Configure aws-vault to cache role tokens #1222

Open
2 tasks done
Supermathie opened this issue Aug 29, 2023 · 2 comments

@Supermathie

We would like to have aws-vault cache role tokens.

By default, a new session is created for every invocation, which means a round trip to AWS and back to retrieve the new token. For our people in more remote regions this means a round trip on every invocation, which we'd like to avoid.

We ask that instead of retrieving a new role token on every call, we can instruct aws-vault to remember it for a period of time and return that instead of a new one.

If this is not already possible, would you be open to a PR implementing such a thing?

e.g. instead of:

```
○ → aws-vault export prod | grep AWS_ACCESS_KEY_ID
AWS_ACCESS_KEY_ID=ASIAQ2NCZ6TQXGPG4QWB

○ → aws-vault export prod | grep AWS_ACCESS_KEY_ID
AWS_ACCESS_KEY_ID=ASIAQ2NCZ6TQRW6FRWUG
```

we get:

```
○ → aws-vault export prod | grep AWS_ACCESS_KEY_ID
AWS_ACCESS_KEY_ID=ASIAQ2NCZ6TQXGPG4QWB

○ → aws-vault export prod | grep AWS_ACCESS_KEY_ID
AWS_ACCESS_KEY_ID=ASIAQ2NCZ6TQXGPG4QWB
```

  • I am using the latest release of AWS Vault
    using arch aws-vault 7.2.0-1
  • I have provided my .aws/config (redacted if necessary)

```ini
[default]
cli_pager =
region = us-east-1

[profile root-account]
mfa_serial = arn:aws:iam::111111111111:mfa/supermathie

[profile prod]
source_profile = root-account
role_arn = arn:aws:iam::222222222222:role/admin
mfa_serial = arn:aws:iam::111111111111:mfa/supermathie
region = us-west-2
```

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale label Feb 26, 2024
@blowfishpro

The extra round trips can add up. One example is where IAM roles are used to provide EKS access tokens, and then some scripting is done around kubectl that ends up invoking the token generator multiple times.

@github-actions github-actions bot removed the stale label Feb 27, 2024
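
The caching behaviour requested in this issue, sketched as an added Go example (not code from aws-vault or from any participant in this thread): cached role credentials are reused until they come within a renewal margin of their expiry, and an expiring entry is never served as a fallback when renewal fails. `Creds`, `RoleCache`, `Fetch` and the `ASIAEXAMPLE…` key IDs are hypothetical and constructed, and the fetcher stands in for the STS AssumeRole round trip.

```go
package main

import (
	"fmt"
	"time"
)

// Creds is a hypothetical stand-in for an assumed role's temporary credentials.
type Creds struct {
	AccessKeyID string
	Expiration  time.Time
}

// RoleCache holds one credential set per profile, in process memory only.
type RoleCache struct {
	byProfile map[string]Creds
	Margin    time.Duration                       // renew this long before expiry
	Fetch     func(profile string) (Creds, error) // stands in for the AssumeRole round trip
}

// Get serves the cached credentials unless they expire within Margin of now.
func (c *RoleCache) Get(profile string, now time.Time) (Creds, error) {
	if cr, ok := c.byProfile[profile]; ok && now.Add(c.Margin).Before(cr.Expiration) {
		return cr, nil
	}
	cr, err := c.Fetch(profile)
	if err != nil {
		return Creds{}, err // an expiring entry is never served as a fallback
	}
	c.byProfile[profile] = cr
	return cr, nil
}

// demo replays three invocations against a constructed clock and fetcher.
func demo() (ids []string, fetches int) {
	now := time.Date(2023, 8, 29, 12, 0, 0, 0, time.UTC)
	c := &RoleCache{byProfile: map[string]Creds{}, Margin: 5 * time.Minute}
	c.Fetch = func(string) (Creds, error) {
		fetches++
		return Creds{fmt.Sprintf("ASIAEXAMPLE%04d", fetches), now.Add(time.Hour)}, nil
	}
	for _, step := range []time.Duration{0, 10 * time.Minute, 50 * time.Minute} {
		now = now.Add(step)
		cr, _ := c.Get("prod", now)
		ids = append(ids, cr.AccessKeyID)
	}
	return ids, fetches
}

func main() { fmt.Println(demo()) }
```

The sketch keeps credentials in process memory; a command-line tool that caches across invocations needs a protected store for them, since cached role credentials are usable by anyone who can read them until they expire.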