
fix: Support AWS CLI v2 SSO cache and CLI assume-role cache#87

Merged
huseyinbabal merged 1 commit into master from fix/sso-cache-formats
Jan 15, 2026

Conversation

@huseyinbabal
Owner

Summary

Fix issue where taws doesn't recognize active sessions created by other tools (AWS CLI v2, external apps).

Closes #85

Changes

1. SSO Token Cache (sso.rs)

  • Support CLI v2 format: SHA1(sso_session) for cache file name
  • Support CLI v1/legacy format: SHA1(sso_start_url) as fallback
  • Support both snake_case and camelCase field names via serde aliases
  • Make region field optional (not all cache files have it)

2. AWS CLI Assume-Role Cache (credentials.rs)

  • Read cached credentials from ~/.aws/cli/cache/
  • Match cache files by comparing role ARN and account ID
  • Check expiration before using cached credentials
  • Fall back to performing STS AssumeRole if no valid cache found

3. Tests

  • Add tests for CLI cache file matching logic
  • Add tests for expired credential handling
  • Add tests for non-matching role ARNs

What This Enables

taws can now use credentials cached by:

  • aws sso login (CLI v2)
  • aws sts get-caller-identity --profile <assume-role-profile>
  • External tools that populate ~/.aws/cli/cache/

Priority Order for Role Assumption Profiles

When a profile has role_arn configured:

  1. First check ~/.aws/cli/cache/ for existing valid credentials
  2. If not found, perform STS AssumeRole (existing behavior)

This avoids unnecessary API calls when valid credentials already exist.

Fix issue where taws doesn't recognize active sessions created by other
tools (AWS CLI v2, external apps).

Changes:

1. SSO Token Cache (sso.rs):
   - Support CLI v2 format: SHA1(sso_session) for cache file name
   - Support CLI v1/legacy format: SHA1(sso_start_url) as fallback
   - Support both snake_case and camelCase field names via serde aliases
   - Make region field optional (not all cache files have it)

2. AWS CLI Assume-Role Cache (credentials.rs):
   - Read cached credentials from ~/.aws/cli/cache/
   - Match cache files by comparing role ARN and account ID
   - Check expiration before using cached credentials
   - Fall back to performing STS AssumeRole if no valid cache found

3. Tests:
   - Add tests for CLI cache file matching logic
   - Add tests for expired credential handling
   - Add tests for non-matching role ARNs

This allows taws to use credentials cached by:
- aws sso login (CLI v2)
- aws sts get-caller-identity --profile <assume-role-profile>
- External tools that populate ~/.aws/cli/cache/

Closes #85
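The lookup order the description gives (CLI v2 cache name from SHA1(sso_session), legacy SHA1(sso_start_url) as fallback, either field-name style with region optional, then a ~/.aws/cli/cache match on account and role name with an expiry check before falling back to STS AssumeRole), as an added Python example; this is not the project's Rust code from sso.rs or credentials.rs. The sample cache files are constructed, and treating 'Z', 'UTC' and '+00:00' as the timestamp suffixes different CLI versions write is an assumption.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
def sso_cache_candidates(sso_session, sso_start_url):
    """~/.aws/sso/cache names to try: CLI v2 SHA1(sso_session) first, legacy SHA1(sso_start_url) as fallback."""
    return [hashlib.sha1(k.encode("utf-8")).hexdigest() + ".json" for k in (sso_session, sso_start_url) if k]
def parse_ts(value):
    # Assumption: cache timestamps end in 'Z', 'UTC' or '+00:00'; normalise all three to one aware UTC datetime.
    return datetime.fromisoformat(value.replace("UTC", "+00:00").replace("Z", "+00:00"))
def load_sso_token(raw, now):
    """Unexpired token from an SSO cache file; accepts snake_case or camelCase keys, region optional."""
    d = json.loads(raw)
    token = d.get("access_token", d.get("accessToken"))
    expires = d.get("expires_at", d.get("expiresAt"))
    if not token or not expires or parse_ts(expires) <= now:
        return None
    return {"access_token": token, "region": d.get("region")}
def role_identity(arn):
    """(account, role name) from an IAM role ARN or the STS assumed-role ARN a CLI cache file records."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] not in ("iam", "sts"):
        return None
    account, res = parts[4], parts[5].split("/")
    if res[0] == "role" and len(res) >= 2:
        return account, res[-1]   # arn:aws:iam::ACCT:role/[path/]Name
    if res[0] == "assumed-role" and len(res) >= 3:
        return account, res[1]    # arn:aws:sts::ACCT:assumed-role/Name/session
    return None
def cli_cache_lookup(files, role_arn, now):
    """First ~/.aws/cli/cache entry whose account and role name match role_arn and which is not expired."""
    want = role_identity(role_arn)
    for raw in files:
        d = json.loads(raw)
        creds = d.get("Credentials", {})
        got = role_identity(d.get("AssumedRoleUser", {}).get("Arn", ""))
        if got is None or got != want or "Expiration" not in creds or parse_ts(creds["Expiration"]) <= now:
            continue   # no match or expired: caller falls back to STS AssumeRole
        return creds
    return None

# Constructed sample cache files (placeholder values, not real credentials).
NOW = datetime(2026, 1, 15, 11, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)
SSO_FILE = '{"accessToken": "tok", "expiresAt": "2026-01-15T12:00:00Z"}'
CLI_FILES = [
    '{"Credentials": {"AccessKeyId": "ASIAEXPIRED", "Expiration": "2026-01-15T10:00:00UTC"}, "AssumedRoleUser": {"Arn": "arn:aws:sts::123456789012:assumed-role/Admin/s1"}}',
    '{"Credentials": {"AccessKeyId": "ASIAVALID", "Expiration": "2026-01-15T12:00:00UTC"}, "AssumedRoleUser": {"Arn": "arn:aws:sts::123456789012:assumed-role/Admin/s2"}}',
    '{"Credentials": {"AccessKeyId": "ASIAOTHER", "Expiration": "2026-01-15T12:00:00UTC"}, "AssumedRoleUser": {"Arn": "arn:aws:sts::999999999999:assumed-role/Admin/s3"}}',
]
```

Because the cache records the STS assumed-role ARN while the profile holds the IAM role ARN, the two are compared by (account, role name) rather than as raw strings.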
@huseyinbabal huseyinbabal mentioned this pull request Jan 15, 2026
10 tasks
@huseyinbabal huseyinbabal merged commit 5bc1140 into master Jan 15, 2026
4 checks passed
@huseyinbabal huseyinbabal deleted the fix/sso-cache-formats branch January 15, 2026 11:05


Development

Successfully merging this pull request may close these issues.

Not all cached sessions are used by taws
