Description
My team has set up AWS SSO and is starting to use `aws sso login` for most of their needs. Everything is working smoothly. However, it appears that AWS SDKs (e.g. Golang apps that call AWS APIs) do not support reading the temporary SSO credentials stored in `~/.aws/cli/cache` / `~/.aws/sso/cache`. (See aws/aws-sdk-go#3186)

And as a result, my team is blocked from adopting AWS SSO because it only works with the AWS CLI but none of our existing tools.
Ideally, the various language-specific AWS SDKs would be able to pick up on the current AWS SSO credentials seamlessly, honoring the `AWS_PROFILE` or `AWS_DEFAULT_PROFILE` environment variables and using the same credential lookup algorithm as the CLI. (I assume that's on the roadmap eventually.)
However, getting that change fixed across all of the AWS SDKs, as well as them upstreamed into tools that rely on them, will take a long time. And it would be nice to unblock my team until then so they can just rely on `aws sso login`.
I can see the credential files on my local disk, e.g. `~/.aws/sso/cache/61368d38a2497e42a24a243072108001849d0b07.json`. But it isn't clear how to map the current set of environment variables to which JSON file to load.
Could the CLI support some way of returning whatever credentials it is using? e.g.

```sh
# Return the SSO credentials file for the provided profile, or just use AWS_PROFILE, etc.
aws --profile staging-environment \
    sts get-caller-credentials

# Or even better: write the SSO credentials to ~/.aws/credentials. So other tools
# could just read from it.
aws sso write-credentials-to-disk --profile staging-environment
```
I don't know if there is a better approach here, as I do not know the specific differences between credential resolution in the AWS CLI vs. AWS SDKs. But hopefully there is some sort of workaround to make this scenario work?
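The profile-to-cache-file mapping the description says is unclear, as an added example that is not from the issue or the CLI: the CLI names each `~/.aws/sso/cache` entry after the SHA-1 hex digest of the profile's `sso_start_url` (botocore's `SSOTokenLoader`), so the lookup and the expiry check can be done by hand. The profile values, token and `expiresAt` format below are constructed sample data written to a temp dir; the returned fields are the arguments `aws sso get-role-credentials` takes.

```python
import configparser
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def load_sso_token(profile, config_path, cache_dir, now=None):
    """Map an AWS profile to the CLI's SSO token cache entry and validate it."""
    cfg = configparser.ConfigParser()
    cfg.read(config_path)
    section = "default" if profile == "default" else f"profile {profile}"
    if section not in cfg or "sso_start_url" not in cfg[section]:
        raise KeyError(f"profile {profile!r} is not an SSO profile")
    prof = cfg[section]
    # The CLI names the cache file after the SHA-1 hex digest of sso_start_url.
    key = hashlib.sha1(prof["sso_start_url"].encode("utf-8")).hexdigest()
    cache_file = Path(cache_dir) / f"{key}.json"
    token = json.loads(cache_file.read_text())  # FileNotFoundError => not logged in
    # Cache files have carried both "...Z" and "...UTC" suffixes; accept either.
    stamp = token["expiresAt"].replace("UTC", "").replace("Z", "")
    expires = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if expires <= (now or datetime.now(timezone.utc)):
        raise RuntimeError(f"SSO token expired at {expires.isoformat()}: run `aws sso login`")
    # These values are the arguments `aws sso get-role-credentials` takes.
    return {"cache_file": str(cache_file), "access_token": token["accessToken"],
            "region": prof["sso_region"], "account_id": prof["sso_account_id"],
            "role_name": prof["sso_role_name"]}


def demo():
    """Exercise the lookup on a constructed config and cache (sample data only)."""
    root = Path(tempfile.mkdtemp())
    start_url = "https://example.awsapps.com/start"  # constructed
    (root / "config").write_text(
        f"[profile staging-environment]\nsso_start_url = {start_url}\n"
        "sso_region = us-east-1\nsso_account_id = 123456789012\n"
        "sso_role_name = Developer\n")
    cache = root / "sso" / "cache"
    cache.mkdir(parents=True)
    key = hashlib.sha1(start_url.encode("utf-8")).hexdigest()
    (cache / f"{key}.json").write_text(json.dumps({
        "startUrl": start_url, "region": "us-east-1",
        "accessToken": "CONSTRUCTED-TOKEN", "expiresAt": "2030-01-01T00:00:00UTC"}))
    return load_sso_token("staging-environment", root / "config", cache)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real machine, point `config_path` at `~/.aws/config` and `cache_dir` at `~/.aws/sso/cache`; an expired or missing entry raises, which is the signal that `aws sso login` is needed.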