aws configure sso generates inconsistent config when session name contains a space #10116

@xkjjx

Description

Disclosure

I faced this issue when I was setting up SSO with the assistance of Claude, and it identified this issue and helped me remedy it. Thus I found it natural to use it in generating a clear description of the bug. I used Claude to assist me in generating everything after this section.

Summary

When a user enters an SSO session name containing a space (e.g., "My Session") during aws configure sso, the CLI generates a ~/.aws/config file where the [sso-session] section header wraps the name in single quotes but profile entries reference it without quotes. The AWS CLI tolerates this mismatch, but the AWS SDK for JavaScript (used by tools like AWS CDK) does not, resulting in credential resolution failures.

Workaround

Use a session name without spaces (e.g., my-session).

Environment

> aws --version
aws-cli/2.15.46 Python/3.11.8 Darwin/24.3.0 exe/x86_64 prompt/off

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

One of the following:

  1. Reject spaces in session names during aws configure sso with a validation error, or
  2. Generate consistent references so that the section header and profile values match regardless of how downstream tools parse the config file

Current Behavior

The CLI generates the following in ~/.aws/config:

[profile AdministratorAccess-123456789012]
sso_session = My Session
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1

[sso-session 'My Session']
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start/
sso_region = us-east-1
sso_registration_scopes = sso:account:access

Note the mismatch: the profile references sso_session = My Session (no quotes) while the section header is [sso-session 'My Session'] (with quotes).

  • aws sso login --profile AdministratorAccess-123456789012 succeeds
  • AWS CDK cdk bootstrap --profile AdministratorAccess-123456789012 fails with:
    AuthenticationError: Need to perform AWS calls for account 123456789012,
    but no credentials have been configured
    

Reproduction Steps

  1. Run aws configure sso
  2. Enter a session name with a space, e.g., My Session
  3. Complete the SSO configuration flow
  4. Run a CDK command with the AWS profile you just configured

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.15.46 Python/3.11.8 Darwin/24.3.0 exe/x86_64 prompt/off

Environment details (OS name and version, etc.)

macOS 15.3.1

Labels

  • bug: This issue is a bug.
  • needs-review: This issue or pull request needs review from a core team member.
  • p3: This is a minor priority issue
  • sso
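
A pre-flight check for the mismatch described in this issue, as an added example (not part of the original report, and not AWS CLI or SDK code): it compares each profile's sso_session value with the [sso-session ...] header names exactly as written and reports references that match a header only once quotes are stripped. The function names and the literal-comparison rule are assumptions for illustration; the sample text is the config quoted in the issue.

```python
import re

# Constructed sample: the ~/.aws/config text shown in the issue above.
SAMPLE = """\
[profile AdministratorAccess-123456789012]
sso_session = My Session
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1

[sso-session 'My Session']
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start/
sso_region = us-east-1
sso_registration_scopes = sso:account:access
"""

HEADER = re.compile(r"^\[\s*(profile|sso-session)\s+(.+?)\s*\]$")

def parse_sections(text):
    """Map (kind, name) -> properties, keeping header names exactly as written."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            m = HEADER.match(line)
            key = m.groups() if m else ("profile", "default") if line == "[default]" else None
            current = sections.setdefault(key, {}) if key else None
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            current[name.strip()] = value.strip()
    return sections

def find_sso_session_mismatches(text):
    """Return (profile, sso_session value, differently quoted header or None)."""
    sections = parse_sections(text)
    headers = [name for kind, name in sections if kind == "sso-session"]
    findings = []
    for (kind, profile), props in sections.items():
        ref = props.get("sso_session")
        if kind != "profile" or ref is None or ref in headers:
            continue
        # A header equal to the reference once quotes are stripped is the
        # quoting mismatch from the issue; None means no such session at all.
        near = [h for h in headers if h.strip("'\"") == ref.strip("'\"")]
        findings.append((profile, ref, near[0] if near else None))
    return findings

if __name__ == "__main__":
    for profile, ref, header in find_sso_session_mismatches(SAMPLE):
        print(f"{profile}: sso_session={ref!r} vs header {header!r}")
```

Running a check like this before handing a profile to other tooling surfaces the inconsistency as a config finding rather than as a "no credentials have been configured" error later on.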
