Brightspace / bmx

IAM-less AWS API access for humans.
Apache License 2.0

Support refresh (by default, with opt-out) for print and write #179

Open dougmoscrop opened 5 years ago

dougmoscrop commented 5 years ago

bmx renew did not survive the rewrite from Python to Golang. I think it would be useful to support it.

Example:

bmx renew --profile=test-foo

Renew would:

--profile would default to $AWS_PROFILE if unspecified, allowing users to export AWS_PROFILE=xyz and just bmx renew (all bmx commands should understand and respect AWS_PROFILE in my opinion). I would also argue that renew should be a profile-only command, and I actually completely discourage using default credentials anywhere.

chris-redekop commented 5 years ago

From your description, I think a --refresh option on both write and print would make sense and be useful. Did I get that right?

dougmoscrop commented 5 years ago

Yeah, although I think further to your point, --refresh should just be the default behaviour!

Or said, "As a developer, I want to type as few things as possible" 😆

bmx [write|print] should:

  1. take $AWS_PROFILE if set
  2. override that with --profile when provided and fall back to 'default' profile if AWS_PROFILE and --profile are not provided
  3. look to see what account/role was used for {resolved-profile}, if profile is being specified
  4. see if the credentials are expired, and refresh them if necessary; this should only prompt for account/role if default profile was used, or no pre-existing profile-to-account-and-role mapping exists, or --no-refresh is set
  5. write or print them depending on the command

In order to make switching roles possible via interactive prompts, the refresh flag should default to true, but be able to be disabled. bmx print --no-refresh would stop at 3. and just act like it currently does (selection for account, role, etc.).
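
The profile precedence and refresh decision proposed in steps 1 to 4 above, written out as an added Go example; it is not code from bmx or from either commenter. `Action`, `Cached`, `ResolveProfile`, `Plan` and the in-memory `store` are hypothetical names, and the sample profile data is constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what the command does before it writes or prints credentials.
type Action string
const (
	UseCached Action = "use-cached" // still valid: no prompt, no new session
	Refresh   Action = "refresh"    // expired: re-issue for the remembered account/role
	Prompt    Action = "prompt"     // interactive account/role selection
)

// Cached is a hypothetical record of what a profile was last issued for.
type Cached struct {
	Account, Role string
	Expires       time.Time
}

// ResolveProfile covers steps 1-2: --profile, then $AWS_PROFILE, then "default".
func ResolveProfile(flag, env string) string {
	for _, p := range []string{flag, env} {
		if p != "" {
			return p
		}
	}
	return "default"
}

// Plan covers steps 3-4 for an already resolved profile.
func Plan(profile string, store map[string]Cached, noRefresh bool, now time.Time) Action {
	c, known := store[profile]
	if noRefresh || profile == "default" || !known {
		return Prompt // the three cases in step 4 that still ask for account/role
	}
	if now.Before(c.Expires) {
		return UseCached
	}
	return Refresh
}

func main() {
	now := time.Now()
	// Constructed sample: as if AWS_PROFILE=test-foo and its credentials expired a minute ago.
	store := map[string]Cached{"test-foo": {"example-account", "example-role", now.Add(-time.Minute)}}
	fmt.Println(Plan(ResolveProfile("", "test-foo"), store, false, now))
}
```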