How to determine the mapping(get json file name) between the profile and the /cli/cache

[rehanvdm]

Confirm by changing [ ] to [x] below:

• I've gone though the User Guide and the API reference
• I've searched for previous similar issues and didn't find any solution

Issue is about usage on:

• Service API : I want to do X using Y service, what should I do?
• CLI : passing arguments or cli configurations.
• Other/Not sure.

Platform/OS/Hardware/Device
Windows

Describe the question
How do I know what the JSON file name will be for a given profile when it is stored in the /cli/cache directory?

I can see (is that even the right place?) that it does a sha1 hash of some arguments but which?

aws-cli/awscli/botocore/credentials.py

Line 744 in 43679b4

def _create_cache_key(self):

[kdaily]

Hi @rehanvdm, this function and the method for hashing to generate the cache file is not really intended to be public facing and is subject to change. If you provide some more details about your use case maybe we can provide some guidance or a feature request that can help you solve your problem.

[rehanvdm]

Well I guess(know) I am doing something that I am not suppose to. I want to write to the cache.

I have an external program that handles the MFA and SSO logins. Currently I am exporting the STS tokens back to the profile under a different profile name so that they can be used by any other program as well. But it would not be needed if I could just write to the cache.

[kdaily]

I see - using the cache outside of the AWS CLI is not recommended, and as previously noted those are implementation details that may change, the interface is not intended to be public.

By "used by any other program" do you mean another program that uses an AWS SDK? If that's the case, wouldn't the credentail process be a possible solution?

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

[kdaily]

Since this is a guidance question, I'm moving this to GitHub Discussions. Thanks!

[raymondchen625]

For the time being, it's a SHA1 digest of a JSON string with RoleArn and SerialNumber. Here is a bash script example:

echo -n '{"RoleArn": "arn:aws:iam::123456789:role/myrole", "SerialNumber": "arn:aws:iam::234567890:mfa/first.last"}' | sha1sum | awk '{print $1".json"}'

[rehanvdm]

Thanks @raymondchen625, I came to a similar conclusion debugging the source, but I figured I don't want to misuse the AWS CLI and make use of non public info/functionality.

FYI @kdaily this is what I meant with "used by any other program", this is that program https://cloudglance.dev/ 😁

[funnylookinhat]

This is relevant for a use case I'm trying to fill... we have several tools that must have credentials set in the environment (e.g. AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN )

We can easily script around ensuring that a given profile has been accessed at least once to make sure a set of credentials exists in ~/.aws/sso/cache/*.json - but determining which file to use is where I'm stuck.

I'm happy to use the bash snippet that @raymondchen625 shared above - but I don't see a consistent way to determine the values for the SerialNumber. (I can get the account ID and role from ~/.aws/config)

Any suggestions?

[jnawk]

It's the ARN of the MFA device. If no MFA device is used, then omit the key from the string to be hashed.
From a read of the source, the explanation above is not exactly wrong, but it is a little misleading in that it's not a complete explanation - the args to the AssumeRole call are stuffed into a dict (we're talking python here). If the RoleSessionName is the default, then that argument is removed. The dict is the JSON serialised (with sorted keys).

for now. (accurate today)

Here's the relevant source.

https://github.com/boto/botocore/blob/1eaa8aed894ce6d3cbfd038a358f2dfe55444926/botocore/credentials.py#L736