Description
Describe the feature
Need some way to detect expired SSO credentials without manually reading the cache files. This could be done by implementing a dedicated command, by making `aws sso login` optional, or by allowing the CLI to be run with a flag telling it to ignore the STS cache files (but still see the SSO ones).
Use Case
There is a very frequently encountered edge case where SSO credentials have expired but the cached STS credential for the CLI is still valid, so that aws-cli still appears to work, but no other tool (for example, ecr-credentials-helper) works.
I would like to use the CLI itself to detect this rather than try to dig into the cache files. I know it is possible to do, but it gets very ugly very fast and requires a lot of code that would have to be distributed.
Proposed Solution
- A command like `aws sso status` that will return success if the current SSO session exists and is valid, and an error if it does not.
Alternatives:
Alternative 1. `aws sso login --optional` - add an `--optional` flag to `aws sso login` so that it only triggers login IF you are not already logged in.
Alternative 2. `aws --no-cache sts get-caller-identity` - add a `--no-cache` flag to `aws` that will ignore any STS credential caches (no read or write) without deleting the cache.
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CLI version used
aws-cli/2.17.39 Python/3.11.9 Darwin/24.6.0 exe/x86_64
Environment details (OS name and version, etc.)
MacOs 15
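The following is an added example, not code from the aws-cli project or from the issue reporter, showing what the requested `aws sso status` check amounts to when done by hand against the cache files. It assumes the aws-cli v2 cache layout: SSO access tokens as JSON files under `~/.aws/sso/cache/` with `accessToken` and an ISO 8601 `expiresAt` field (the client-registration file in the same directory also carries `expiresAt` but no `accessToken`, so it must be skipped), and cached STS role credentials under `~/.aws/cli/cache/` with `Credentials.Expiration`. Those paths and field names are assumptions about the CLI, not something this issue states. The sample cache files are constructed inline to reproduce the edge case from the use case: an expired SSO token next to STS credentials that are still valid.

```python
"""Hand-rolled equivalent of the requested `aws sso status` check (added example).

Assumed aws-cli v2 cache layout (assumption, not documented by the issue):
  ~/.aws/sso/cache/<hash>.json   -> {"accessToken": ..., "expiresAt": "YYYY-MM-DDTHH:MM:SSZ", ...}
  ~/.aws/cli/cache/<hash>.json   -> {"Credentials": {"Expiration": "YYYY-MM-DDTHH:MM:SSZ", ...}}
"""
from __future__ import annotations

import json
import sys
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

SSO_CACHE = Path.home() / ".aws" / "sso" / "cache"
STS_CACHE = Path.home() / ".aws" / "cli" / "cache"


def _parse_iso8601(value: str) -> datetime:
    # The CLI writes a trailing "Z"; fromisoformat needs "+00:00" before Python 3.11.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def _iso(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _latest_expiry(cache_dir: Path, expiry_path: tuple[str, ...], required_key: str) -> datetime | None:
    """Latest expiry across JSON files in cache_dir that carry required_key.

    required_key filters out unrelated files, e.g. the SSO client-registration
    file, which has an expiresAt of its own but no accessToken.
    """
    cache_dir = Path(cache_dir)
    if not cache_dir.is_dir():
        return None
    latest = None
    for path in sorted(cache_dir.glob("*.json")):
        try:
            data = json.loads(path.read_text())
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip rather than crash
        if not isinstance(data, dict) or required_key not in data:
            continue
        node = data
        for key in expiry_path:
            node = node.get(key) if isinstance(node, dict) else None
        if not isinstance(node, str):
            continue
        expiry = _parse_iso8601(node)
        if latest is None or expiry > latest:
            latest = expiry
    return latest


def session_report(sso_cache: Path = SSO_CACHE, sts_cache: Path = STS_CACHE,
                   now: datetime | None = None) -> dict:
    """Classify the SSO token and flag the case where the CLI masks its expiry."""
    now = now or datetime.now(timezone.utc)
    sso_expiry = _latest_expiry(sso_cache, ("expiresAt",), "accessToken")
    sts_expiry = _latest_expiry(sts_cache, ("Credentials", "Expiration"), "Credentials")
    sso_valid = sso_expiry is not None and sso_expiry > now
    sts_valid = sts_expiry is not None and sts_expiry > now
    return {
        "sso": "missing" if sso_expiry is None else ("valid" if sso_valid else "expired"),
        "sts_cached_credentials_valid": sts_valid,
        # The issue's edge case: aws-cli keeps working from its STS cache while
        # every tool that needs the SSO token itself fails.
        "cli_masks_expired_sso": sts_valid and not sso_valid,
    }


def build_demo_caches(root: Path, now: datetime, sso_expired: bool = True) -> tuple[Path, Path]:
    """Write constructed sample cache files (not real credentials) under root."""
    sso, sts = root / "sso" / "cache", root / "cli" / "cache"
    sso.mkdir(parents=True, exist_ok=True)
    sts.mkdir(parents=True, exist_ok=True)
    token_expiry = now - timedelta(hours=1) if sso_expired else now + timedelta(hours=7)
    # Client registration: long-lived expiresAt, no accessToken; must be ignored.
    (sso / "botocore-client-id-us-east-1.json").write_text(json.dumps(
        {"clientId": "example-client-id", "clientSecret": "example-secret",
         "expiresAt": _iso(now + timedelta(days=60))}))
    (sso / "0123abcd.json").write_text(json.dumps(
        {"startUrl": "https://example.awsapps.com/start", "region": "us-east-1",
         "accessToken": "example-access-token", "expiresAt": _iso(token_expiry)}))
    (sts / "ffff0000.json").write_text(json.dumps(
        {"ProviderType": "sso", "Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example", "SessionToken": "example",
            "Expiration": _iso(now + timedelta(hours=1))}}))
    return sso, sts


def demo_report(sso_expired: bool = True) -> dict:
    """Run session_report over the constructed caches in a temporary directory."""
    now = datetime(2024, 9, 10, 12, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        sso, sts = build_demo_caches(Path(tmp), now, sso_expired)
        return session_report(sso, sts, now=now)


if __name__ == "__main__":
    report = session_report()  # real ~/.aws caches; exit 0 only if the SSO token is valid
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["sso"] == "valid" else 1)
```

Run without arguments it behaves like the proposed `aws sso status`: exit status 0 when a valid SSO token is cached, 1 otherwise, with the report also saying whether still-valid STS credentials are hiding the expiry. Note that this only checks timestamps; a token revoked server-side before `expiresAt` would still read as valid, which is one reason a CLI-native check is preferable to parsing the cache.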