Support XDG Directories for .aws/sso/cache Storage

[jakedgy]

Description

Currently, granted stores AWS SSO tokens in ~/.aws/sso/cache. To improve portability and align with both AWS CLI conventions and XDG directory standards, it would be beneficial to support configurable paths for storing SSO tokens, similar to issue #570.

This is particularly useful for environments like GitHub Codespaces, where the home directory is ephemeral. In such cases, AWS credentials, configuration, and cache directories need to be redirected to a persistent location (e.g., /workspaces) to survive container restarts and rebuilds.

Proposed Solution

AWS already provides environment variables to override default storage locations for credentials and config files:

• AWS_CONFIG_FILE – Overrides the default ~/.aws/config location.
• AWS_SHARED_CREDENTIALS_FILE – Overrides the default ~/.aws/credentials location.

Additionally, AWS CLI stores temporary credentials under ~/.aws/cli/cache, and it would be useful to make this path configurable as well. More details on AWS CLI configuration file locations can be found in the AWS documentation.

To ensure better integration with both AWS CLI and XDG directory standards, granted could:

1. Respect AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE for credential storage.
2. Introduce support for XDG_CACHE_HOME to determine the location of .aws/sso/cache.
3. Allow explicitly setting an environment variable (e.g., GRANTED_AWS_SSO_CACHE_DIR) for cases where users need direct control over the cache location.

Affected Code

The relevant logic appears to be in pkg/cfaws/ssotoken.go.

Would love to hear thoughts on this and whether there's an existing workaround. Happy to contribute if needed! 🚀

[chris3ware]

The AWS CLI does not support this: aws/aws-cli#9031