The security token included in the request is expired

In my case the issue was that I had credentials in my .aws/configure and was trying to configure from that, but what I didn't realize is that I had another pair of credentials (AWS_SESSION_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) set in environment variables.

You can do this (which will remove the credentials from the environment):

unset AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY

Now you will have only one set of access keys, i.e. in .aws/configure, and I was able to make the connection successfully.

aws configure
aws sts get-caller-identity

If you are using a profile other than default, use the --profile flag in the above command.


The assume_role method you are using returns temporary security credentials. The following is taken from the official documentation:

The temporary security credentials are valid for the duration that you specified when calling AssumeRole, which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). The default is 1 hour.

Since you are not using the DurationSeconds keyword argument, the returned credentials are valid for the default 1 hour. You must make sure to get new credentials in order to make requests after 1 hour. See the following from the Temporary Security Credentials official documentation:

When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.
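One way to renew the credentials before they expire, as an added example that is not part of the original answer: a small cache that calls assume_role again once the stored Expiration is within a safety margin. `RefreshingRoleCredentials`, `FakeSTS`, `demo` and the role ARN are hypothetical names and constructed values; `FakeSTS` only mimics the shape of the boto3 response so the block runs offline, and in real use you would pass `boto3.client("sts")` instead.

```python
from datetime import datetime, timedelta, timezone


class RefreshingRoleCredentials:
    """Caches AssumeRole credentials and renews them shortly before expiry."""

    def __init__(self, sts_client, role_arn, session_name, duration_seconds=3600,
                 refresh_margin_seconds=300, now=lambda: datetime.now(timezone.utc)):
        if refresh_margin_seconds >= duration_seconds:
            raise ValueError("refresh margin must be shorter than the session")
        self._sts = sts_client
        self._params = {"RoleArn": role_arn, "RoleSessionName": session_name,
                        "DurationSeconds": duration_seconds}
        self._margin = timedelta(seconds=refresh_margin_seconds)
        self._now = now
        self._creds = None

    def get(self):
        """Return usable credentials, calling AssumeRole again only when needed."""
        if self._creds is None or self._now() >= self._creds["Expiration"] - self._margin:
            self._creds = self._sts.assume_role(**self._params)["Credentials"]
        return self._creds


class FakeSTS:
    """Constructed stand-in for boto3.client("sts"); response shape only."""

    def __init__(self, clock):
        self.clock, self.calls = clock, 0

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{self.calls:04d}",      # constructed
            "SecretAccessKey": "constructed-secret",             # constructed
            "SessionToken": f"constructed-token-{self.calls}",   # constructed
            "Expiration": self.clock() + timedelta(seconds=DurationSeconds)}}


def demo():
    """Walk a simulated clock through one default 1-hour session."""
    t = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    clock = lambda: t[0]
    sts = FakeSTS(clock)
    # Placeholder ARN using a documentation-style account ID.
    cache = RefreshingRoleCredentials(
        sts, "arn:aws:iam::123456789012:role/example", "demo", now=clock)
    first = cache.get()["SessionToken"]
    t[0] += timedelta(minutes=30)    # well inside the hour: cached value reused
    reused = cache.get()["SessionToken"]
    t[0] += timedelta(minutes=26)    # 56 min: inside the 5-minute margin
    renewed = cache.get()["SessionToken"]
    return first, reused, renewed, sts.calls
```

Build each service client from the value returned by `get()` at the time of the request, so a long-running job never signs with a token that has already expired.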


I also faced this error, and I even checked my .aws/credential file. It contains credentials, but I would still recommend the following steps:

Before doing anything, the first thing you must do is run the following command:

aws sts get-caller-identity

If you have more than one profile in your AWS credentials, then use this one:

You can check your profiles in the following file: .aws/credential. If you have only [default], then there is no need to mention a profile.

aws --profile NAME_OF_YOUR_PROFILE sts get-caller-identity

Now the question is: will the above command solve the problem?

No, but at least it will let you know whether your credentials are correct or not. I was facing the same error, and when I ran the above command it gave me the following error:

An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

So at least I found out that I was using the wrong credentials. I just replaced the credentials and my problem was solved.