Credential cache
Mimic reads two AWS credential cache locations to determine auth state and expiry.
SSO cache
~/.aws/sso/cache/*.json
Keyed by start URL. Contains the SSO access token. Mimic reads auth_expires_at from these files during scan_profiles.
Key points:
- One token per SSO organization (start URL)
- Shared across all profiles in the same org
- Duration set in IAM Identity Center settings (default 1h, max 12h)
- Concurrent access safe (botocore uses append-write + atomic rename)
STS cache
~/.aws/cli/cache/*.json
Keyed by SHA1 of {accountId, roleName, sessionName}. Contains temporary credentials. Mimic reads credential_expires_at and derives duration from file mtime vs Expiration.
Key points:
- Written when
aws sts assume-roleis called - Only applies to AssumeRole profiles with a cache hit
- Duration is the role's
MaxSessionDuration
Silent refresh
The AWS CLI refreshes the SSO token in the background when you run CLI commands, without opening a browser. This works as long as the portal session (browser cookie) is still valid. Mimic detects silent refreshes via the auth poller.