Add --revoke-sso-token flag to export-credentials#10259
Open
jviehhauser wants to merge 1 commit intoaws:v2from
Open
Add --revoke-sso-token flag to export-credentials#10259jviehhauser wants to merge 1 commit intoaws:v2from
jviehhauser wants to merge 1 commit intoaws:v2from
Conversation
When set, after credentials are emitted, the IAM Identity Center access token used to resolve them is server-side revoked via sso.Logout and its on-disk cache file is removed. The flag is opt-in and surgical: only the cache file for the active profile's sso_session (or legacy sso_start_url) is touched. Other profiles and concurrent SSO sessions are untouched. The cache key is derived identically to botocore's SSOTokenLoader so the file we look at is always the file aws sso login wrote. Best-effort error handling: credentials have already been emitted when revoke runs, so any failure must not change the exit status. Both the narrow ClientError path inside revoke_sso_token (which is also used by aws sso logout, with unchanged behavior) and broader transport-level errors (BotoCoreError, EndpointResolutionError, etc.) are swallowed. Use case: when aws configure export-credentials runs as a credential_process, the SSO token's on-disk lifetime collapses from the IAM Identity Center session duration (8h default) to the duration of a single STS exchange. Each refresh requires a new aws sso login flow. The existing sso.Logout call site in awscli/customizations/sso/ logout.py is refactored into a reusable helper revoke_sso_token. aws sso logout's behavior is unchanged. Tests pin the cache filename contract to botocore's SSOTokenLoader._generate_cache_key directly, so any drift between this command's lookup logic and botocore's storage logic surfaces as a test failure rather than a silent file-path mismatch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
94ed917 to
400eb18
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #10258.
Description of changes
--revoke-sso-tokenflag toaws configure export-credentials. When set, after credentials are emitted, the SSO access token used to resolve them is server-side revoked viasso.Logoutand its~/.aws/sso/cache/<digest>.jsonfile is removed.sso_session(or legacysso_start_url) is touched. Other profiles and concurrent SSO sessions are untouched.sso.Logoutcall site inawscli/customizations/sso/logout.pyinto a small reusable helperrevoke_sso_token(...)so bothaws sso logoutand the new flag share one revocation path.aws sso logout's behavior is unchanged.Description of tests
TestRevokeSSOTokenFlagclass intests/unit/customizations/configure/test_exportcreds.pycovers: sso-session profile, legacy SSO profile, non-SSO profile (no-op), missing cache file,LogoutAPI client error, output unaffected on revoke failure, and flag-off baseline.tests/unit/customizations/sso/test_logout.pycontinues to pass (24 tests) — the refactor preservesaws sso logoutbehavior.tests/unit/customizations/configure/test_exportcreds.pycontinues to pass (20 baseline tests).By submitting this PR, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.