Script to refresh SSO tokens
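#!/bin/bash
# ┌─────────────────────────────────────────────────┐
# │ SSO Token Auto-Refresh for sso-bot session      │
# │                                                 │
# │ [Check TTL] ──► TTL < 1hr? ──► [AWS SSO Login]  │
# │      │              │                │          │
# │      ▼              ▼                ▼          │
# │   Valid ✓      Expiring ⚠       Telegram 📱     │
# └─────────────────────────────────────────────────┘
#
# Why this script?
# AWS SSO tokens expire after ~8 hours. When running headless
# services (like OpenClaw Gateway) that depend on AWS credentials,
# expired tokens cause silent failures. This script proactively
# detects expiring tokens and sends a Telegram notification with
# the device code URL, allowing you to re-authorize from your phone
# without needing terminal access.
#
# How it works:
# 1. Computes SHA1 hash of SESSION_NAME to locate cache file
# 2. Reads expiresAt from ~/.aws/sso/cache/<hash>.json
# 3. If TTL < 1 hour (or expired), runs `aws sso login` in the background
# 4. Waits (bounded) for the device code URL and sends it to Telegram
#
# Usage:
#   ./sso-refresh.sh            # Normal check
#   ./sso-refresh.sh --force    # Force trigger regardless of TTL
#
# Optional environment overrides (defaults match the original hard-coded values):
#   SSO_SESSION_NAME   sso-session name whose cache file is checked (default: sso-bot)
#   SSO_PROFILE        AWS CLI profile given to `aws sso login` (default: bedrock-only);
#                      it must reference the same sso-session, or the cache file
#                      checked here is not the one the login refreshes.
#   TELEGRAM_TARGET    Telegram chat/user id that receives the device-code message
#
# Cron (every hour). Log to a directory only this user can read: the log
# carries the device-authorization URL and code that `aws sso login` prints.
#   0 * * * * ~/.openclaw/scripts/sso-refresh.sh >> ~/.openclaw/logs/sso-refresh.log 2>&1
#
# Security notes:
# - The device-code URL/code is an authorization bootstrap artifact. Send it
#   only to a private chat you control, and confirm the code shown in Telegram
#   matches the one on the AWS device-authorization page before approving.
# - The login output is captured in a private mktemp file (umask 077), not a
#   fixed world-readable path under /tmp, so other local users cannot read it
#   or pre-create/symlink the path.
# - The message is passed to `openclaw` via argv, so it is briefly visible in
#   `ps` on this host; acceptable on a single-user box, worth changing if
#   openclaw can take the message on stdin.

set -u
set -o pipefail

SESSION_NAME="${SSO_SESSION_NAME:-sso-bot}"
SSO_PROFILE="${SSO_PROFILE:-bedrock-only}"
TELEGRAM_TARGET="${TELEGRAM_TARGET:-<YOUR_TG_ID>}"
# The AWS CLI names the sso-session cache file after the SHA1 of the session name.
CACHE_HASH=$(printf '%s' "$SESSION_NAME" | shasum | cut -d' ' -f1)
CACHE_FILE="$HOME/.aws/sso/cache/${CACHE_HASH}.json"
STATE_DIR="$HOME/.openclaw/state"
LOGIN_PID_FILE="$STATE_DIR/sso-refresh-login.pid"
THRESHOLD_SECONDS=3600   # 1 hour
LOGIN_OUTPUT_WAIT=30     # max seconds to wait for aws to print the device-code URL

[[ "${1:-}" == "--force" ]] && THRESHOLD_SECONDS=999999999

#######################################
# Print the epoch second at which the cached token expires.
# Globals:  CACHE_FILE (read)
# Outputs:  epoch seconds on stdout
# Returns:  0 on success; 1 if the cache file is missing, has no
#           expiresAt, or the timestamp cannot be parsed.
#######################################
cached_expiry_epoch() {
  local raw stamp epoch
  [[ -f "$CACHE_FILE" ]] || return 1
  raw=$(jq -r '.expiresAt // empty' "$CACHE_FILE" 2>/dev/null) || return 1
  [[ -n "$raw" ]] || return 1
  # Drop fractional seconds (and whatever follows them) for the BSD strptime path.
  stamp="${raw%%.*}"
  # expiresAt is a UTC ("...Z") timestamp: parse it as UTC on both BSD/macOS
  # (-j -f) and GNU (-d) date. Without -u, BSD date reads it as local time and
  # the TTL is off by the local UTC offset.
  epoch=$(date -u -j -f "%Y-%m-%dT%H:%M:%S" "$stamp" +%s 2>/dev/null) \
    || epoch=$(date -u -d "$raw" +%s 2>/dev/null) \
    || return 1
  printf '%s\n' "$epoch"
}

now_epoch=$(date +%s)
if expires_epoch=$(cached_expiry_epoch); then
  expires_in=$((expires_epoch - now_epoch))
else
  echo "Cache file missing or unreadable ($CACHE_FILE), triggering login..."
  expires_in=-1
fi
echo "TTL: ${expires_in}s ($(( expires_in / 60 ))m)"

if (( expires_in >= THRESHOLD_SECONDS )); then
  echo "Token still valid for $(( expires_in / 3600 ))h $(( (expires_in % 3600) / 60 ))m"
  exit 0
fi

if (( expires_in < 0 )); then
  echo "Token EXPIRED, requesting re-auth..."
else
  echo "Token expiring in $(( expires_in / 60 ))m, requesting re-auth..."
fi

# Don't stack device-code flows: an hourly cron run can overlap a login that
# is still waiting for approval, which would spam Telegram with a second code.
# (A reused pid could make this check a false positive; the pid file is
# rewritten on every launch, so the window is one login's lifetime.)
if [[ -f "$LOGIN_PID_FILE" ]]; then
  prev_pid=$(cat "$LOGIN_PID_FILE" 2>/dev/null)
  if [[ -n "$prev_pid" ]] && kill -0 "$prev_pid" 2>/dev/null; then
    echo "A previous 'aws sso login' (pid $prev_pid) is still waiting for approval; not starting another."
    exit 0
  fi
fi

# Everything created from here on (state dir, temp file, anything aws writes)
# is private to this user.
umask 077
mkdir -p "$STATE_DIR" || { echo "Cannot create $STATE_DIR" >&2; exit 1; }
login_out=$(mktemp "${TMPDIR:-/tmp}/sso-login.XXXXXX") || { echo "mktemp failed" >&2; exit 1; }
# aws keeps its own fd to the file, so unlinking it at exit does not break the
# still-running login; it only removes the readable copy from disk.
trap 'rm -f -- "$login_out"' EXIT

aws --profile "$SSO_PROFILE" sso login --use-device-code --no-browser > "$login_out" 2>&1 &
login_pid=$!
printf '%s\n' "$login_pid" > "$LOGIN_PID_FILE"

# Wait for the device-authorization URL rather than a fixed sleep: a slow
# `aws` start (cold Python, network) made the original 3 s race and send an
# empty message. The URL is assumed to be the first https:// line aws prints.
for (( waited = 0; waited < LOGIN_OUTPUT_WAIT; waited++ )); do
  grep -q 'https://' "$login_out" 2>/dev/null && break
  kill -0 "$login_pid" 2>/dev/null || break   # aws already exited (probably failed)
  sleep 1
done

login_text=$(cat "$login_out")
if ! grep -q 'https://' <<<"$login_text"; then
  echo "aws sso login did not produce a device-code URL within ${LOGIN_OUTPUT_WAIT}s:" >&2
  printf '%s\n' "$login_text" >&2
  exit 1
fi

if ! openclaw message send --channel telegram --target "$TELEGRAM_TARGET" -m "🔐 SSO Token Refresh Required
$login_text"; then
  echo "Failed to send Telegram notification; the login is still waiting (pid $login_pid)." >&2
  exit 1
fi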