The SSO session associated with this profile has expired or is otherwise invalid

TL;DR — Your IAM Identity Center (AWS SSO) access token has lapsed, so the profile can't mint credentials for the DynamoDB call. Run aws sso login --profile <profile> to re-authenticate. If the error persists right after logging in, you're logging into a different profile/session than the code is using, or the cached token under ~/.aws/sso/cache is stale — clear it and log in again.

What it means

UnauthorizedSSOTokenError: The SSO session associated with this profile has
expired or is otherwise invalid. To refresh this SSO session run aws sso login
with the corresponding profile.

SSO-based profiles don't store long-lived keys. aws sso login caches an access token locally, and the CLI/SDK exchanges it for short-lived role credentials on demand. Both layers expire: the role credentials after minutes-to-hours, and the SSO token after your organization's configured session length. When the token is expired (or the refresh fails), every signed call — including DynamoDB reads and writes — fails with this error before reaching AWS.

Why it happens

  • The SSO session simply timed out — session duration is set by your Identity Center administrator; overnight expiry is typical.
  • You logged into a different profileaws sso login ran against one profile while your app/tool resolves another (AWS_PROFILE mismatch, or two profiles pointing at different sso_session configs).
  • Stale or corrupted token cache — the JSON files under ~/.aws/sso/cache no longer match the profile's SSO configuration (region/start URL changed), so tools keep seeing an "invalid" session even after login.
  • Third-party tools resolving credentials themselves — SDKs and tools that read the SSO cache directly can disagree with the CLI about validity (some treat tokens as expired slightly ahead of their actual expiry).

How to fix it

  1. Re-authenticate the right profile:

    aws sso login --profile my-profile
    aws sts get-caller-identity --profile my-profile   # confirm it worked
  2. Make sure your code uses that same profile — set AWS_PROFILE=my-profile for the process that talks to DynamoDB, and check ~/.aws/config for duplicate/legacy profile definitions.

  3. Still "expired" after login? Clear the token cache and log in fresh — aws sso logout is the documented way to delete the cached credentials (they live under ~/.aws/sso/cache):

    aws sso logout
    rm -rf ~/.aws/sso/cache   # only if a stale cache file still lingers
    aws sso login --profile my-profile
  4. For long-running or headless workloads, don't use SSO profiles — an interactive browser login can't refresh unattended. Use an IAM role attached to the compute (instance/task/execution role) or a CI OIDC role instead.

  5. Sessions expiring annoyingly fast? Session duration is an Identity Center setting — ask your administrator to extend it.

Desktop tools inherit the same fix: once aws sso login succeeds, the DynoTable desktop app picks up your refreshed SSO profile and reconnects to your tables. While the session is live, the DynamoDB Expression Builder helps you turn what you want to query into a correct request.

References

Last verified 2026-07-13 against the official AWS documentation linked above.

Work with DynamoDB without the Console

DynoTable is a fast desktop client for DynamoDB — browse tables, run SQL-style queries, and edit items locally.