docs: Add troubleshooting guide for AWS Bedrock security token expiration

- Create new page for handling security token timeout errors
- Document awsAuthRefresh and awsCredentialExport configuration
- Add troubleshooting steps for common credential refresh issues
- Reference GitHub issues #3823 and #11264 for known bugs/feature requests
- Update main Bedrock page with link to troubleshooting guide
- Add journal entries for new documentation

Author: codekiln

journals/2025_11_12.md

@@ -1,4 +1,5 @@
 ## Rustacian Installers
 	- [[Rust/CLI/Concept/Best Practices for Rust-Based CLI Installers]]
-## Marketing Quote
-	- [[Marketing]] - Added quote about marketing as the bridge between company purpose and customer needs from [[Person/Philip Kotler]]
+- ## Marketing Quote
+	- [[Marketing]] - Added quote about marketing as the bridge between company purpose and customer needs from [[Person/Philip Kotler]]
+		- > > **Marketing** is the art and science of creating genuine customer value. It is the **bridge** between the company's **purpose** and the customer's **needs**. #Quote from [[Person/Philip Kotler]], Father of Modern Marketing

journals/2025_11_13.md

@@ -0,0 +1 @@
+- [[LangChain/Academy/LangSmith/Quickstart Essentials/Module 2 Evaluation/Online]]

journals/2025_11_14.md

@@ -0,0 +1,2 @@
+- [[Claude Code]]
+	- Created [[Claude Code/Bedrock/How To/Get Around Security Token Timeout]] - troubleshooting guide for handling "API Error: The security token included in the request is expired" when using Bedrock with Claude Code

pages/Claude Code___Bedrock.md

@@ -12,7 +12,7 @@ alias:: [[Anthropic/App/Claude Code/Bedrock]]
 			  }
 			  ```
 	- ##### Configuration settings explained
-		- **`awsAuthRefresh`**: Use this for commands that modify the `.aws` directory (e.g., updating credentials, SSO cache, or config files). Output is shown to the user (but user input is not supported), making it suitable for browser-based authentication flows where the CLI displays a code to enter in the browser.**`awsCredentialExport`**: Only use this if you cannot modify `.aws` and must directly return credentials. Output is captured silently (not shown to the user). The command must output JSON in this format:
+		- **`awsAuthRefresh`**: Use this for commands that modify the `.aws` directory (e.g., updating credentials, SSO cache, or config files). Output is shown to the user (but user input is not supported), making it suitable for browser-based authentication flows where the CLI displays a code to enter in the browser.**`awsCredentialExport`**: Only use this if you cannot modify `.aws` and must directly return credentials. Output is captured silently (not shown to the user). The command must output JSON in this format:
 			- ```
 			  {
 			  "Credentials": {
@@ -21,4 +21,6 @@ alias:: [[Anthropic/App/Claude Code/Bedrock]]
 			    "SessionToken": "value"
 			  }
 			  }
-			  ```
+			  ```
+	- #### Troubleshooting credential expiration
+		- If you encounter the error "API Error: The security token included in the request is expired" and automatic credential refresh isn't working, see [[Claude Code/Bedrock/How To/Get Around Security Token Timeout]] for troubleshooting steps and workarounds.

