WiredTiger / WT-11375

Allow the S3 extension to use AWS SSO

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • 3
    • StorEng - Defined Pipeline

      The AWS credential provider checks for credentials in the order outlined here. Instead of specifying the AWS_ACCESS_KEY, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN as environment variables, the SDK can retrieve the credentials from a profile in the $HOME/.aws/config file. These are the credentials handled by AWS SSO. This means the developer will only have to run aws sso login to retrieve the new temporary credentials.

      To use this method, instead of adding the session_token to the credentials, we can use the default constructor for S3Connection that does not take a credentials object. This will then use the default AWSCredentialProvider, which will follow the steps outlined above.

      Alternatively, we could add an extra bit of logic when establishing the client connection and retrieve the credentials from a profile in the $HOME/.aws/config file if the environment variables don't exist.
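
      A sketch of the fallback described in the alternative above, added here as an example and not taken from the WiredTiger S3 extension or the AWS SDK: it reports which credential source would apply, environment variables first and then an SSO-configured profile. The names credential_source and read_profile and the sample config contents are assumptions for illustration; the cached SSO token itself is not read.

```cpp
// Added example: simplified model of the ticket's fallback, not SDK or WiredTiger code.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
using Env = std::map<std::string, std::string>;
// Constructed sample of $HOME/.aws/config; all values are placeholders.
const std::string SAMPLE_CONFIG =
    "[default]\nregion = us-east-1\n"
    "[profile dev]\nsso_start_url = https://example.invalid/start\n"
    "sso_region = us-east-1\nsso_account_id = 000000000000\nsso_role_name = Dev\n";

static std::string trim(const std::string &s) {
    const size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t\r\n") - b + 1);
}

// Collect the key/value pairs of one profile section ("[default]" or "[profile <name>]").
std::map<std::string, std::string> read_profile(const std::string &config, const std::string &name) {
    const std::string want = name == "default" ? std::string("[default]") : "[profile " + name + "]";
    std::map<std::string, std::string> kv;
    std::istringstream in(config);
    bool inside = false;
    for (std::string line; std::getline(in, line);) {
        line = trim(line);
        if (line.empty() || line[0] == '#' || line[0] == ';') continue;
        if (line[0] == '[') { inside = (line == want); continue; }
        const size_t eq = line.find('=');
        if (inside && eq != std::string::npos) kv[trim(line.substr(0, eq))] = trim(line.substr(eq + 1));
    }
    return kv;
}

// Environment variables win; otherwise fall back to the selected profile.
std::string credential_source(const Env &env, const std::string &config) {
    auto has = [&env](const char *k) { auto it = env.find(k); return it != env.end() && !it->second.empty(); };
    // AWS_ACCESS_KEY_ID is the variable name the AWS SDKs read for the access key.
    if (has("AWS_ACCESS_KEY_ID") && has("AWS_SECRET_ACCESS_KEY"))
        return has("AWS_SESSION_TOKEN") ? "env-temporary" : "env-static";
    const std::string profile = has("AWS_PROFILE") ? env.at("AWS_PROFILE") : "default";
    const auto kv = read_profile(config, profile);
    if (kv.count("sso_session") || kv.count("sso_start_url")) return "sso-profile:" + profile;
    return "none";
}

int main() {
    std::cout << credential_source(Env{{"AWS_PROFILE", "dev"}}, SAMPLE_CONFIG) << "\n";
}
```

      An "env-static" result means long-lived keys without a session token are exported in the environment, which is the case an SSO profile is meant to replace.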

            Assignee:
            backlog-server-storage-engines [DO NOT USE] Backlog - Storage Engines Team
            Reporter:
            sean.watt@mongodb.com Sean Watt