diff --git a/envsec/internal/envcli/flags.go b/envsec/internal/envcli/flags.go
index 6a10156b..e6b56d15 100644
--- a/envsec/internal/envcli/flags.go
+++ b/envsec/internal/envcli/flags.go
@@ -11,9 +11,9 @@ import (
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"go.jetpack.io/envsec"
-	"go.jetpack.io/envsec/internal/awsfed"
 	"go.jetpack.io/envsec/internal/jetcloud"
 	"go.jetpack.io/envsec/internal/typeids"
+	"go.jetpack.io/envsec/pkg/awsfed"
 	"go.jetpack.io/pkg/sandbox/auth/session"
 )
 
@@ -99,7 +99,7 @@ func (f *configFlags) genConfig(ctx context.Context) (*cmdConfig, error) {
 		}
 	}
 
-	ssmConfig, err := genSSMConfigForUser(ctx, tok)
+	ssmConfig, err := awsfed.GenSSMConfigForUser(ctx, tok)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -133,23 +133,3 @@ func (f *configFlags) genConfig(ctx context.Context) (*cmdConfig, error) {
 		EnvID: envid,
 	}, nil
 }
-
-func genSSMConfigForUser(
-	ctx context.Context,
-	tok *session.Token,
-) (*envsec.SSMConfig, error) {
-	if tok == nil {
-		return &envsec.SSMConfig{}, nil
-	}
-	fed := awsfed.New()
-	creds, err := fed.AWSCreds(ctx, tok)
-	if err != nil {
-		return nil, errors.WithStack(err)
-	}
-	return &envsec.SSMConfig{
-		AccessKeyID:     *creds.AccessKeyId,
-		SecretAccessKey: *creds.SecretKey,
-		SessionToken:    *creds.SessionToken,
-		Region:          fed.Region,
-	}, nil
-}
diff --git a/envsec/internal/awsfed/awsfed.go b/envsec/pkg/awsfed/awsfed.go
similarity index 82%
rename from envsec/internal/awsfed/awsfed.go
rename to envsec/pkg/awsfed/awsfed.go
index b42e85df..f29a5194 100644
--- a/envsec/internal/awsfed/awsfed.go
+++ b/envsec/pkg/awsfed/awsfed.go
@@ -8,6 +8,8 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/service/cognitoidentity"
 	"github.com/aws/aws-sdk-go-v2/service/cognitoidentity/types"
+	"github.com/pkg/errors"
+	"go.jetpack.io/envsec"
 	"go.jetpack.io/envsec/internal/envvar"
 	"go.jetpack.io/envsec/internal/filecache"
 	"go.jetpack.io/pkg/sandbox/auth/session"
@@ -107,3 +109,23 @@ func cacheKey(t *session.Token) string {
 
 	return fmt.Sprintf("%s-%s", cacheKeyPrefix, id)
 }
+
+func GenSSMConfigForUser(
+	ctx context.Context,
+	tok *session.Token,
+) (*envsec.SSMConfig, error) {
+	if tok == nil {
+		return &envsec.SSMConfig{}, nil
+	}
+	fed := New()
+	creds, err := fed.AWSCreds(ctx, tok)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+	return &envsec.SSMConfig{
+		AccessKeyID:     *creds.AccessKeyId,
+		SecretAccessKey: *creds.SecretKey,
+		SessionToken:    *creds.SessionToken,
+		Region:          fed.Region,
+	}, nil
+}