SSO token provider configuration not supported

[adonskoy]

Describe the bug AWS IAM Identity Center (successor to AWS Single Sign-On) introduces a new kind of configuration, sso-session, which can be referenced by a profile. The toolkit does not load profile when sso_session is used.

To reproduce

1. Configure the new profile via aws configure sso
2. Open IDE
3. Get an informational message that the profile was not loaded with following detail error: java.lang.IllegalArgumentException: Profile 'test-profile' is not using role-based, session-based, process-based, or basic credentials.

Expected behavior The toolkit recognizes this type of profile and allows you to use it.

Your Environment

• OS: macOS 13.0.1
• JetBrains product: WebStorm
• JetBrains product version: 2022.3
• AWS Toolkit version: 1.56-223
• SAM CLI version:
• JVM/Python version:

[MattWiersma]

I am seeing the same issue using the AwsToolkit in IntelliJ:

the config file that I am using looks like this:

[profile silver]
sso_session = my-sso
sso_account_id = 555614872555
sso_role_name = silver-developer
region = us-west-2
output = json

[sso-session my-sso]
sso_start_url = https://my-login-source.awsapps.com/start/
sso_region = us-west-2

[dylanenabled]

I am having the same issue, it doesn't support sso_session.

[petercoulton]

Had a quick look at the code and it's currently checking the profile for the sso_start_url property, but doesn't have a branch for profiles using the sso_session property.

A work around that works for me is to create an additional profile and copy the sso-session fields e.g.:

[profile silver]
sso_session = my-sso
sso_account_id = 555614872555
sso_role_name = silver-developer
region = us-west-2
output = json

[sso-session my-sso]
sso_start_url = https://my-login-source.awsapps.com/start/
sso_region = us-west-2

[profile silver-ide]
sso_start_url = https://my-login-source.awsapps.com/start/
sso_region = us-west-2
sso_account_id = 555614872555
sso_role_name = silver-developer
region = us-west-2
output = json

[edeesis]

We recently ran into this as well, looks like the workaround is to hit enter on the SSO session name (Recommended): prompt, and the CLI will use the old Legacy format.

[tkhill-AWS]

We will advising users in the SDK guides to use a default profile as shown in the following sample. But I'm currently getting the same error as the others, but with this error message, java.lang.IllegalArgumentException: Profile 'default' is not using role-based, session-based, process-based, or basic credentials.

[default]
sso_session = my-sso
sso_account_id = 1234567890
sso_role_name = AdministratorAccess
region = us-east-1
output = json

[sso-session my-sso]
sso_start_url = https://blahblah.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[leonchik1976]

Same issue with PyCharm

[frankwese]

As a workaround it is sufficient to copy the sso_start_url and sso_region properties from the [sso-session] block into the [profile] block

[profile my-sso]
sso_session = my-sso
sso_account_id = 1234567890
sso_role_name = AWSAdministratorAccess
region = eu-central-1
output = json
sso_start_url = https://dings-bums.awsapps.com/start
sso_region = eu-central-1

[sso-session my-sso]
sso_start_url = https://dings-bums.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

[JKomoroski]

I ran into this issue today. I was able to work around it following the work around above from @frankwese

[adonskoy]

@rli, it's been about a year since aws introduced sso sessions. Any estimate on when this will be supported in the toolkit?