DEV Community

nareshipme
nareshipme

Posted on

Fixing "No Credentials Found" when using AWS SSO Profiles in Zsh

#aws #cli #zsh #devops

TL;DR: An AWS SSO login was successful, but subsequent AWS commands failed with "No credentials found" because the shell alias was pointing to a profile name that didn't match the configured credential block in ~/.aws/config.

I wanted to automate my AWS authentication by creating an alias in my .zshrc to trigger the SSO login process. After running the command, the terminal reported Login successful, but any subsequent attempt to list S3 buckets or use the AWS CLI resulted in a credential error.

The issue stemmed from a mismatch between how the profile was defined in ~/.aws/config and how I was calling it via the CLI.

Here is the configuration block I had in my ~/.aws/config:

[profile 123456789012_AWSEngineerAccessRole]
sso_start_url = https://your-org.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 123456789012
sso_role_name = AWSEngineerAccessRole
region = eu-west-2
Enter fullscreen mode Exit fullscreen mode

When I ran my login command, the output was:

Login successful
Enter fullscreen mode Exit fullscreen mode

However, running a basic AWS command immediately after produced this error:

Unable to locate credentials. You can configure credentials manually via the 'aws configure' command.
Enter fullscreen mode Exit fullscreen mode

The failure happened because even though the SSO session was active in the background, the AWS CLI does not automatically know which profile to use for subsequent commands unless explicitly instructed. If my alias or environment variable was pointing to a generic default profile, the CLI looked for credentials under [default], found nothing, and failed—ignoring the fact that a valid SSO session existed for the specific 123456789012_AWSEngineerAccessRole profile.

To fix this, I updated my .zshrc alias to ensure every command explicitly references the correct profile name defined in the config file:

# Before (failed because it defaulted to 'default' profile)
alias awslogin="aws sso login"

# After (explicitly targets the SSO profile)
alias awslogin="aws sso login --profile 123456789012_AWSEngineerAccessRole"
alias aws='aws --profile 123456789012_AWSEngineerAccessRole'
Enter fullscreen mode Exit fullscreen mode

By appending --profile 123456789012_AWSEngineerAccessRole to the login command, the CLI maps the successful authentication token specifically to that profile block. By aliasing aws itself, I ensure all subsequent commands bypass the empty [default] profile and use the authenticated SSO session.

Top comments (0)