Skip to content

Credential cache

Mimic reads two AWS credential cache locations to determine auth state and expiry.

SSO cache

~/.aws/sso/cache/*.json

Keyed by start URL. Contains the SSO access token. Mimic reads auth_expires_at from these files during scan_profiles.

Key points:

  • One token per SSO organization (start URL)
  • Shared across all profiles in the same org
  • Duration set in IAM Identity Center settings (default 1h, max 12h)
  • Concurrent access safe (botocore uses append-write + atomic rename)

STS cache

~/.aws/cli/cache/*.json

Keyed by SHA1 of {accountId, roleName, sessionName}. Contains temporary credentials. Mimic reads credential_expires_at and derives duration from file mtime vs Expiration.

Key points:

  • Written when aws sts assume-role is called
  • Only applies to AssumeRole profiles with a cache hit
  • Duration is the role's MaxSessionDuration

Silent refresh

The AWS CLI refreshes the SSO token in the background when you run CLI commands, without opening a browser. This works as long as the portal session (browser cookie) is still valid. Mimic detects silent refreshes via the auth poller.