Fix aws.sh SSO credential check to use export-credentials

jpvelez · jpvelez · commit 53bd4a5de18d · 2026-03-26T21:27:56.000-04:00
The old early-exit used `aws sts get-caller-identity &amp;&amp; aws ec2
describe-instances`, which can pass via env vars or static credentials
even when the SSO token is expired. boto3/polars uses the SSO profile
directly, so it would fail with UnauthorizedSSOTokenError while the CLI
check reported "already valid".

Replace with `aws configure export-credentials --format json`, which
exercises the full SSO credential chain and fails if the SSO token is
expired — matching exactly what boto3 checks.

Made-with: Cursor
diff --git a/.devcontainer/devpod/aws.sh b/.devcontainer/devpod/aws.sh
@@ -20,10 +20,11 @@ if ! command -v aws >/dev/null 2>&1; then
   exit 1
 fi
 
-# Check if credentials are already valid (early exit if so)
-# Test with an actual EC2 API call since DevPod uses EC2
-if aws sts get-caller-identity &>/dev/null &&
-  aws ec2 describe-instances --max-results 5 &>/dev/null; then
+# Check if SSO credentials are already valid (early exit if so).
+# aws configure export-credentials exercises the full SSO credential chain,
+# so it fails if the SSO token is expired — unlike aws sts get-caller-identity,
+# which can succeed via env vars or static credentials even when SSO is stale.
+if aws configure export-credentials --format json &>/dev/null; then
   echo "✅ AWS credentials are already valid"
   echo
   exit 0
