Open arianvp opened 1 year ago
Amazon SSO gives you a refresh_token which you can use to renew your access_token by making a call to Amazonka.SSOOIDC.CreateToken
refresh_token
access_token
Amazonka.SSOOIDC.CreateToken
This is what we currently use and looks like this:
[profile my-dev-profile] sso_start_url = https://my-sso-portal.awsapps.com/start sso_region = us-east-1 sso_account_id = 123456789011 sso_role_name = readOnly region = us-west-2 output = json
In this format the config file can have (multiple) [sso-session my-session] blocks. The SDK will keep track of tokens per session in .aws/sso/cache/${sha1 session-name}.json And will store both an access_token and a refresh_token
[sso-session my-session]
.aws/sso/cache/${sha1 session-name}.json
[profile my-dev-profile] sso_session = my-sso sso_account_id = 123456789011 sso_role_name = readOnly region = us-west-2 output = json [sso-session my-sso] sso_region = us-east-1 sso_start_url = https://my-sso-portal.awsapps.com/start sso_registration_scopes = sso:account:access
~/.aws/sso/cache
Example in other SDK: https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.25/credentials/ssocreds/sso_token_provider.go
Amazon SSO gives you a
refresh_tokenwhich you can use to renew youraccess_tokenby making a call toAmazonka.SSOOIDC.CreateTokenLegacy non-refreshable format
This is what we currently use and looks like this:
Automatic token refresh format
In this format the config file can have (multiple)
[sso-session my-session]blocks. The SDK will keep track of tokens per session in.aws/sso/cache/${sha1 session-name}.jsonAnd will store both anaccess_tokenand arefresh_tokenReference implementation
access_tokenandrefresh_tokenare stored in a filename based on the hash of the session name in~/.aws/sso/cacheaccess_tokenis expired. We can request a new token with therefresh_tokenby callingAmazonka.SSOOIDC.CreateTokenExample in other SDK: https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.25/credentials/ssocreds/sso_token_provider.go