Hi there, I am getting crazy here. I am trying to update a aws stack but I keep getting the error

aws:batch:JobDefinition (my-jobDefinition):
    error: 1 error occurred:
    	* Retrieving AWS account details: validating provider credentials: retrieving caller identity from STS: operation error STS: GetCallerIdentity, https response error StatusCode: 403, RequestID: b48d33a2-5fda-4c9d-829a-1ded6a2143ea, api error ExpiredToken: The security token included in the request is expired

The error occurs for three different jobDefinitions. The same error occurs with

pulumi destroy

. I am using a Pulumi environment with aws-oidc. I tried: 1. Recreating the oidc role. 2. Using a standard aws profile instead of a Pulumi environment a. Removing all configs and credentials and make them brand new 3. Using a sso profile. CLI command

aws sts get-caller-identity

returns correctly my info. Any idea?

The STS get-caller-identity instruction can't 403 in many cases, as you don't need any actual permissions for that instruction. The only times it can happen are when your temporary credentials aren't valid. So the problem is absolutely with your OIDC and SSO credentials. You can ignore the stuff about JobDefinition: that's probably just when it's happening, not why it's happening.

Thanks for the answer, but how can it be that creating a new stack and destroying it works fine?

Timing? Short-term credentials expire. I don't have enough information to debug, I'm just proposing areas of investigation.