TL;DR: Creating a ZSH alias that runs aws sso login appeared to succeed, but subsequent commands failed with "no credentials found" because the alias was not correctly setting the profile for downstream tools.
I was trying to streamline my workflow by adding an alias to my .zshrc to automate logging into a specific AWS SSO profile. The goal was simple: run one command, and have all subsequent AWS CLI commands work immediately using that authenticated session.
The alias looked like this in my .zshrc:
alias awslogin="aws sso login --profile 123456789012_AWSEngineerAccessRole"
When I ran awslogin, the terminal returned:
Login successful
However, as soon as I tried to list my S3 buckets using that same profile, the CLI threw a credential error:
fatal error: An error occurred (NoCredentialsError) when calling the ListBuckets operation: unable to locate credentials.
The Root Cause
The issue was not with the SSO login itself — the browser-based authentication was completing successfully and updating the token cache in ~/.aws/sso/cache. The problem was a mismatch between how I was initiating the session and how my AWS configuration was structured.
In my ~/.aws/config, I had defined the profile like this:
[profile 123456789012_AWSEngineerAccessRole]
sso_start_url = https://your-org.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 123456789012
sso_role_name = AWSEngineerAccessRole
region = eu-west-2
While aws sso login --profile <name> successfully refreshed the SSO token, subsequent commands were failing because they were not explicitly told to use that specific profile. The AWS CLI defaults to looking for a [default] profile or AWS_ACCESS_KEY_ID environment variables. Since neither was set, it found nothing — even though the SSO token was valid.
The Fix
Update the alias to also export AWS_PROFILE after a successful login:
alias awslogin='aws sso login --profile 123456789012_AWSEngineerAccessRole && export AWS_PROFILE=123456789012_AWSEngineerAccessRole'
The && means the export only runs if the login succeeded. From that point, every subsequent command in the shell session picks up the correct profile automatically — no --profile flag needed.
Verification:
$ awslogin
Login successful
$ aws s3 ls
[your buckets appear]
$ aws sts get-caller-identity
{
"UserId": "...",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/AWSEngineerAccessRole/..."
}
The sts get-caller-identity check is worth adding to your alias or running manually after login — it confirms the session is actually active, not just that the token handshake completed.
Top comments (0)