Windows PowerShell (v3.0 or later) and replace examplerole with the name of your IAM role.

  • Linux:

$ curl

This command will return output similar to the following:


     "Code" : "Success",

     "LastUpdated" : "2016-04-26T16:39:16Z",

     "Type" : "AWS-HMAC",

     "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",

     "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",

     "Token" : "token",

     "Expiration" : "2016-04-27T22:39:16Z"


  • Windows:

PS C:\> Invoke-RestMethod

This command will return output similar to the following:

Code            : Success

LastUpdated     : 2016-07-18T18:09:47Z

Type            : AWS-HMAC



Token           : token

Expiration      : 2016-04-27T22:39:16Z

Use these commands to check the latest temporary credentials for the instance. These credentials are automatically rotated/refreshed approximately 5 minutes before the expiration of the assigned temporary credentials.

Instance profile, security token, EC2, Java, SDK, AmazonServiceException, credentials, refresh, ProfileCredentialsProvider, expired

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2016-07-19
Updated: 2016-07-20