Description
Describe the bug
The generate_image tool fails with "ExpiredTokenException: The security token included in the request is expired" even
though AWS credentials are valid and working for AWS CLI commands.
To Reproduce
- Configure AWS credentials with temporary session credentials (access key, secret key, session token)
- Verify credentials work: aws sts get-caller-identity ✅ succeeds
- Verify Bedrock access: aws bedrock-runtime invoke-model --model-id amazon.nova-canvas-v1:0 ✅ succeeds
- Start Q CLI session: kiro-cli chat --agent
- Call generate_image tool directly in main session
- ❌ Observe ExpiredTokenException error
- Delegate same task to subagent using use_subagent
- ✅ Observe that subagent's generate_image call succeeds
Expected behavior
The generate_image tool should successfully call Amazon Bedrock Nova Canvas API when valid AWS credentials are present
in ~/.aws/credentials and AWS CLI commands work correctly.
Actual behavior
- Main session: Error executing tool generate_image: Failed to generate image: An error occurred (ExpiredTokenException) when calling the InvokeModel operation: The security token included in the request is expired
- Subagent session: Image generation succeeds with same credentials
Evidence
- AWS credentials file contains valid aws_access_key_id, aws_secret_access_key, and aws_session_token
- aws sts get-caller-identity returns valid identity
- aws bedrock-runtime invoke-model succeeds with same credentials
- Subagent delegation works, main session fails
- Credentials are not expired (verified via AWS CLI)
Environment
- Q CLI Version: 1.23.1
- OS: macOS
- Region: us-east-1
- Model: amazon.nova-canvas-v1:0
- Credential type: Temporary session credentials with session token
Root Cause Hypothesis
The generate_image tool in the main session context is not properly reading credentials from the standard AWS credential
chain, while subagents reinitialize credential reading correctly.
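As an added illustration of the pattern this hypothesis describes (example code, not from this issue or from the Q CLI project), assuming the main session resolves credentials once at startup while a subagent re-reads ~/.aws/credentials on each call; the credentials file contents, key ids and tokens are constructed placeholders:

```python
"""Frozen-at-startup credentials vs. per-call resolution of ~/.aws/credentials.
Standard library only; invoke_model is a stand-in, not a real Bedrock call."""
import configparser

def read_profile(credentials_text: str, profile: str = "default") -> dict:
    """Parse ~/.aws/credentials-style INI text and return one profile's fields."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    if profile not in parser:
        raise KeyError(f"profile '{profile}' not found in credentials file")
    return dict(parser[profile])

def invoke_model(creds: dict, valid_tokens: set) -> str:
    """Stand-in for bedrock-runtime InvokeModel: rejects rotated or expired tokens."""
    if creds.get("aws_session_token") not in valid_tokens:
        raise PermissionError("ExpiredTokenException: The security token "
                              "included in the request is expired")
    return "image-bytes"

class FrozenCredentialSession:
    """Resolves credentials once at construction (the failing main-session pattern)."""
    def __init__(self, read_file):
        self.creds = read_profile(read_file())
    def generate_image(self, read_file, valid_tokens):
        return invoke_model(self.creds, valid_tokens)

class RefreshingCredentialSession:
    """Resolves the credential chain on every tool call (the subagent pattern)."""
    def generate_image(self, read_file, valid_tokens):
        return invoke_model(read_profile(read_file()), valid_tokens)

def creds_file(key_id: str, token: str) -> str:  # constructed file content
    return (f"[default]\naws_access_key_id = {key_id}\n"
            f"aws_secret_access_key = PLACEHOLDER_SECRET\naws_session_token = {token}\n")

def scenario() -> dict:
    """Timeline: session starts, a credential helper rotates the token, tool is called."""
    disk = {"text": creds_file("ASIAEXAMPLEOLD", "TOKEN_OLD")}  # constructed
    read_file = lambda: disk["text"]
    main_session = FrozenCredentialSession(read_file)
    disk["text"] = creds_file("ASIAEXAMPLENEW", "TOKEN_NEW")     # file refreshed on disk
    valid_tokens = {"TOKEN_NEW"}                                  # old token now expired
    results = {"main": "ok"}
    try:
        main_session.generate_image(read_file, valid_tokens)
    except PermissionError as err:
        results["main"] = str(err).split(":")[0]
    results["subagent"] = RefreshingCredentialSession().generate_image(read_file, valid_tokens)
    return results
```

Running `scenario()` reproduces the split seen in the report: the frozen session gets ExpiredTokenException while the refreshing one succeeds with the same file on disk.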