AWS Java SDK
AWS SSO
profile configuration
authentication issue
cloud development

AWS Java SDK not finding profile when using AWS SSO

Master System Design with Codemia

Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.

Introduction

When the AWS Java SDK cannot find or use an AWS SSO profile, the problem is usually one of four things: the code is using the wrong profile name, the application is using an SDK version or modules that do not support IAM Identity Center credentials properly, the SSO login session was never established, or the program is not reading the shared AWS config profile you expected. The fix is to make the profile explicit, use the Java SDK v2 credential providers, and confirm the CLI SSO login completed before the SDK runs.

Understand Where SSO Profiles Live

AWS SSO profiles are typically stored in ~/.aws/config, not just in ~/.aws/credentials. A profile might look like this:

ini
1[profile my-sso]
2sso_session = my-sso-session
3sso_account_id = 123456789012
4sso_role_name = DeveloperAccess
5region = us-east-1
6
7[sso-session my-sso-session]
8sso_start_url = https://example.awsapps.com/start
9sso_region = us-east-1
10sso_registration_scopes = sso:account:access

If your code asks for my-profile but the config defines my-sso, the SDK is not going to guess your intent.

Use the AWS SDK for Java 2.x

Modern SSO profile support belongs in the Java SDK v2 credential chain. A straightforward client setup looks like this:

java
1import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
2import software.amazon.awssdk.regions.Region;
3import software.amazon.awssdk.services.s3.S3Client;
4
5public class Demo {
6    public static void main(String[] args) {
7        S3Client s3 = S3Client.builder()
8            .region(Region.US_EAST_1)
9            .credentialsProvider(ProfileCredentialsProvider.create("my-sso"))
10            .build();
11
12        System.out.println(s3.listBuckets().buckets().size());
13    }
14}

This is clearer than depending on whatever happens to be the current default profile.

Make Sure the SSO Session Exists

The SDK cannot use an SSO profile until you have logged in through the AWS CLI.

bash
aws sso login --profile my-sso

If the cached SSO token is missing or expired, the SDK may fail with a profile or credential-loading error even though the config file looks correct.

Let the Default Chain Use the Right Profile

If you do not want to hard-code the profile name, set it through environment or system properties.

bash
export AWS_PROFILE=my-sso

Or with Java:

bash
java -Daws.profile=my-sso -jar app.jar

Then the default credentials provider chain can resolve that profile.

Check Your Dependencies

For SSO-backed profiles in SDK v2, make sure the relevant auth modules are on the classpath. In practice that usually means your build includes the normal SDK auth pieces and the SSO support modules alongside the service client you are using.

If you are still on SDK v1, this is often the real reason the profile is “not found.” The old profile providers were built around static keys and role-based profiles, not today’s IAM Identity Center flow.

Troubleshoot the Actual Failure Mode

A few checks isolate the problem quickly:

  • verify the profile name in code matches the config file exactly
  • run aws sso login --profile my-sso
  • confirm the app uses Java SDK v2 credentials support
  • set AWS_PROFILE or use ProfileCredentialsProvider.create("my-sso")
  • inspect whether the process is running under a different home directory than you expected

The last point matters in containers and CI, where ~/.aws/config may not exist at all.

Common Pitfalls

  • Using an SSO profile name in code that does not match the config file.
  • Expecting ~/.aws/credentials alone to contain all SSO configuration.
  • Forgetting to run aws sso login before launching the Java application.
  • Using older SDK patterns that do not support IAM Identity Center credentials properly.
  • Debugging the Java code first when the real issue is a missing or expired CLI SSO session.

Summary

  • AWS SSO profiles are usually defined in the shared AWS config file.
  • Use AWS SDK for Java 2.x credential providers for SSO-backed profiles.
  • Log in first with aws sso login --profile ....
  • Make the profile explicit with ProfileCredentialsProvider, AWS_PROFILE, or aws.profile.
  • If the app still cannot load the profile, check the runtime home directory and SDK dependencies next.

Course illustration
Course illustration

All Rights Reserved.