fwdcloudsec · jasday · Jul 31, 2025
diff --git a/pkg/assume/assume.go b/pkg/assume/assume.go
@@ -284,6 +284,7 @@ func AssumeCommand(c *cli.Context) error {
 		MFATokenCode: assumeFlags.String("mfa-token"),
 		Args:         assumeFlags.StringSlice("pass-through"),
 		DisableCache: assumeFlags.Bool("no-cache"),
+		Refresh:      assumeFlags.Bool("refresh"),
 	}
 
 	// attempt to get session duration from profile

diff --git a/pkg/assume/entrypoint.go b/pkg/assume/entrypoint.go
@@ -55,6 +55,7 @@ func GlobalFlags() []cli.Flag {
 		&cli.BoolFlag{Name: "confirm", Aliases: []string{"y"}, Usage: "Skip confirmation prompts for access requests"},
 		&cli.BoolFlag{Name: "wait", Usage: "When using Granted with Common Fate the assume will halt while waiting for the access request to be approved."},
 		&cli.BoolFlag{Name: "no-cache", Usage: "Disables caching of session credentials and forces a refresh", EnvVars: []string{"GRANTED_NO_CACHE"}},
+		&cli.BoolFlag{Name: "refresh", Usage: "Forces Granted to refresh session credentials", EnvVars: []string{"GRANTED_REFRESH"}},
 		&cli.StringSliceFlag{Name: "browser-launch-template-arg", Usage: "Additional arguments to provide to the browser launch template command in key=value format, e.g. '--browser-launch-template-arg foo=bar"},
 		&cli.BoolFlag{Name: "skip-profile-registry-sync", Usage: "You can use this to skip the automated profile registry sync process."},
 		&cli.StringSliceFlag{Name: "attach", Usage: "Attach justifications to your request, such as a Jira ticket id or url `--attach=TP-123`"},

diff --git a/pkg/cfaws/assumer_aws_iam.go b/pkg/cfaws/assumer_aws_iam.go
@@ -29,11 +29,16 @@ func (aia *AwsIamAssumer) AssumeTerminal(ctx context.Context, c *Profile, config
 	sessionCredStorage := securestorage.NewSecureSessionCredentialStorage()
 
 	cachedCreds, err := sessionCredStorage.GetCredentials(c.AWSConfig.Profile)
-	if err != nil {
+	switch {
+	case err != nil:
 		clio.Debugw("error loading cached credentials", "error", err)
-	} else if cachedCreds != nil && !cachedCreds.Expired() {
-		clio.Debugw("credentials found in cache", "expires", cachedCreds.Expires.String(), "canExpire", cachedCreds.CanExpire, "timeNow", time.Now().String())
-		return *cachedCreds, err
+	case cachedCreds != nil:
+		if !cachedCreds.Expired() {
+			clio.Debug("credentials found in cache", "expires", cachedCreds.Expires.String(), "canExpire", cachedCreds.CanExpire, "timeNow", time.Now().String(), "refresh", configOpts.Refresh)
+			if !configOpts.Refresh {
+				return *cachedCreds, err
+			}
+		}
 	}
 
 	clio.Debugw("refreshing credentials", "reason", "not found")

diff --git a/pkg/cfaws/profiles.go b/pkg/cfaws/profiles.go
@@ -27,6 +27,7 @@ type ConfigOpts struct {
 	ShouldRetryAssuming        *bool
 	MFATokenCode               string
 	DisableCache               bool
+	Refresh                    bool
 }
 
 type Profile struct {