Description
Describe the bug
When running aws configure sso, I want to be able to pass default as the profile name so that the resulting config is simply written to my default profile. The CLI seems to recognize this as a valid option, as it appropriately omits the --profile argument on the output it prints at the end, encouraging me to test the credentials (when using a profile name other than default, it adds a --profile <name of profile> at the end):
The AWS CLI is now configured to use the default profile.
Run the following command to verify your configuration:
aws sts get-caller-identity
However, it does something very confusing: it writes the values that it collects to the wrong section of the ~/.aws/config file. It writes them to [default] instead of [profile default], which means that if an account other than the one being selected had previously been written to [profile default], that account will remain there.
This caused lots and lots of confusion, though I recognize now that I could have sorted this out sooner if I paid closer attention to the output of get-caller-identity 😞
Regression Issue
- Select this option if this issue appears to be a regression.
Expected Behavior
$ aws configure sso
SSO session name [session_name]:
There are 2 AWS accounts available to you.
Using the account ID 4662*********
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
Default client Region [us-east-2]: us-east-1
CLI default output format (json if not specified) [None]:
Profile name [AdministratorAccess-4662*********]: default
The AWS CLI is now configured to use the default profile.
Run the following command to verify your configuration:
aws sts get-caller-identity
$ aws sts get-caller-identity --no-cli-pager
{
"UserId": "AROA*********:mikhail@session_name.ai",
"Account": "4662*********",
"Arn": "arn:aws:sts::4662*********:assumed-role/AWSReservedSSO_AdministratorAccess_6524fde39e1c398d/mikhail@session_name.ai"
}
$ head -10 ~/.aws/config
[default]
region = us-east-1
output = json
sso_session = session_name
[profile default]
sso_session = session_name
sso_account_id = 4662*********
sso_role_name = AdministratorAccess
Current Behavior
Note that the account number in get-caller-identity and in [profile default] do not match the number that is given to sso configure.
$ aws configure sso
SSO session name [session_name]:
There are 2 AWS accounts available to you.
Using the account ID 4662*********
The only role available to you is: AdministratorAccess
Using the role name "AdministratorAccess"
Default client Region [us-east-2]: us-east-1
CLI default output format (json if not specified) [None]:
Profile name [AdministratorAccess-4662*********]: default
The AWS CLI is now configured to use the default profile.
Run the following command to verify your configuration:
aws sts get-caller-identity
$ aws sts get-caller-identity --no-cli-pager
{
"UserId": "AROA*********:mikhail@session_name.ai",
"Account": "3111*********",
"Arn": "arn:aws:sts::3111*********:assumed-role/AWSReservedSSO_AdministratorAccess_6524fde39e1c398d/mikhail@session_name.ai"
}
$ head -10 ~/.aws/config
[default]
region = us-east-1
output = json
sso_session = session_name
sso_account_id = 4662*********
sso_role_name = AdministratorAccess
[profile default]
sso_session = session_name
sso_account_id = 3111*********
sso_role_name = AdministratorAccess
Reproduction Steps
- Execute aws sso configure
- Follow the prompts
- Specify default as the profile name on the last question
Possible Solution
No response
Additional Information/Context
No response
CLI version used
2.27.10
Environment details (OS name and version, etc.)
macOS 15.4.1 (24E263)
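A check for the state this report describes, added here as an example; it is not part of the original issue and not AWS CLI code. It reports every key that differs between [default] and [profile default] in a config file, so a stale account ID in one section is visible before any command runs against it. The function name `find_default_conflicts` is hypothetical, and the sample text is constructed from the masked values shown under "Current Behavior".

```python
import configparser
import os
import sys

# Constructed sample: the file contents shown under "Current Behavior",
# with the account IDs left masked exactly as the report masks them.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
output = json
sso_session = session_name
sso_account_id = 4662*********
sso_role_name = AdministratorAccess
[profile default]
sso_session = session_name
sso_account_id = 3111*********
sso_role_name = AdministratorAccess
"""


def find_default_conflicts(config_text):
    """Return {key: (value in [default], value in [profile default])} for
    each key whose value differs between the two sections (None marks a key
    absent from one of them). Returns {} unless both sections exist."""
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    if not (parser.has_section("default") and parser.has_section("profile default")):
        return {}
    bare = dict(parser.items("default"))
    prefixed = dict(parser.items("profile default"))
    return {
        key: (bare.get(key), prefixed.get(key))
        for key in sorted(set(bare) | set(prefixed))
        if bare.get(key) != prefixed.get(key)
    }


if __name__ == "__main__":
    # AWS_CONFIG_FILE overrides the default config location when it is set.
    path = os.environ.get("AWS_CONFIG_FILE", os.path.expanduser("~/.aws/config"))
    with open(path, encoding="utf-8") as handle:
        conflicts = find_default_conflicts(handle.read())
    for key, (bare_value, prefixed_value) in conflicts.items():
        print(f"{key}: [default]={bare_value!r} [profile default]={prefixed_value!r}")
    # A differing sso_account_id or sso_role_name means the two sections
    # point at different identities; exit non-zero so scripts can gate on it.
    sys.exit(1 if {"sso_account_id", "sso_role_name"} & conflicts.keys() else 0)
```

Run against the sample above, the check flags sso_account_id with the two masked values from the report, which is the mismatch that get-caller-identity exposed.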