common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Support refreshable AWS SSO sessions #615

Closed chrnorm closed 4 months ago

chrnorm commented 4 months ago

Granted currently uses the legacy AWS SSO login flow. This is the current login screen that you see, which indicates the legacy flow:

[image: screenshot of the legacy AWS SSO login screen]

The legacy login flow returns non-refreshable access tokens with a fixed 8hr expiry.

The new AWS SSO login flow looks like this:

[image: screenshot of the new AWS SSO login screen]

It returns shorter-lived access tokens with a 1hr expiry, and returns refresh tokens allowing the access token to be refreshed. An organization's administrator can configure the session duration up to a maximum of 90 days.

chrnorm commented 4 months ago

Some additional background on this from my testing with the native AWS CLI:

Running aws sso configure gave me the following generated profile config:

```ini
[profile AWSAdministratorAccess-123456789012]
sso_session = commonfate
sso_account_id = 123456789012
sso_role_name = AWSAdministratorAccess
region = ap-southeast-2

[sso-session commonfate]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access
```

and created the following files:

`~/.aws/sso/cache/349065c70245ecd32e7f0bedacd045d06f33cc63.json`:

```json
{"clientId": "Wn1c2S1a1iknojKnWR_HVGFwLXNvdXRoZWFzdC0y", "clientSecret": "<SECRET>", "expiresAt": "2024-05-30T10:43:48Z", "scopes": ["sso:account:access"]}
```

`~/.aws/sso/cache/b10228e89e312638df9359ab1af32f2058d8b464.json`:

```json
{"startUrl": "https://commonfate.awsapps.com/start", "region": "ap-southeast-2", "accessToken": "<token>", "expiresAt": "2024-03-01T11:44:08Z", "clientId": "Wn1c2S1a1iknojKnWR_HVGFwLXNvdXRoZWFzdC0y", "clientSecret": "<SECRET>", "registrationExpiresAt": "2024-05-30T10:43:48Z", "refreshToken": "<REFRESH_TOKEN>"}
```
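As an added example (not Granted's code or anything from the issue), the cache file quoted above implies the decision a client has to make when it reads one of these entries: the Go below parses the token file and says whether the access token is still valid, can be refreshed while the client registration (`registrationExpiresAt`) is still live, or needs a fresh device login. The field names are those of the file above; the sample value and the three state strings are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Decision-relevant fields of the ~/.aws/sso/cache/<hash>.json token file quoted in the
// issue; legacy-flow entries carry no refreshToken or registrationExpiresAt.
type ssoTokenCache struct {
	AccessToken           string    `json:"accessToken"`
	ExpiresAt             time.Time `json:"expiresAt"`
	RegistrationExpiresAt time.Time `json:"registrationExpiresAt"`
	RefreshToken          string    `json:"refreshToken"`
}

// ParseCache decodes one cache file, rejecting entries without the mandatory fields.
func ParseCache(data []byte) (c ssoTokenCache, err error) {
	if err = json.Unmarshal(data, &c); err == nil && (c.AccessToken == "" || c.ExpiresAt.IsZero()) {
		err = fmt.Errorf("cache entry lacks accessToken or expiresAt")
	}
	return c, err
}

// Classify decides what a client must do with a cached entry at time now: "valid" (use the
// access token), "refreshable" (expired, but the refresh token and client registration are
// still live) or "relogin" (a new device login is needed). The refresh call is authenticated
// with clientId/clientSecret, so a legacy entry's zero RegistrationExpiresAt never qualifies.
func Classify(c ssoTokenCache, now time.Time) string {
	switch {
	case now.Before(c.ExpiresAt):
		return "valid"
	case c.RefreshToken != "" && now.Before(c.RegistrationExpiresAt):
		return "refreshable"
	default:
		return "relogin"
	}
}

// Constructed sample mirroring the issue's second cache file, with secrets replaced.
const sampleCache = `{"accessToken": "<token>", "expiresAt": "2024-03-01T11:44:08Z",
 "registrationExpiresAt": "2024-05-30T10:43:48Z", "refreshToken": "<REFRESH_TOKEN>"}`

func main() {
	c, err := ParseCache([]byte(sampleCache))
	fmt.Println(Classify(c, time.Date(2024, 3, 2, 0, 0, 0, 0, time.UTC)), err) // prints "refreshable <nil>"
}
```

Note that in the new flow the refresh token, not the one-hour access token, is the long-lived credential in this file (up to the 90-day session the issue mentions), so the cache directory needs the same protection as the access token itself.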