If you try to mount from a CloudShell environment, mount_efs complains that it can't find credentials. I have to get temporary credentials and create an .aws/credentials file for it.

CloudShell provides a very limited IMDSv2-like endpoint that can be used for this purpose:

$ TOKEN=$(curl -XPUT localhost:1338/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
$ curl localhost:1338/latest/meta-data/container/security-credentials -H "X-aws-ec2-metadata-token: $TOKEN"
{
        "LastUpdated": "1970-01-01T00:00:00Z",
        "Type": "",
        "AccessKeyId": "ASIAYYF...",
        "SecretAccessKey": "UJbW..5k",
        "Token": "IQo..MA==",
        "Expiration": "2025-05-15T17:06:59Z",
        "Code": "Success"
}

That endpoint unfortunately can't apparently be used to retrieve anything else, like the region.

Another, more general option, would be to support the usual credential environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. That would allow me to just paste in the export commands from the SSO access portal, instead of having to edit them into the credentials file format.