Cannot authenticate using SSO/Identity Center: "missing required scope: sso:account:access"

[alencar]

Problem

AWS Toolkit for VSCode fails to use AWS Identity Center SSO

Log

2025-03-08 11:31:59.102 [info] auth: Updating connection state of profile:awsicsso to authenticating
2025-03-08 11:31:59.102 [info] auth: Handling validation error of connection: profile:awsicsso
2025-03-08 11:31:59.102 [info] auth: Updating connection state of profile:awsicsso to invalid
2025-03-08 11:31:59.103 [error] _aws.toolkit.auth.reauthenticate: Error: Unable to authenticate connection
	 -> Error: Session for "awsicsso" is missing required scope: sso:account:access

Configuration

~/.aws/config (redacted)

[sso-session sso]
sso_region = us-east-2
sso_start_url = https://d-123example.awsapps.com/start
sso_registration_scope = sso:account:access

[profile awsicsso]
sso_session = sso
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = ca-central-1
output = json

Steps to reproduce the issue

Expected behavior

Credential is accepted and plugin works

System details (run AWS: About and/or Amazon Q: About)

• OS: Darwin x64 24.3.0
• Visual Studio Code version: 1.97.0
• AWS Toolkit version: 3.46.0
• Amazon Q version: N/A

[justinmk3]

AWS Toolkit for VSCode currently doesn't support [sso-session] profile types:

• support sso-session in aws credentials config, for IdC (IAM Identity Center) profiles #3820

so that part of your config will be ignored. However, AWS Toolkit already requests sso:account:access scope by default:

aws-toolkit-vscode/packages/core/src/auth/connection.ts

Lines 98 to 101 in 1d79df7

	export function createSsoProfile(
	startUrl: string,
	region = 'us-east-1',
	scopes = [...scopesSsoAccountAccess]

Can you say a bit more about the exact steps you performed to login to IdC from AWS Toolkit?