pages/Claude Code___Bedrock___How To___Get Around Security Token Timeout.md

@@ -0,0 +1,166 @@
+tags:: [[Diataxis/How To]], [[Claude Code]], [[AWS/Bedrock]]
+alias:: [[Anthropic/App/Claude Code/Bedrock/How To/Get Around Security Token Timeout]]
+
+- # How To Handle Security Token Expiration Errors with Claude Code and AWS Bedrock
+	- ## Problem
+		- When using [[Claude Code]] with [[AWS/Bedrock]], you may encounter the error:
+			- ```
+			  API Error: The security token included in the request is expired
+			  ```
+		- This occurs when AWS credentials (STS tokens, SSO sessions, etc.) have expired and Claude Code needs to refresh them.
+	- ## Expected Behavior
+		- According to the [official documentation](https://code.claude.com/docs/en/amazon-bedrock), Claude Code should automatically detect expired credentials and run your configured `awsAuthRefresh` command before retrying the request.
+		- Detection happens in two ways:
+			- **Local detection**: Based on credential timestamp in `~/.aws/credentials` or SSO cache
+			- **Remote detection**: When Bedrock returns a credential error (like the expired token error)
+	- ## Configuration
+		- ### Basic Setup
+			- Add `awsAuthRefresh` to your Claude Code settings file (`~/.claude/settings.json`):
+				- ```json
+				  {
+				    "awsAuthRefresh": "aws sso login --profile myprofile",
+				    "env": {
+				      "AWS_PROFILE": "myprofile",
+				    }
+				  }
+				  ```
+		- ### Command Types
+			- **`awsAuthRefresh`**: For commands that modify the `.aws` directory (credentials, SSO cache, config files)
+				- Output is shown to the user
+				- User input is NOT supported (see [GitHub Issue #11264](https://github.com/anthropics/claude-code/issues/11264) for feature request to support interactive authentication)
+				- Suitable for browser-based authentication flows
+				- **Limitation**: Interactive authentication tools (like `gimme-aws-creds` with password/MFA prompts) cannot be used with `awsAuthRefresh` currently
+			- **`awsCredentialExport`**: For commands that output credentials directly as JSON
+				- Output is captured silently (not shown)
+				- Must output JSON in this format:
+					- ```json
+					  {
+					    "Credentials": {
+					      "AccessKeyId": "value",
+					      "SecretAccessKey": "value",
+					      "SessionToken": "value"
+					    }
+					  }
+					  ```
+				- **Example Commands**:
+					- **Using AWS STS assume-role with jq** (most common):
+						- ```json
+						  "awsCredentialExport": "aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyRole --role-session-name mysession | jq '{Credentials: .Credentials | {AccessKeyId, SecretAccessKey, SessionToken}}'"
+						  ```
+						- Reference: [AWS CLI Command Reference: assume-role](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html)
+					- **Using AWS STS get-session-token with jq**:
+						- ```json
+						  "awsCredentialExport": "aws sts get-session-token | jq '{Credentials: .Credentials | {AccessKeyId, SecretAccessKey, SessionToken}}'"
+						  ```
+						- Reference: [AWS CLI Command Reference: get-session-token](https://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html)
+					- **Using a custom script**:
+						- ```json
+						  "awsCredentialExport": "/path/to/generate_aws_grant.sh"
+						  ```
+						- The script should output the JSON format shown above to stdout
+						- Reference: [Claude Code Settings Documentation](https://code.claude.com/docs/en/settings) - See `awsCredentialExport` setting
+					- **Using AWS CLI export-credentials** (if your AWS CLI version supports it):
+						- ```json
+						  "awsCredentialExport": "aws configure export-credentials --profile myprofile --format json | jq '{Credentials: {AccessKeyId: .AccessKeyId, SecretAccessKey: .SecretAccessKey, SessionToken: .SessionToken}}'"
+						  ```
+						- Reference: [AWS CLI Command Reference: configure export-credentials](https://docs.aws.amazon.com/cli/latest/reference/configure/export-credentials.html)
+					- **Using a wrapper script with environment variables**:
+						- ```json
+						  "awsCredentialExport": "bash -c 'aws sts assume-role --role-arn $AWS_ROLE_ARN --role-session-name $SESSION_NAME | jq \"{Credentials: .Credentials | {AccessKeyId, SecretAccessKey, SessionToken}}\"'"
+						  ```
+						- References:
