
Credentials don't automatically refresh #288

@ImDevinC

I'm using this command for my authentication (the variables are not actually variables in the config file; they are properly defined, just redacted here):

okta-aws-cli --org-domain $OKTA_DOMAIN.okta.com --oidc-client-id $OIDC_CLIENT_ID --aws-acct-fed-app-id $FED_APP_ID --profile $PROFILE --aws-iam-role $ARN --open-browser --format process-credentials --aws-iam-idp $IDP_ARN

I currently have the following ~/.aws/config, which works the first time I need to authenticate:

[profile security-KubernetesAdmin]
credential_process = okta-aws-cli --org-domain $OKTA_DOMAIN.okta.com --oidc-client-id $OIDC_CLIENT_ID --aws-acct-fed-app-id $FED_APP_ID --profile $PROFILE --aws-iam-role $ARN --open-browser --format process-credentials --aws-iam-idp $IDP_ARN

[profile develop-KubernetesAdmin]
source_profile = security-KubernetesAdmin
role_arn = arn:aws:iam::123456789012:role/KubernetesAdmin
region = us-west-2

[profile develop-TerraformOnly]
source_profile = security-TerraformOnly
role_arn = arn:aws:iam::123456789012:role/Atlantis
region = us-west-2

In the current setup, every time I run a command, e.g. aws sts --profile develop-KubernetesAdmin get-caller-identity, my browser opens and requires me to authenticate with a code. I can add --write-aws-credentials to store the credentials in ~/.aws/credentials so I don't have to do it every time, but once the credentials expire, if I run an aws command I get the error: An error occurred (ExpiredToken) when calling the AssumeRole operation: The security token included in the request is expired. I can rm ~/.aws/credentials and rerun the command, which then prompts me to authenticate.

I'm trying to find a way so that the first time I authenticate, the credentials are cached and I can use them until they expire, but once they expire, the normal authentication process happens again without me needing to manually remove the credentials file. I did confirm that the output of the okta-aws-cli command does include an expiration time.
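One way to get the behaviour asked for above is to put a small caching wrapper between the AWS CLI and the real credential_process command. The wrapper is added here as an example; it is not part of okta-aws-cli and not code from the issue author. It relies only on the documented credential_process JSON contract (Version 1 plus an Expiration timestamp): while the cached JSON is still valid it is printed back, otherwise the wrapped command is re-run (which is what triggers the browser login) and its output is cached with mode 0600, since the file holds live session credentials. The wrapper path, the cache path, the five-minute safety margin and the sample credentials in the test are assumptions.

```python
#!/usr/bin/env python3
"""Cache-aware wrapper for an AWS credential_process command (example, not project code).

Assumed ~/.aws/config usage (absolute paths, because the AWS CLI does not run
credential_process through a shell, so ~ is not expanded):

    credential_process = /usr/local/bin/cached_creds.py /home/me/.cache/okta-security.json -- okta-aws-cli --org-domain ... --format process-credentials
"""
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Refresh a little before the real expiry so an in-flight AssumeRole call does
# not fail with ExpiredToken. The margin is an assumption, not an AWS requirement.
SAFETY_MARGIN = timedelta(minutes=5)


def parse_expiration(value):
    """Parse the ISO 8601 Expiration field; accept a trailing 'Z' and naive times as UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def load_valid_cache(cache_path, now):
    """Return cached credentials if they are well-formed and not (nearly) expired, else None."""
    try:
        data = json.loads(Path(cache_path).read_text())
    except (OSError, ValueError):
        return None  # missing, unreadable or corrupt cache: fall through to a fresh fetch
    if data.get("Version") != 1 or "Expiration" not in data:
        return None
    try:
        expiration = parse_expiration(data["Expiration"])
    except ValueError:
        return None
    if now + SAFETY_MARGIN >= expiration:
        return None  # expired or about to expire: force re-authentication
    return data


def write_cache(cache_path, data):
    """Write the credential JSON with owner-only permissions (it contains a session token)."""
    path = Path(cache_path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)


def get_credentials(cache_path, fetch, now=None):
    """Return valid credentials, calling fetch() (the real credential_process) only when needed."""
    now = now or datetime.now(timezone.utc)
    cached = load_valid_cache(cache_path, now)
    if cached is not None:
        return cached
    fresh = fetch()
    if fresh.get("Version") != 1:
        raise ValueError("credential_process output must have Version 1")
    if "Expiration" in fresh:  # permanent credentials (no Expiration) are never cached
        write_cache(cache_path, fresh)
    return fresh


def run_command(argv):
    """Run the wrapped credential_process command and parse its JSON output."""
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def main():
    if len(sys.argv) < 4 or sys.argv[2] != "--":
        sys.exit("usage: cached_creds.py CACHE_FILE -- COMMAND [ARGS...]")
    creds = get_credentials(sys.argv[1], lambda: run_command(sys.argv[3:]))
    json.dump(creds, sys.stdout)  # the AWS CLI reads this from stdout


if __name__ == "__main__":
    main()
```

Because the expired-cache check happens before the wrapped command is invoked, the browser prompt only appears when the cached token is gone or within the safety margin of its Expiration, and there is no credentials file to delete by hand. The derived profiles (develop-KubernetesAdmin and so on) keep using source_profile as before; only the source profile's credential_process line changes.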
