diff --git a/internal/creds-last-used.go b/internal/creds-last-used.go
index 1acd341..30a44ef 100644
--- a/internal/creds-last-used.go
+++ b/internal/creds-last-used.go
@@ -16,6 +16,24 @@ var credsLastUsedCmd = &cobra.Command{
 		if err != nil {
 			ExitWithError(1, "failed to get last used role", err)
 		}
+		if role.Credentials.IsExpired() {
+			sessions, err := credentials.GetSessions()
+			if err != nil {
+				ExitWithError(2, "failed to parse sso sessions", err)
+			}
+			session := sessions.FindByName(role.SessionName)
+			if session == nil {
+				ExitWithError(3, "failed to find sso session " + role.SessionName, err)
+			}
+			err = session.RefreshRoleCredentials(&role)
+			if err != nil {
+				ExitWithError(4, "failed to get credentials", err)
+			}
+			err = role.Credentials.Save(session.Name, role.CacheKey())
+			if err != nil {
+				ExitWithError(5, "failed to save credentials", err)
+			}
+		}
 		serialized, err := role.Credentials.ToJSON()
 		if err != nil {
 			ExitWithError(2, "failed to serialize role credentials", err)
diff --git a/internal/creds-select.go b/internal/creds-select.go
index 3631d84..c7eb72b 100644
--- a/internal/creds-select.go
+++ b/internal/creds-select.go
@@ -36,6 +36,24 @@ var credsSelectCmd = &cobra.Command{
 			ExitWithError(3, "failed to pick role credentials", err)
 		}
 		selectedRole := selection.Value.(credentials.Role)
+		if selectedRole.Credentials.IsExpired() {
+			sessions, err := credentials.GetSessions()
+			if err != nil {
+				ExitWithError(2, "failed to parse sso sessions", err)
+			}
+			session := sessions.FindByName(selectedRole.SessionName)
+			if session == nil {
+				ExitWithError(3, "failed to find sso session " + selectedRole.SessionName, err)
+			}
+			err = session.RefreshRoleCredentials(&selectedRole)
+			if err != nil {
+				ExitWithError(4, "failed to get credentials", err)
+			}
+			err = selectedRole.Credentials.Save(session.Name, selectedRole.CacheKey())
+			if err != nil {
+				ExitWithError(5, "failed to save credentials", err)
+			}
+		}
 		serialized, err := selectedRole.Credentials.ToJSON()
 		if err != nil {
 			ExitWithError(4, "failed to serialize role credentials", err)