
Unable to access SSO credentials due to mismatch in hashing behavior compared to the AWS CLI #3412


Closed
1 task
justinpombrio opened this issue May 8, 2025 · 3 comments
Labels
bug This issue is a bug. needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue

Comments

@justinpombrio
Copy link

Describe the bug

If the sso_start_url ends with /#, then there's a difference in the hashes computed by aws sso login (which includes the #) and this CPP client (which excludes the #). These hashes are used as the filenames in ~/.aws/sso/cache/*.json, so the CPP client can't find the SSO cache file, fails to connect, and prints a 403 error.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

After I run aws sso login and aws s3 ls (both successful), I can also access S3 resources using this CPP client.

Current Behavior

Despite aws sso login and aws s3 ls both succeeding, the CPP client reports the error:

[ERROR] 2025-05-07 16:24:48.374 AWSXmlClient [131720638338688] HTTP response code: 403
Resolved remote host IP address: 52.219.93.58
Request ID: TPGTKY5PXV0B0BRG
Exception name: AccessDenied
Error message: AccessDenied

Reproduction Steps

Use a sso_start_url that ends with # in ~/.aws/config.

(If you already have cached credentials for that start url without the #, also delete the caches.)

Possible Solution

From the behavior I've seen, I suspect that GetCachedConfigProfile is normalizing the URL (removing the trailing #) before it's hashed by SSOCredentialsProvider. It should be normalizing after hashing, instead.

Additional Information/Context

No response

AWS CPP SDK version used

1.11.555

Compiler and Version used

clang v16.0.6

Operating System and version

Linux Mint 22.1 (essentially equivalent to Ubuntu 24.04)

@justinpombrio justinpombrio added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 8, 2025
@sbiscigl
Copy link
Contributor

sbiscigl commented May 16, 2025

Dug into this a little bit; the root cause is the INI format, and whether or not a # can live in an INI file.

according to some docs on INI comments

Some INI dialects furthermore allow use of the number sign (#, ASCII 0x23) to denote a comment, mirroring Unix shell comments.

So in an INI file that looks like

[profile MyTestProfile]
sso_start_url = https://some-start-url.com#this is technically a comment

we interpret the hash symbol as a comment ignoring everything after it.

The aws cli documentation on the subject says

Lines can be commented out by starting the line with a hash character

We accept it anywhere in the line and ignore everything after it. Let me sync with the CLI team to get a consensus on who's doing it right and wrong, and accept a standard way going forward.

Note: Go also saw this a bit ago; will likely propose their same solution.
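To make the two parsing rules above concrete, and to show how they produce the filename mismatch described in the opening report, here is an added Python example (not code from the issue, the AWS CLI, or the C++ SDK). It parses a constructed ~/.aws/config fragment twice: once treating # as a comment only at the start of a line (the rule the CLI documentation quotes), and once treating # anywhere in a line as the start of a comment (the rule sbiscigl describes for the C++ SDK). It then derives the SSO token cache filename the way the AWS CLI does for legacy (non sso-session) profiles, SHA-1 of the UTF-8 start URL plus .json, and reports whether the two readers would look for the same file. The parser is a minimal reader written for this example, not the SDK's INI code; the assumption that the C++ SDK hashes the start URL the same way is taken from the report, not verified here.

```python
import hashlib

# Constructed sample config for this example; the trailing "#" on
# sso_start_url is the shape of URL that triggered the issue.
SAMPLE_CONFIG = """\
# a full-line comment: every reader agrees this line is ignored
[profile MyTestProfile]
sso_start_url = https://some-start-url.com/#
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = ReadOnly
region = us-east-1
"""


def parse_ini(text: str, inline_comments: bool) -> dict:
    """Minimal INI reader covering only what this issue needs.

    inline_comments=False: '#' or ';' starts a comment only at the beginning
                           of a line (the AWS CLI documentation's rule).
    inline_comments=True:  a '#' anywhere in a line discards the rest of it
                           (the C++ SDK behaviour described in this issue).
    """
    profiles: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or full-line comment
        if inline_comments:
            line = line.split("#", 1)[0].rstrip()
            if not line:
                continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            profiles[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # tolerate stray lines outside a section
        key, value = (part.strip() for part in line.split("=", 1))
        profiles[current][key] = value
    return profiles


def sso_cache_filename(start_url: str) -> str:
    """Legacy AWS CLI SSO cache file name: sha1 hex of the start URL + '.json'."""
    return hashlib.sha1(start_url.encode("utf-8")).hexdigest() + ".json"


def compare_readers(config_text: str, profile: str) -> dict:
    """Parse the same config both ways and compare the cache files they imply."""
    cli_url = parse_ini(config_text, inline_comments=False)[profile]["sso_start_url"]
    sdk_url = parse_ini(config_text, inline_comments=True)[profile]["sso_start_url"]
    cli_file = sso_cache_filename(cli_url)
    sdk_file = sso_cache_filename(sdk_url)
    return {
        "cli_url": cli_url,
        "sdk_url": sdk_url,
        "cli_cache_file": cli_file,
        "sdk_cache_file": sdk_file,
        "match": cli_file == sdk_file,
    }


if __name__ == "__main__":
    result = compare_readers(SAMPLE_CONFIG, "profile MyTestProfile")
    for key, value in result.items():
        print(f"{key:15} {value}")
```

With the trailing #, the line-start reader keeps https://some-start-url.com/# while the inline-comment reader keeps https://some-start-url.com/, so the two SHA-1 names differ and a token written by aws sso login is never found by the other reader, which is consistent with the AccessDenied in the report rather than an explicit "no cached token" failure. Removing the # from the URL (or, per the fix merged for this issue, agreeing on one comment rule) makes the two filenames match again.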

@sbiscigl sbiscigl added p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels May 16, 2025
@sbiscigl sbiscigl added the needs-review This issue or pull request needs review from a core team member. label May 20, 2025
@sbiscigl
Copy link
Contributor

merged now, should be working as expected, give a shot and let us know if you see any issues!
