Description
Environment
- Elixir & Erlang versions (`elixir --version`): Elixir 1.17.3 (compiled with Erlang/OTP 27)
- ExAws version (`mix deps | grep ex_aws`): ex_aws 2.5.5
- HTTP client version (i.e. for hackney, `mix deps | grep hackney`): hackney 1.20.1
Current behavior
When using SSO credentials, e.g. `config :ex_aws, access_key_id: [{:awscli, "my-profile-here", 300}]`, ex_aws reads the cached OIDC token from `~/.aws/sso/cache/` and uses it to fetch the AWS creds. The token in the cache only has an expiration of one hour before the user has to repeat the `aws sso login` workflow.
Expected behavior
Suggestion: The credentials returned by `request_sso_role_credentials` can have an expiration of >1h (in my setup it's 6h), so ex_aws could cache those creds in the local filesystem. This is effectively what aws cli does: https://github.com/boto/botocore/blob/287fb2bbe32f11d449826344d4c6a21da6b1c9c5/botocore/credentials.py#L687 pulls from `~/.aws/cli/cache/HASH.json`.

ex_aws could try to reconstruct the hash algo for that part of awscli to do a read, but that seems flaky since their method takes the entire args json. Instead, I think it'd be nicer to write out to e.g. `~/.ex_aws/cache/credentials/PROFILE_HASH.json`. Then `CredentialsIni.File` could look there for existing cached credentials before attempting to pull via the cached SSO token, and the user doesn't have to re-login once an hour.
Let me know if this is a change you're open to making. Happy to contribute a PR if so.
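As an added illustration of the proposed cache (not ex_aws code and not the reporter's), here is a module that keys the cache file by a SHA-256 hash of the profile name, treats entries within five minutes of expiry as stale, and keeps the directory and file owner-only, since the file holds live credential material. It assumes OTP 27's built-in `:json` module and a caller-supplied fetch function standing in for `request_sso_role_credentials`.

```elixir
defmodule SsoCredentialCache do
  # Hypothetical module, not part of ex_aws. Cache location follows the issue's suggestion.
  @cache_dir Path.expand("~/.ex_aws/cache/credentials")
  # Treat entries as stale this many seconds before expiry so a request never
  # leaves with credentials that die in flight.
  @skew_seconds 300

  def cache_path(profile) do
    hash = :crypto.hash(:sha256, profile) |> Base.encode16(case: :lower)
    Path.join(@cache_dir, hash <> ".json")
  end

  # fetch_fun.(profile) stands in for request_sso_role_credentials and must return
  # {:ok, %{"access_key_id" => _, "secret_access_key" => _, "session_token" => _,
  #         "expiration" => iso8601_string}} or {:error, reason}.
  def fetch(profile, fetch_fun, now \\ DateTime.utc_now()) do
    path = cache_path(profile)

    case read_valid(path, now) do
      {:ok, creds} ->
        {:ok, creds}

      :miss ->
        with {:ok, creds} <- fetch_fun.(profile) do
          write(path, creds)
          {:ok, creds}
        end
    end
  end

  # Any unreadable, malformed or expired entry is a miss; the SSO flow is the fallback.
  defp read_valid(path, now) do
    with {:ok, bin} <- File.read(path),
         {:ok, %{"expiration" => exp} = creds} <- decode(bin),
         {:ok, exp_dt, _offset} <- DateTime.from_iso8601(exp),
         true <- DateTime.diff(exp_dt, now) > @skew_seconds do
      {:ok, creds}
    else
      _ -> :miss
    end
  end

  defp decode(bin), do: {:ok, :json.decode(bin)}
  rescue _ -> :error

  # Lock the directory down before the file is created, so the brief window
  # between File.write! (default mode) and chmod is not exposed to other users.
  defp write(path, creds) do
    File.mkdir_p!(Path.dirname(path))
    File.chmod!(Path.dirname(path), 0o700)
    File.write!(path, :json.encode(creds))
    File.chmod!(path, 0o600)
  end
end
```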