The SSO session associated with this profile has expired or is otherwise invalid
TL;DR — Your IAM Identity Center (AWS SSO) access token has lapsed, so the profile can't mint credentials for the DynamoDB call. Run aws sso login --profile <profile> to re-authenticate. If the error persists right after logging in, you're logging into a different profile/session than the code is using, or the cached token under ~/.aws/sso/cache is stale — clear it and log in again.
What it means
UnauthorizedSSOTokenError: The SSO session associated with this profile has
expired or is otherwise invalid. To refresh this SSO session run aws sso login
with the corresponding profile.SSO-based profiles don't store long-lived keys. aws sso login caches an access token locally, and the CLI/SDK exchanges it for short-lived role credentials on demand. Both layers expire: the role credentials after minutes-to-hours, and the SSO token after your organization's configured session length. When the token is expired (or the refresh fails), every signed call — including DynamoDB reads and writes — fails with this error before reaching AWS.
Why it happens
- The SSO session simply timed out — session duration is set by your Identity Center administrator; overnight expiry is typical.
- You logged into a different profile —
aws sso loginran against one profile while your app/tool resolves another (AWS_PROFILEmismatch, or two profiles pointing at differentsso_sessionconfigs). - Stale or corrupted token cache — the JSON files under
~/.aws/sso/cacheno longer match the profile's SSO configuration (region/start URL changed), so tools keep seeing an "invalid" session even after login. - Third-party tools resolving credentials themselves — SDKs and tools that read the SSO cache directly can disagree with the CLI about validity (some treat tokens as expired slightly ahead of their actual expiry).
How to fix it
Re-authenticate the right profile:
aws sso login --profile my-profile aws sts get-caller-identity --profile my-profile # confirm it workedMake sure your code uses that same profile — set
AWS_PROFILE=my-profilefor the process that talks to DynamoDB, and check~/.aws/configfor duplicate/legacy profile definitions.Still "expired" after login? Clear the token cache and log in fresh —
aws sso logoutis the documented way to delete the cached credentials (they live under~/.aws/sso/cache):aws sso logout rm -rf ~/.aws/sso/cache # only if a stale cache file still lingers aws sso login --profile my-profileFor long-running or headless workloads, don't use SSO profiles — an interactive browser login can't refresh unattended. Use an IAM role attached to the compute (instance/task/execution role) or a CI OIDC role instead.
Sessions expiring annoyingly fast? Session duration is an Identity Center setting — ask your administrator to extend it.
Desktop tools inherit the same fix: once aws sso login succeeds, the DynoTable desktop app picks up your refreshed SSO profile and reconnects to your tables. While the session is live, the DynamoDB Expression Builder helps you turn what you want to query into a correct request.
Related errors
- The security token included in the request is expired — expired role credentials rather than the SSO session.
- The security token included in the request is invalid
- Unable to locate credentials (boto3)
References
- Configuring IAM Identity Center authentication with the AWS CLI — AWS CLI User Guide
- sso login — AWS CLI Command Reference
- Set session duration for AWS accounts — IAM Identity Center User Guide
Last verified 2026-07-13 against the official AWS documentation linked above.