Description
Output of `aws-sso version`:

```text
AWS SSO CLI Version 2.0.3 -- Copyright 2021-2025 Aaron Turner
Homebrew (2.0.3) built at 2025-05-29T15:07:31Z
```
Describe the bug:
`aws-sso-profile` fails when used on a new SSO account. However, `eval $(aws-sso -L debug eval --profile profile -S customer1)` works. Once `eval` is run once on any profile, `aws-sso-profile` will then work from then on with the new SSO account. So that has been my work-around. Might be an edge case, but I thought I should report it in case it is bigger.
PS I did search and replace account IDs, start URL and profile names as this is customer information that I wouldn't want them to find online, shared to the world. Would be like losing your clothes in public.
To Reproduce:
```console
─ > aws-sso --level=debug login -S customer1
DEBUG loading SSO retries=10 maxBackoff=5
DEBUG no CreateTokenResponse for token-response:customer1
DEBUG Created OIDC device code storeKey=customer1 expires=600
Verify this code in your browser: KKFM-VZSZ
Please open the following URL in your browser:
https://customer1.awsapps.com/start/#/device?user_code=KKFM-VZSZ
INFO Waiting for SSO authentication...
INFO Refreshing AWS SSO role cache, please wait... sso=customer1
DEBUG refreshing SSO cache SSOname=customer1
DEBUG Processing 101234567890:AWSAdministratorAccess
DEBUG Processing 101234567890:AWSReadOnlyAccess
DEBUG Worker processing worker=2 accountID=102345678901
DEBUG Worker processing worker=3 accountID=103456789012
DEBUG Worker processing worker=5 accountID=104567890123
DEBUG Worker processing worker=1 accountID=105678901234
DEBUG Worker processing worker=4 accountID=106789012345
DEBUG Worker processing worker=1 accountID=107890123456
DEBUG Processing 105678901234:AWSAdministratorAccess
DEBUG Processing 105678901234:AWSReadOnlyAccess
DEBUG proccessed accounts=1 new_roles=2 total_roles=4
DEBUG Worker processing worker=5 accountID=108901234567
DEBUG Processing 104567890123:AWSAdministratorAccess
DEBUG Processing 104567890123:AWSReadOnlyAccess
DEBUG proccessed accounts=2 new_roles=2 total_roles=6
DEBUG Worker processing worker=2 accountID=109012345678
DEBUG Processing 102345678901:AWSAdministratorAccess
DEBUG Processing 102345678901:AWSReadOnlyAccess
DEBUG proccessed accounts=3 new_roles=2 total_roles=8
DEBUG Worker processing worker=3 accountID=110123456789
DEBUG Processing 103456789012:AWSAdministratorAccess
DEBUG Processing 103456789012:AWSReadOnlyAccess
DEBUG proccessed accounts=4 new_roles=2 total_roles=10
DEBUG Worker processing worker=4 accountID=111234567890
DEBUG Processing 106789012345:AWSAdministratorAccess
DEBUG Processing 106789012345:AWSReadOnlyAccess
DEBUG proccessed accounts=5 new_roles=2 total_roles=12
DEBUG Worker processing worker=2 accountID=112345678901
DEBUG Processing 109012345678:AWSAdministratorAccess
DEBUG Processing 109012345678:AWSReadOnlyAccess
DEBUG proccessed accounts=6 new_roles=2 total_roles=14
DEBUG Worker processing worker=1 accountID=113456789012
DEBUG Processing 107890123456:AWSAdministratorAccess
DEBUG Processing 107890123456:AWSReadOnlyAccess
DEBUG proccessed accounts=7 new_roles=2 total_roles=16
DEBUG Worker processing worker=3 accountID=114567890123
DEBUG Processing 110123456789:AWSAdministratorAccess
DEBUG Processing 110123456789:AWSReadOnlyAccess
DEBUG proccessed accounts=8 new_roles=2 total_roles=18
DEBUG Worker processing worker=5 accountID=116789012345
DEBUG Processing 108901234567:AWSAdministratorAccess
DEBUG Processing 108901234567:AWSReadOnlyAccess
DEBUG proccessed accounts=9 new_roles=2 total_roles=20
DEBUG Worker processing worker=4 accountID=115678901234
DEBUG Processing 111234567890:AWSOrganizationsFullAccess
DEBUG Processing 111234567890:AWSAdministratorAccess
DEBUG Processing 111234567890:AWSReadOnlyAccess
DEBUG proccessed accounts=10 new_roles=3 total_roles=23
DEBUG Worker processing worker=1 accountID=117890123456
DEBUG Processing 113456789012:AWSOrganizationsFullAccess
DEBUG Processing 113456789012:AWSAdministratorAccess
DEBUG Processing 113456789012:AWSReadOnlyAccess
DEBUG proccessed accounts=11 new_roles=3 total_roles=26
DEBUG Processing 114567890123:AWSAdministratorAccess
DEBUG Processing 114567890123:AWSReadOnlyAccess
DEBUG proccessed accounts=12 new_roles=2 total_roles=28
DEBUG Processing 112345678901:AWSAdministratorAccess
DEBUG Processing 112345678901:AWSReadOnlyAccess
DEBUG proccessed accounts=13 new_roles=2 total_roles=30
DEBUG Processing 115678901234:AWSAdministratorAccess
DEBUG Processing 115678901234:AWSReadOnlyAccess
DEBUG proccessed accounts=14 new_roles=2 total_roles=32
DEBUG Processing 116789012345:AWSAdministratorAccess
DEBUG Processing 116789012345:AWSReadOnlyAccess
DEBUG proccessed accounts=15 new_roles=2 total_roles=34
DEBUG Processing 117890123456:AWSOrganizationsFullAccess
DEBUG Processing 117890123456:AWSAdministratorAccess
DEBUG Processing 117890123456:AWSReadOnlyAccess
DEBUG proccessed accounts=16 new_roles=3 total_roles=37
INFO Updated cache added=37 deletd=0
```

```console
─ > aws-sso-profile customer1-Sandbox-01:AWSAdministratorAccess -S customer1
FATAL Must run `aws-sso login` before running `aws-sso eval`
```

[no `--level` switch option here]

```console
─ > eval $(aws-sso -L debug eval --profile customer1-Sandbox-01:AWSAdministratorAccess -S customer1)
DEBUG loading SSO retries=10 maxBackoff=5
DEBUG Getting role credentials arn=arn:aws:iam::115678901234:role/AWSAdministratorAccess
DEBUG Fetching STS token from AWS SSO
DEBUG SSOConfig.GetRole() error="unable to find 115678901234:AWSAdministratorAccess" config="&{settings:0xc0000d2848 key:customer1 SSORegion:eu-central-1 StartUrl:https://customer1.awsapps.com/start Accounts:map[] DefaultRegion: AuthUrlAction:print MaxBackoff:5 MaxRetry:10}"
DEBUG Getting role directly accountID=115678901234 role=AWSAdministratorAccess
DEBUG Retrieved role credentials from AWS SSO
```

```console
─ > find ~/.config/aws-sso/ -mmin -1
/home/david/.config/aws-sso/cache.json
```
I should have kept a before and after. It seems to just update the LastUpdate field. I also tried removing the new account from cache.json, but still couldn't reproduce the issue. So something is being altered somewhere else, some other way.
Expected behavior:
`aws-sso-profile` to work.
Desktop:
- OS: Debian
- Version 12
Additional context:
I tried this in a new local user. Fresh, clean slate. Same experience, but the output changed for one step.

```console
─ > aws-sso-profile customer1-Sandbox-01:AWSAdministratorAccess -S customer1
FATAL Must run `aws-sso login` before running `aws-sso eval`
```

was:

```console
─ > aws-sso-profile customer1-Sandbox-01:AWSAdministratorAccess -S customer1
FATAL unable to locate role with Profile: customer1-Sandbox-01:AWSAdministratorAccess
```

BONUS: notice the typo in the debug output?

```text
INFO Updated cache added=37 deletd=0
```

Should be:

```text
INFO Updated cache added=37 deleted=0
```
Contents of `~/.aws-sso/config.yaml`:

```yaml
SSOConfig:
  customer2:
    SSORegion: eu-central-1
    StartUrl: https://customer2.awsapps.com/start
    AuthUrlAction: print
  customer1:
    SSORegion: eu-central-1
    StartUrl: https://customer1.awsapps.com/start
    AuthUrlAction: print
  customer3:
    SSORegion: eu-central-1
    StartUrl: https://customer3.awsapps.com/start
    AuthUrlAction: print
DefaultSSO: customer3
SecureStore: pass
DefaultRegion: eu-central-1
ConsoleDuration: 720
CacheRefresh: 48
Threads: 5
MaxBackoff: 5
MaxRetry: 10
AutoConfigCheck: true
UrlAction: printurl
ConfigProfilesUrlAction: open
LogLevel: warn
HistoryLimit: 10
HistoryMinutes: 1440
ProfileFormat: "{{ .SSO }}-{{ FirstItem .AccountName (.AccountAlias | nospace) }}:{{ .RoleName }}"
AccountPrimaryTag:
  - AccountName
  - AccountAlias
  - Email
PromptColors:
  descriptionbgcolor: Turquoise
  descriptiontextcolor: Black
  inputbgcolor: DefaultColor
  inputtextcolor: DefaultColor
  prefixbackgroundcolor: DefaultColor
  prefixtextcolor: Blue
  previewsuggestionbgcolor: DefaultColor
  previewsuggestiontextcolor: Green
  scrollbarbgcolor: Cyan
  scrollbarthumbcolor: LightGrey
  selecteddescriptionbgcolor: DarkGray
  selecteddescriptiontextcolor: White
  selectedsuggestionbgcolor: DarkGray
  selectedsuggestiontextcolor: White
  suggestionbgcolor: Cyan
  suggestiontextcolor: White
ListFields:
  - AccountIdPad
  - AccountAlias
  - RoleName
  - Profile
  - Expires
FullTextSearch: true
```
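The `ProfileFormat` template above is what turns a cached account and role into the profile name passed to `aws-sso-profile` (for example `customer1-Sandbox-01:AWSAdministratorAccess`), and the failing command has to reverse that mapping against the role cache to find `115678901234:AWSAdministratorAccess`. The following Go program, added here as an illustration and not code from the aws-sso-cli project, renders that exact template over a few constructed entries and builds the reverse index, so it shows the two ways the lookup can fail: the role is simply not in the cache (the "unable to locate role with Profile" case), or two roles render to the same profile name. The `RoleEntry` struct, the `SampleEntries` data and the semantics of `FirstItem` (first non-empty argument) and `nospace` (strip whitespace) are assumptions for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// RoleEntry holds the per-role fields the ProfileFormat template references
// (.SSO, .AccountName, .AccountAlias, .RoleName) plus the account ID needed
// for the reverse lookup. The struct layout is an assumption for this example.
type RoleEntry struct {
	SSO          string
	AccountID    string
	AccountName  string
	AccountAlias string
	RoleName     string
}

// ProfileFormat is the template from the config.yaml in the report.
const ProfileFormat = `{{ .SSO }}-{{ FirstItem .AccountName (.AccountAlias | nospace) }}:{{ .RoleName }}`

// firstItem returns the first non-empty argument (assumed semantics of FirstItem).
func firstItem(items ...string) string {
	for _, s := range items {
		if s != "" {
			return s
		}
	}
	return ""
}

// nospace removes all whitespace (assumed semantics of nospace).
func nospace(s string) string {
	return strings.Join(strings.Fields(s), "")
}

var profileTmpl = template.Must(template.New("profile").Funcs(template.FuncMap{
	"FirstItem": firstItem,
	"nospace":   nospace,
}).Parse(ProfileFormat))

// ProfileName renders the profile name for one cached role.
func ProfileName(e RoleEntry) (string, error) {
	var buf bytes.Buffer
	if err := profileTmpl.Execute(&buf, e); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// BuildIndex maps rendered profile name -> "accountID:RoleName". It rejects
// collisions, because two roles rendering to the same profile name would make
// the reverse lookup ambiguous.
func BuildIndex(entries []RoleEntry) (map[string]string, error) {
	index := make(map[string]string, len(entries))
	for _, e := range entries {
		name, err := ProfileName(e)
		if err != nil {
			return nil, err
		}
		target := e.AccountID + ":" + e.RoleName
		if prev, dup := index[name]; dup && prev != target {
			return nil, fmt.Errorf("profile %q maps to both %s and %s", name, prev, target)
		}
		index[name] = target
	}
	return index, nil
}

// LookupProfile resolves a profile name to its accountID:role and reports
// whether the role is present in the index at all.
func LookupProfile(index map[string]string, profile string) (string, bool) {
	target, ok := index[profile]
	return target, ok
}

// SampleEntries is constructed for this example; the names and the
// "Prod Shared" alias are made up, the account IDs are taken from the log above.
var SampleEntries = []RoleEntry{
	{SSO: "customer1", AccountID: "115678901234", AccountName: "Sandbox-01", AccountAlias: "sandbox 01", RoleName: "AWSAdministratorAccess"},
	{SSO: "customer1", AccountID: "115678901234", AccountName: "Sandbox-01", AccountAlias: "sandbox 01", RoleName: "AWSReadOnlyAccess"},
	{SSO: "customer1", AccountID: "111234567890", AccountName: "", AccountAlias: "Prod Shared", RoleName: "AWSOrganizationsFullAccess"},
}

func main() {
	index, err := BuildIndex(SampleEntries)
	if err != nil {
		panic(err)
	}
	for _, p := range []string{
		"customer1-Sandbox-01:AWSAdministratorAccess",
		"customer1-ProdShared:AWSOrganizationsFullAccess",
		"customer1-NotCached-01:AWSAdministratorAccess",
	} {
		if target, ok := LookupProfile(index, p); ok {
			fmt.Printf("%s -> %s\n", p, target)
		} else {
			fmt.Printf("%s -> unable to locate role with Profile\n", p)
		}
	}
}
```

The third lookup in `main` deliberately names a profile that is not in the index; a profile that renders correctly from the template but whose account was never written to the cache fails in exactly the same way, which is why the reporter's "unable to locate role with Profile" message points at the cache contents rather than at the profile string itself.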