+							- [AWS CLI Command Reference: assume-role](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html)
+							- [jq Manual](https://stedolan.github.io/jq/manual/) - For [[jq]] filter syntax
+				- **Important Notes**:
+					- The command must output **only** valid JSON to stdout (no error messages or other output)
+					- Use `jq` to filter AWS STS output, as it includes additional fields (`Expiration`, `AssumedRoleUser`, etc.) that Claude Code doesn't need
+					- Ensure `jq` is available in Claude Code's PATH if your command uses it
+					- For commands with pipes, you may need to wrap them in `bash -c` or `sh -c`
+					- Test your command manually first to ensure it outputs the correct JSON format
+	- ## Troubleshooting: When Automatic Refresh Doesn't Work
+		- ### Issue: Command Not Triggering
+			- If you see the expired token error but no indication that `awsAuthRefresh` ran:
+				- **Check command path**: Ensure your command is in your PATH when Claude Code runs
+					- Claude Code may not have access to the same PATH as your shell
+					- Try using the full path: `"/usr/local/bin/aws sso login --profile myprofile"`
+				- **Check command syntax**: Verify the command works when run manually
+					- ```bash
+					  aws sso login --profile myprofile
+					  ```
+				- **Check permissions**: Ensure Claude Code has permission to execute the command
+					- Check your `permissions` settings in `settings.json`
+					- May need to add: `"Bash(aws:*)"` to allowed commands
+			- **Workaround**: Manually refresh credentials before using Claude Code
+				- ```bash
+				  aws sso login --profile myprofile
+				  ```
+				- Then retry your Claude Code request
+		- ### Issue: Credentials Refreshed But Not Used (Known Bug)
+			- **Symptom**: `awsAuthRefresh` runs successfully and credentials are updated in `~/.aws/credentials`, but Claude Code still fails with expired token errors
+			- **Cause**: This is a [known bug in Claude Code](https://github.com/anthropics/claude-code/issues/3823) where the refreshed credentials aren't always picked up after `awsAuthRefresh` completes
+			- **Workaround**: Exit and resume Claude Code to force it to reload credentials
+				- Exit Claude Code: `Ctrl+C` or `exit`
+				- Resume with: `claude -r` (resume last session)
+				- This forces Claude Code to reload credentials from `~/.aws/credentials`
+			- **Alternative Workaround**: Use `awsCredentialExport` instead of `awsAuthRefresh`
+				- `awsCredentialExport` directly provides credentials to Claude Code, bypassing the credential file reload issue
+				- See the `awsCredentialExport` examples above
+			- **Note**: The issue tracker includes a request for a `/refresh-credential` command to manually trigger credential reload without exiting
+		- ### Issue: Command Not Found
+			- If your refresh command isn't available in Claude Code's environment:
+				- **Option 1**: Use full path to the command
+					- Find command location: `which aws` or `command -v aws`
+					- Use full path in `awsAuthRefresh`: `"/usr/local/bin/aws sso login --profile myprofile"`
+				- **Option 2**: Use direct script path
+					- If you have a custom refresh script, reference it directly:
+						- ```json
+						  "awsAuthRefresh": "/path/to/refresh_credentials.sh"
+						  ```
+				- **Option 3**: Use `awsCredentialExport` with a wrapper script
+					- Create a script that outputs credentials in the required JSON format
+					- See examples in the `awsCredentialExport` section above
+		- ### Issue: Interactive Commands
+			- If your refresh command requires user interaction (like password entry, MFA approval, Touch ID):
+				- Claude Code's `awsAuthRefresh` shows output but doesn't support user input
+				- This may cause the command to hang or fail
+				- **Current Workaround**: Use `awsCredentialExport` instead, or ensure your command can run non-interactively
+				- **Future Enhancement**: [GitHub Issue #11264](https://github.com/anthropics/claude-code/issues/11264) requests support for interactive `awsAuthRefresh` to enable enterprise authentication flows (gimme-aws-creds, saml2aws, etc.)
+				- **Alternative**: For now, manually refresh credentials in a separate terminal before using Claude Code
+		- ### Issue: Environment Variables Not Available
+			- If your refresh command needs specific environment variables:
