Getting SSO login arn and expiration #8669
-
|
Been trying to figure out how to get the current creds used on my terminal window. So that I can place that in my PROMPT. I am able to run Before we used sso, I could just look at |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 1 reply
-
|
You can get this without calling STS every time. For SSO profiles, AWS CLI caches the SSO access token locally under: ~/.aws/sso/cache/ Those cache files are JSON and include an Example (bash) to print the soonest-expiring SSO token expiry: ls -1 ~/.aws/sso/cache/.json >/dev/null 2>&1 && If you also want the “who am I” ARN without the 2–3s STS call, there is no built-in environment variable that AWS CLI exports (like AWS_SSO_ARN) because the caller identity is not derived purely from the local token; it’s resolved by AWS services (STS). Practical prompt approach: Use AWS_PROFILE (or AWS_DEFAULT_PROFILE) to show which profile is selected, and use the local SSO cache export AWS_PROFILE=my-sso-profile Then in your prompt:
If you need ARN, the only authoritative method is an API call like Summary:
|
Beta Was this translation helpful? Give feedback.
-
|
Hello! Reopening this discussion to make it searchable. |
Beta Was this translation helpful? Give feedback.
You can get this without calling STS every time.
For SSO profiles, AWS CLI caches the SSO access token locally under:
~/.aws/sso/cache/
Those cache files are JSON and include an
expiresAttimestamp. You can read that timestamp directly (fast, local file read) and use it in your prompt.Example (bash) to print the soonest-expiring SSO token expiry:
ls -1 ~/.aws/sso/cache/.json >/dev/null 2>&1 &&
jq -r '.expiresAt // empty' ~/.aws/sso/cache/.json 2>/dev/null | sort | head -n1
If you also want the “who am I” ARN without the 2–3s STS call, there is no built-in environment variable that AWS CLI exports (like AWS_SSO_ARN) because the caller identity is not derived purely from the local token; …