You’re trying to use AWS CLI with IAM Identity Center SSO profiles. You run aws sso login --profile my-sso-profile and immediately hit an error. Or the profile works once, but after a few hours it stops working. Or you’ve set up everything correctly but boto3 (Python SDK) still can’t find your credentials. In this post, I’ll show you how to fix the most common AWS CLI SSO issues.

The Problem

Running aws sso login --profile my-sso-profile fails with errors such as:

Error loading SSO Token: Token for d-xxxxxxxxxxxxxxxx/us-east-1/aws-portal does not exist
SSO Token has expired
The SSO configuration profile is invalid or profile is not configured correctly to use SSO

Or: AWS CLI works, but boto3 throws credential errors, or the token has expired and you have to re-run aws sso login.

Error Message                                  | Root Cause
“Token for xxx does not exist”                 | ~/.aws/cli/cache/ is missing the cached token
“SSO Token has expired”                        | Token is older than 8 hours; needs refresh
“InvalidParameterException: No SSO config”     | Profile missing required SSO parameters
“Profile is not configured correctly”          | sso_start_url, sso_account_id, or sso_role_name missing
“Unable to parse response as XML”              | Wrong region set for sso_region

Why Does This Happen?

  • Missing required profile fields: The ~/.aws/config file is missing one or more required fields: sso_start_url, sso_account_id, sso_role_name, or sso_region.

  • SSO token has expired: Tokens are valid for 8 hours by default. After expiry, you must run aws sso login again to refresh.

  • Using SDK before SSO login: boto3 or other SDKs attempt to load credentials before the user has run aws sso login. The cached token file doesn’t exist yet.

  • Multiple profiles pointing to different start URLs: If you have multiple SSO profiles from different AWS accounts or IdPs, a misconfigured profile can cause conflicts.

  • Credential process configuration conflict: If your profile also has a credential_process directive, it can conflict with SSO configuration.

The Fix

Step 1: Verify Your Profile Configuration

Check ~/.aws/config for the correct structure:

[profile my-sso-profile]
sso_start_url = https://my-org.awsapps.com/start
sso_account_id = 123456789012
sso_role_name = PowerUserAccess
sso_region = us-east-1
region = us-east-1

All four SSO fields are required. If any are missing, add them.

Step 2: Use aws configure sso to Auto-Generate Profile

Instead of manually editing ~/.aws/config, use the interactive CLI setup:

aws configure sso --profile my-sso-profile

You’ll be prompted for:

  • SSO start URL (from your IAM Identity Center portal)
  • SSO region (region where IAM Identity Center is set up, usually us-east-1)
  • Account ID (AWS account you want to access)
  • Role name (permission set name, e.g., “PowerUserAccess”)

This ensures the profile is correctly formatted.

Step 3: Log In and Cache Token

aws sso login --profile my-sso-profile

This opens your default browser and prompts you to authenticate with your IdP. Once authenticated, the token is cached locally in ~/.aws/cli/cache/.

Step 4: Verify Credentials Are Loaded

aws sts get-caller-identity --profile my-sso-profile

If this succeeds, your profile is working. You’ll see your account ID, user ARN, and a message showing the assumed role ARN.

Step 5: Check Token Cache (Advanced)

If you want to see cached tokens (useful for debugging):

ls -la ~/.aws/cli/cache/

Tokens are JSON files with timestamps. If the file is older than 8 hours, the token has expired and you need to run aws sso login again.
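As an added example covering Steps 1 and 5 (this is not code from the original post), a small Python helper that reports which of the four required SSO keys a profile in ~/.aws/config lacks, and that reads a cached token JSON file's expiresAt timestamp rather than judging expiry from file age. The config text and cache entry below are constructed samples; the expiresAt field name is the one the CLI writes into its cache files.

```python
import configparser
import json
from datetime import datetime, timezone

# The four profile keys that Step 1 says every SSO profile needs.
REQUIRED_SSO_KEYS = ("sso_start_url", "sso_account_id", "sso_role_name", "sso_region")


def missing_sso_fields(config_text, profile):
    """Return the required SSO keys that [profile <name>] lacks.

    config_text is the content of an ~/.aws/config file (for real use:
    open(os.path.expanduser("~/.aws/config")).read()). The default
    profile lives in the bare [default] section, every other one in
    [profile <name>].
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not parser.has_section(section):
        return list(REQUIRED_SSO_KEYS)  # whole profile is absent
    return [k for k in REQUIRED_SSO_KEYS if not parser.has_option(section, k)]


def token_expired(cache_json, now=None):
    """True when the cached token's expiresAt (ISO 8601 UTC, '...Z') has passed."""
    data = json.loads(cache_json)
    expires = datetime.fromisoformat(data["expiresAt"].replace("Z", "+00:00"))
    return expires <= (now or datetime.now(timezone.utc))


# Constructed sample config: one complete profile and one missing two keys.
SAMPLE_CONFIG = """\
[profile my-sso-profile]
sso_start_url = https://my-org.awsapps.com/start
sso_account_id = 123456789012
sso_role_name = PowerUserAccess
sso_region = us-east-1
region = us-east-1

[profile broken-profile]
sso_start_url = https://my-org.awsapps.com/start
sso_account_id = 123456789012
"""

# Constructed sample cache entry (same shape as a real one; the token is a placeholder).
SAMPLE_TOKEN = json.dumps({
    "startUrl": "https://my-org.awsapps.com/start",
    "region": "us-east-1",
    "accessToken": "PLACEHOLDER-NOT-A-REAL-TOKEN",
    "expiresAt": "2024-01-01T20:00:00Z",
})

if __name__ == "__main__":
    print("missing keys:", missing_sso_fields(SAMPLE_CONFIG, "broken-profile"))
    print("token expired:", token_expired(SAMPLE_TOKEN))
```

To check a real cache directory, loop over the JSON files in it and pass each file's contents to token_expired.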

How to Run This

  1. Open ~/.aws/config and verify your profile has all four SSO fields
  2. Run aws configure list --profile my-sso-profile to display current profile settings
  3. If anything is missing, run aws configure sso --profile my-sso-profile and re-enter values
  4. Run aws sso login --profile my-sso-profile to authenticate and cache the token
  5. Test: aws sts get-caller-identity --profile my-sso-profile
  6. For SDK use (boto3), ensure you have run aws sso login first; if your code does not pass profile_name, set the AWS_PROFILE=my-sso-profile environment variable so the SDK picks up the profile

Bonus: Using SSO Profile with boto3

In Python, after you’ve run aws sso login, use:

import boto3

session = boto3.Session(profile_name='my-sso-profile')
s3 = session.client('s3')

Ensure aws sso login --profile my-sso-profile has been run before executing the script.

Is This Safe?

Yes. Running aws sso login only caches a temporary token locally. The token can’t be used outside your session, and it expires automatically after 8 hours. You’re not storing long-term credentials.

Key Takeaway

AWS CLI SSO requires four configuration fields, a fresh token cached via aws sso login, and matching profiles between CLI and SDK. Always use aws configure sso to generate profiles—it prevents typos and configuration errors.


Have questions or ran into a different SSO issue? Connect with me on LinkedIn or X.