Cannot retrieve region information from SSO sessions #385

Open
@aetos382

Describe the bug

A procedure that works in aws cli does not work in PowerShell Tools.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

The SSO functionalities in PowerShell Tools work the same way as in the aws cli.

Current Behavior

PowerShell commands cannot retrieve region information from SSO sessions.

Reproduction Steps

The following script works correctly.

> aws configure sso
SSO session name (Recommended): example-session-cli
SSO start URL [None]: https://example.awsapps.com/start
SSO region [None]: us-east-2
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://oidc.us-east-2.amazonaws.com/authorize?(snip)
The only AWS account available to you is: xxxxxxxxxxxx
Using the account ID xxxxxxxxxxxx
The only role available to you is: ReadOnly
Using the role name "ReadOnly"
Default client Region [None]: ap-northeast-1
CLI default output format (json if not specified) [None]:
Profile name [ReadOnly-xxxxxxxxxxxx]: example-cli
To use this profile, specify the profile name using --profile, as shown:

aws sts get-caller-identity --profile example-cli

> aws sts get-caller-identity --profile example-cli
{
    "UserId": "xxxxxxxxxxxx",
    "Account": "xxxxxxxxxxxx",
    "Arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/(snip)"
}

The following script will generate an error.

> Import-Module AWSPowerShell.NetCore
> Initialize-AWSSSOConfiguration
SSO start URL: https://example.awsapps.com/start
SSO Region: us-east-2
SSO registration scopes [sso:account:access]:
SessionName [sso-session-example]: example-session-posh

Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://example.awsapps.com/start/#/device/?user_code=XXXX-XXXX

Verification code:

XXXX-XXXX

SSO authentication successful for the sso-session example-session-posh.

The only AWS account Id available to you is: xxxxxxxxxxxx
Using the account Id: xxxxxxxxxxxx
The only AWS role name available to you is: ReadOnly
Using the role name : ReadOnly
Profile region [None]: ap-northeast-1
ProfileName [xxxxxxxxxxxx-ReadOnly]: example-posh

To use this profile, specify the profile name using -ProfileName, as shown:


Get-S3Bucket -ProfileName 'example-posh'

> Get-STSCallerIdentity -ProfileName example-posh
Get-STSCallerIdentity: No region specified or obtained from persisted/shell defaults.

Possible Solution

It works by supplementing the -Region parameter as follows:

Get-STSCallerIdentity -ProfileName example-posh -Region ap-northeast-1

Additional Information/Context

No response

AWS Tools for PowerShell version used

AWSPowerShell.NetCore 4.1.843

PowerShell version used

Name                           Value
PSVersion                      7.5.1
PSEdition                      Core
GitCommitId                    7.5.1
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Operating System and version

Windows 11

Labels: bug (This issue is a bug.), module/powershell-cmdlets, needs-triage (This issue or PR still needs to be triaged.), p2 (This is a standard priority issue)
