Cloud Catalog Items failing due to Error "Failed to execute API - Failed with status code and message: 400: The provided token has expired"

Issue

A Cloud Catalog item fails with an expired-token error even though the VM itself was provisioned. The stack provisioning fails because the TTL of the STS authentication token expires before the Create Stack transaction completes.

Resolution

When deployments take a long time (as in this case), the recommendation is to adjust (increase or decrease as appropriate) the value of the configuration values below.

MID server properties to set this up:
credential_ttl_seconds
mid.aws.sts.assume_role.credential_ttl_minutes

Other parameters you can set based on your requirements:
mid.aws.sts.assume_role.disable_credential_caching - Set this property to true to prevent the caching of the temporary AWS credentials.
cmp.aws.wait_provision_compute_minutes - Time to wait for a status from AWS after the cloud provisioning request is issued.
Time To Live (TTL) for the IAM role (set on AWS) - The maximum duration for which a child account can assume the role of the main account.

Detailed explanation:

There are two primary factors in play.

The STS security token used by the Cloud Provisioning and Governance (CPG) application: This token is used to make authorized calls to AWS services. It is acquired at the start of every new request. In most cases it does not need renewing, because cloud deployments rarely take more than an hour. AWS allows the TTL of the STS security token to be configured between 15 minutes and 36 hours, with a default of 12 hours. This setting is controlled by the MID server properties credential_ttl_seconds and mid.aws.sts.assume_role.credential_ttl_minutes.

The Time To Live (TTL) for the IAM role: In the current customer setup, a main-child relationship exists between service accounts, reflecting an organizational hierarchy. Child accounts depend on main accounts for authorization to resources they do not own directly. As such, the child accounts "AssumeRole" of the main account for a specific period of time, ranging from 1 hour to 12 hours. This has to be configured on AWS.

In addition to this, there are two supplementary factors.

Maximum wait time for a provisioning request in CP&G: This is an upper bound (specified in minutes) that tells CP&G how long to wait for a signal from AWS regarding the status (completion or failure) of the order.

Caching of tokens: The MID server, which CP&G uses to make calls to AWS, can cache STS security tokens in order to reduce the number of AWS calls.

The following product documentation covers these properties and their context.

AssumeRole: Configure a custom AWS member role; Assuming member roles with an AWS API - ServiceNow (docs.servicenow.com). The MID Server can call an AWS API and use the permanent credentials of an AWS main account (organization) to assume the role of one or more member accounts. By assuming the role, the MID Server receives temporary credentials for the member accounts generated by AWS for that role. Assuming member account roles in a large AWS organization is more convenient and offers better security than ...

STS token and caching: Configure access using temporary credentials based on trusted AWS accounts without AWS credentials; Assume an AWS role for temporary Cloud Discovery credentials (docs.servicenow.com).

The following documentation covers the configuration changes in AWS.

IAM role-related: Using IAM roles - AWS Identity and Access Management (docs.aws.amazon.com). Before an IAM user, application, or service can use a role that you created, you must grant permission to switch to the role. You can use any policy attached to one of an IAM user's groups or to the user itself to grant the necessary permissions.
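The settings above only work together when the token TTL covers the provisioning wait and stays within what the IAM role permits. The following pre-flight check is an added example, not part of the article or the ServiceNow product: the property names and the 15 min to 36 h and 1 h to 12 h ranges are taken from the article, the rule that an AssumeRole session cannot outlive the role's maximum session duration is standard AWS STS behaviour, and the half-TTL margin used for the caching warning is an assumption chosen for illustration.

```python
"""Consistency check for STS token TTL, IAM role session duration and the
CP&G provisioning wait. Added example; see the lead-in for what is assumed."""
from dataclasses import dataclass

STS_TTL_MIN_MINUTES = 15            # lower bound for the STS token TTL (article)
STS_TTL_MAX_MINUTES = 36 * 60       # upper bound for the STS token TTL (article)
ROLE_SESSION_MIN_HOURS = 1          # AssumeRole duration range set on AWS (article)
ROLE_SESSION_MAX_HOURS = 12


@dataclass
class StsConfig:
    credential_ttl_minutes: int        # mid.aws.sts.assume_role.credential_ttl_minutes
    role_max_session_hours: int        # maximum session duration configured on the IAM role
    wait_provision_minutes: int        # cmp.aws.wait_provision_compute_minutes
    disable_credential_caching: bool = False  # mid.aws.sts.assume_role.disable_credential_caching


def check_sts_config(cfg: StsConfig) -> list[str]:
    """Return findings that explain a likely '400: The provided token has expired'.
    An empty list means the three TTL-related settings are mutually consistent."""
    findings = []
    ttl = cfg.credential_ttl_minutes
    role_max_minutes = cfg.role_max_session_hours * 60
    if not STS_TTL_MIN_MINUTES <= ttl <= STS_TTL_MAX_MINUTES:
        findings.append(f"token TTL {ttl} min is outside the allowed "
                        f"{STS_TTL_MIN_MINUTES}-{STS_TTL_MAX_MINUTES} min range")
    if not ROLE_SESSION_MIN_HOURS <= cfg.role_max_session_hours <= ROLE_SESSION_MAX_HOURS:
        findings.append(f"role session {cfg.role_max_session_hours} h is outside the "
                        f"{ROLE_SESSION_MIN_HOURS}-{ROLE_SESSION_MAX_HOURS} h range")
    if ttl > role_max_minutes:
        # STS refuses a DurationSeconds longer than the role's maximum session duration
        findings.append(f"token TTL {ttl} min exceeds the role's {role_max_minutes} min "
                        "maximum session; raise the role TTL in AWS first")
    if cfg.wait_provision_minutes >= ttl:
        findings.append(f"provisioning wait {cfg.wait_provision_minutes} min is not covered "
                        f"by the {ttl} min token; Create Stack can outlive the token")
    elif not cfg.disable_credential_caching and cfg.wait_provision_minutes > ttl // 2:
        # Assumption: a cached token reused late in its life has less than the full TTL
        # left, so with caching enabled keep the wait well under the TTL or disable caching
        findings.append("caching enabled and wait exceeds half the TTL; a reused cached "
                        "token may expire mid-deployment")
    return findings


if __name__ == "__main__":
    # Constructed values: the failing setup, then the same deployment after tuning
    for cfg in (StsConfig(60, 1, 90), StsConfig(180, 4, 90, True)):
        print(cfg, "->", check_sts_config(cfg) or ["OK"])
```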