+				- Add them to the `env` section of your settings.json
+			- Example:
+				- ```json
+				  {
+				    "awsAuthRefresh": "aws sso login --profile myprofile",
+				    "env": {
+				      "AWS_PROFILE": "myprofile",
+				      "OP_SESSION_myorg": "your-session-token",
+				      "PATH": "/custom/path:$PATH"
+				    }
+				  }
+				  ```
+	- ## Manual Refresh Workflow
+		- When automatic refresh fails, use this workflow:
+		  1. **Check current credentials**:
+			- ```bash
+			  aws sts get-caller-identity --profile myprofile
+			  ```
+			  2. **Refresh credentials**:
+			- ```bash
+			  aws sso login --profile myprofile
+			  ```
+			  3. **Verify new credentials**:
+			- ```bash
+			  aws sts get-caller-identity --profile myprofile
+			  ```
+			  4. **Retry Claude Code request**
+	- ## Related Pages
+		- [[Claude Code/Bedrock]] - Main Bedrock integration guide
+		- [[mise/Task/How To/invoke aws_okta_keyman from mise with a configuration that references a default AWS account]] - Example of setting up credential refresh scripts
+		- [[Claude Code/Settings]] - Claude Code settings documentation
+	- ## References
+		- [Claude Code on Amazon Bedrock - Advanced Credential Configuration](https://code.claude.com/docs/en/amazon-bedrock#advanced-credential-configuration)
+		- [Claude Code Settings Documentation](https://code.claude.com/docs/en/settings)
+		- [GitHub Issue #3823: CC not taking the updated credentials with awsAuthRefresh](https://github.com/anthropics/claude-code/issues/3823) - Known bug where refreshed credentials aren't always used
+		- [GitHub Issue #11264: Interactive awsAuthRefresh](https://github.com/anthropics/claude-code/issues/11264) - Feature request to support interactive authentication flows (password/MFA prompts) within Claude Code

pages/Claude Code___Plugin___Marketplace___Report___25___11___Precedents.md

@@ -15,7 +15,7 @@ tags:: [[AI Deep Research]], [[Report]]
 				- A large community-maintained marketplace with 84 agents, 63 plugins, and 47 skills.
 				- Implements an internal `/plugin marketplace add` command for plugin management and orchestration, facilitating user-driven plugin registration and discovery.
 				- Features a progressive disclosure architecture for skills, likely mapping to manifest-driven discovery and dependency definition.
-			- #### 1.1.4. [davila7/claude-code-templates](https://github.com/davila7/claude-code-templates)
+			- #### 1.1.4. [davila7/claude-code-templates](https://github.com/davila7/claude-code-templates) - see also [Claude Code Templates - Supercharge Your AI-Powered Development with Anthropic's Claude Code](https://www.aitmpl.com/hooks)
 				- A CLI-driven plugin/skill marketplace focused on Claude Code setups.
 				- Offers over 100 modular components (agents, commands, MCPs, hooks, skills) and a plugin dashboard.
 				- Includes extensive documentation (docs.aitmpl.com), analytics, and possible health-check utilities.

pages/LangChain___Academy___LangSmith___Quickstart Essentials___Module 2 Evaluation___Online.md

@@ -0,0 +1,7 @@
+- [Quickstart: LangSmith Essentials - LangChain Academy](https://academy.langchain.com/courses/take/quickstart-langsmith-essentials/lessons/70020762-online-evaluation-insights)
+	- [[My Notes]]
+		- Pretty useful! Quite a few new things
+		- I learned about Waterfall view in LangSmith trace, which I wasn't as familiar with
+		- Has some demos of a new insights dashboard
+			- https://docs.langchain.com/langsmith/insights
+				- once again, it requires either an Anthropic or OpenAI key - likely does not work with Bedrock or Azure

pages/Person___Daniel Avila___GitHub___claude-code-templates.md

@@ -1,3 +1,5 @@
+alias:: [[aitmpl.com]]
+
 - # [Claude Code Templates (aitmpl.com)](https://github.com/davila7/claude-code-templates)
 	- Repository: [davila7/claude-code-templates](https://github.com/davila7/claude-code-templates)
 	- [[Person/Daniel Avila/GitHub/claude-code-templates/DeepWiki]] #DeepWiki
@@ -90,5 +92,4 @@
 	- **Commands Collection:**
 		- **awesome-claude-code Commands** by hesreallyhim - Licensed under CC0 1.0 Universal (21 commands)
 - ## License
-	- MIT License - see the [LICENSE file](https://github.com/davila7/claude-code-templates/blob/main/LICENSE) for details
-
+	- MIT License - see the [LICENSE file](https://github.com/davila7/claude-code-templates/blob/main/LICENSE) for details