DynamoDB SSO connect fails with modern sso-session profiles #1333

Description

@gustaferiksson

What happened?

Trying to connect to DynamoDB using SSO + a profile that uses an sso-session block in ~/.aws/config. Right after running aws sso login --profile my-profile successfully, TablePro errors with:

Authentication failed: SSO cache file not found for profile 'my-profile' at /Users/<me>/.aws/cli/cache/<sha1>.json. Run 'aws sso login --profile my-profile' first.

But I just did. Turns out aws sso login only writes the OIDC token to ~/.aws/sso/cache/. The ~/.aws/cli/cache/ file the plugin is looking for only gets created lazily once some AWS CLI/SDK command actually does the GetRoleCredentials exchange. So directly after aws sso login that directory doesn't even exist yet.

If I then run aws sts get-caller-identity --profile my-profile, the cache file does show up, with exactly the sha1 filename the plugin computes, so that part is right. But now I get a different error:

Authentication failed: SSO cache file for profile 'my-profile' is missing credential fields. Run 'aws sso login --profile my-profile' first.

The file is there and looks fine. Contents:

{
  "ProviderType": "sso",
  "Credentials": {
    "AccessKeyId": "...",
    "SecretAccessKey": "...",
    "SessionToken": "...",
    "Expiration": "...",
    "AccountId": "..."
  }
}

In resolveSsoCredentials() (in Plugins/DynamoDBDriverPlugin/DynamoDBConnection.swift) the parse reads json["AccessKeyId"], json["SecretAccessKey"], json["SessionToken"] at the top level, but they live under Credentials. So the parse can never succeed against a real AWS CLI cache file.

Steps to reproduce

  1. ~/.aws/config with a modern sso-session profile:
    [sso-session my-sso]
    sso_start_url = https://<org>.awsapps.com/start#/
    sso_region = eu-west-1
    sso_registration_scopes = sso:account:access
    
    [profile my-profile]
    sso_session = my-sso
    sso_account_id = 111111111111
    sso_role_name = AWSAdministratorAccess
    region = eu-west-1
  2. rm -rf ~/.aws/cli/cache && aws sso login --profile my-profile
  3. Connect in TablePro → "SSO cache file not found".
  4. aws sts get-caller-identity --profile my-profile to force the cache to be populated.
  5. Reconnect → "SSO cache file ... is missing credential fields".

Expected behavior

aws sso login --profile <p> should be enough to connect.

Database type

N/A

TablePro version

0.43.0

macOS version & chip

macOS 26.3.1 / Apple Silicon

Screenshots / Logs

No response
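
Added example (not part of the original issue and not TablePro's code): a parser for the cache-file layout quoted above that reads the key fields from under Credentials and reports the names of missing fields without echoing any values. The type and function names are hypothetical, and the sample JSON is constructed with placeholder values.

```swift
import Foundation

// Added example, not TablePro code; all type and function names are hypothetical.
struct CachedRoleCredentials {
    let accessKeyId: String
    let secretAccessKey: String
    let sessionToken: String
    let expiration: String?  // kept opaque: the issue elides its value and format
}

enum CacheParseError: Error {
    case notJSONObject
    case missingCredentialsObject
    case missingFields([String])  // field names only, never secret values
}

func parseCLICacheEntry(_ data: Data) throws -> CachedRoleCredentials {
    guard let root = (try? JSONSerialization.jsonObject(with: data)) as? [String: Any] else {
        throw CacheParseError.notJSONObject
    }
    // The credential fields sit under "Credentials", not at the top level.
    guard let creds = root["Credentials"] as? [String: Any] else {
        throw CacheParseError.missingCredentialsObject
    }
    func field(_ key: String) -> String? {
        guard let value = creds[key] as? String, !value.isEmpty else { return nil }
        return value
    }
    let missing = ["AccessKeyId", "SecretAccessKey", "SessionToken"].filter { field($0) == nil }
    guard let keyId = field("AccessKeyId"), let secret = field("SecretAccessKey"),
          let token = field("SessionToken") else {
        throw CacheParseError.missingFields(missing)
    }
    return CachedRoleCredentials(accessKeyId: keyId, secretAccessKey: secret,
                                 sessionToken: token, expiration: field("Expiration"))
}

// Constructed sample in the layout quoted in the issue; placeholder values, not real keys.
let nested = Data(#"{"ProviderType":"sso","Credentials":{"AccessKeyId":"EXAMPLE-ID","SecretAccessKey":"EXAMPLE-SECRET","SessionToken":"EXAMPLE-TOKEN","Expiration":"EXAMPLE-TIME","AccountId":"111111111111"}}"#.utf8)
// Constructed flat file: the shape a top-level lookup would need.
let flat = Data(#"{"AccessKeyId":"EXAMPLE-ID","SecretAccessKey":"EXAMPLE-SECRET","SessionToken":"EXAMPLE-TOKEN"}"#.utf8)

for (label, sample) in [("nested", nested), ("flat", flat)] {
    do {
        let creds = try parseCLICacheEntry(sample)
        print("\(label): parsed, access key id has \(creds.accessKeyId.count) characters")
    } catch {
        print("\(label): rejected with \(error)")
    }
}
```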
