Skip to content
Discussion options

You must be logged in to vote

You can get this without calling STS every time.

For SSO profiles, AWS CLI caches the SSO access token locally under:

~/.aws/sso/cache/

Those cache files are JSON and include an expiresAt timestamp. You can read that timestamp directly (fast, local file read) and use it in your prompt.

Example (bash) to print the soonest-expiring SSO token expiry:

ls -1 ~/.aws/sso/cache/.json >/dev/null 2>&1 &&
jq -r '.expiresAt // empty' ~/.aws/sso/cache/
.json 2>/dev/null | sort | head -n1

If you also want the “who am I” ARN without the 2–3s STS call, there is no built-in environment variable that AWS CLI exports (like AWS_SSO_ARN) because the caller identity is not derived purely from the local token; …

Replies: 2 comments 1 reply

Comment options

You must be logged in to vote
1 reply
@uldyssian-sh
Comment options

Answer selected by bytebeast
Comment options

You must be logged in to vote
0 replies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
Q&A
Labels
None yet
2 participants