99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments

Configure aws-vault to cache role tokens

Supermathie opened this issue

We would like to have aws-vault cache role tokens.

By default, a new session is created for every invocation which means a round trip to AWS and back to retrieve the new token. For our people in more remote regions this means a round trip on every invocation which we'd like to avoid.

We ask that instead of retrieving a new role token on every call, we can instruct aws-vault to remember it for a period of time and return that instead of a new one.

If this is not already possible, would you be open to a PR implementing such a thing?

e.g. instead of:

○ → aws-vault export prod | grep AWS_ACCESS_KEY_ID
AWS_ACCESS_KEY_ID=ASIAQ2NCZ6TQXGPG4QWB

○ → aws-vault export prod | grep AWS_ACCESS_KEY_ID
AWS_ACCESS_KEY_ID=ASIAQ2NCZ6TQRW6FRWUG

we get:

○ → aws-vault export prod | grep AWS_ACCESS_KEY_ID
AWS_ACCESS_KEY_ID=ASIAQ2NCZ6TQXGPG4QWB

○ → aws-vault export prod | grep AWS_ACCESS_KEY_ID
AWS_ACCESS_KEY_ID=ASIAQ2NCZ6TQXGPG4QWB

  • I am using the latest release of AWS Vault
    using arch aws-vault 7.2.0-1
  • I have provided my .aws/config (redacted if necessary)

[default]
cli_pager =
region = us-east-1

[profile root-account]
mfa_serial = arn:aws:iam::111111111111:mfa/supermathie

[profile prod]
source_profile = root-account
role_arn = arn:aws:iam::222222222222:role/admin
mfa_serial = arn:aws:iam::111111111111:mfa/supermathie
region = us-west-2
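
The behaviour requested in this issue, sketched as an added example (not aws-vault's code and not part of the original post): role credentials are reused until they come within a refresh margin of their expiry, and a failed refresh returns an error instead of stale credentials. `Creds`, `Keyring` and `CachedRole` are hypothetical names, the fetch function is a constructed stand-in for the AssumeRole call, and the in-memory map stands in for the OS keyring.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Creds holds the fields of a temporary role session that the cache needs.
type Creds struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}

// Keyring stands in for the OS keyring that would hold the cached session
// (hypothetical; an in-memory map keeps the example runnable offline).
type Keyring map[string][]byte

// CachedRole returns the stored credentials for profile while they stay valid for at
// least margin; otherwise it calls fetch (the AssumeRole round trip) and stores the result.
func CachedRole(k Keyring, profile string, margin time.Duration, now time.Time,
	fetch func() (Creds, error)) (Creds, error) {
	var c Creds
	if raw, ok := k[profile]; ok && json.Unmarshal(raw, &c) == nil &&
		now.Add(margin).Before(c.Expiration) {
		return c, nil // cache hit: no network call
	}
	c, err := fetch()
	if err != nil {
		return Creds{}, err // never fall back to expired credentials
	}
	if raw, err := json.Marshal(c); err == nil {
		k[profile] = raw // cached sessions are still secrets: keep them in the keyring
	}
	return c, nil
}

func main() {
	k, calls, t0 := Keyring{}, 0, time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	fetch := func() (Creds, error) { // constructed stand-in for STS
		calls++
		return Creds{AccessKeyID: fmt.Sprintf("ASIAEXAMPLE%04d", calls), Expiration: t0.Add(time.Hour)}, nil
	}
	for _, at := range []time.Duration{0, 30 * time.Minute, 58 * time.Minute} {
		c, _ := CachedRole(k, "prod", 5*time.Minute, t0.Add(at), fetch)
		fmt.Println(at, c.AccessKeyID, "fetches:", calls)
	}
}
```

The refresh margin bounds how close to expiry a cached session may be handed out; the cache lifetime itself can never exceed the session duration granted for the role.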