Service specific endpoints don't work with SSO profiles #3538

drjaydenm opened this issue Nov 1, 2024 · 1 comment
Labels
bug This issue is a bug. credentials p2 This is a standard priority issue queued

drjaydenm commented Nov 1, 2024

Describe the bug

I'm seeing an issue where specifying service specific endpoints as per the documentation is not working when using a profile with SSO.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Service specific configuration works correctly with SSO profiles.

Current Behavior

Service-specific configuration like endpoint URLs aren't available to the client services (i.e. SQS) when set up on a profile using SSO.

Adding the service-specific configuration to the default profile, however, works correctly.

Reproduction Steps

~/.aws/config file:

[default]
region = ap-southeast-2

[sso-session app-sso]
sso_start_url = https://appsso.awsapps.com/start
sso_region = ap-southeast-2

[profile app-dev]
sso_session = app-sso
sso_account_id = 1234565768
sso_role_name = AWSAdministratorAccess
services = app-services

[services app-services]
sqs = 
  endpoint_url = http://localhost:9324

appsettings.json file:

"AWS": {
  "Region": "ap-southeast-2",
  "Profile": "app-dev"
}

Program.cs file:

builder.Services.AddDefaultAWSOptions(builder.Configuration.GetAWSOptions());
builder.Services.AddAWSService<IAmazonSQS>();

Possible Solution

I've stepped through the SDK a bit and it seems like the SharedCredentialsFile for the app-dev profile initially loads (which has the services NestedProperties available), but then gets swapped to the default profile further down the line by the time it makes its way to the SQS client.

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

Targeted .NET Platform

.NET 8

Operating System and version

Windows 11

@drjaydenm drjaydenm added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 1, 2024
@bhoradc bhoradc added needs-reproduction This issue needs reproduction. credentials p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Nov 3, 2024

bhoradc commented Nov 5, 2024

Hello @drjaydenm,

Thank you for reporting the issue. I am able to reproduce the scenario where the Service specific endpoint doesn't work with SSO profiles. Below is the minimal code sample (ASP.NET MVC web app) and configuration used for the same.

Program.cs:

using Amazon.SQS;
using Amazon.SSO;
namespace SSO_Issue
{
    public class Program
    {
        public static void Main(string[] args)
        {
            var builder = WebApplication.CreateBuilder(args);
            builder.Services.AddControllersWithViews();
            builder.Services.AddDefaultAWSOptions(builder.Configuration.GetAWSOptions());
            builder.Services.AddAWSService<IAmazonSQS>();
            builder.Services.AddAWSService<IAmazonSSO>();
            var app = builder.Build();
            if (!app.Environment.IsDevelopment())
            {
                app.UseExceptionHandler("/Service/Error");
                app.UseHsts();
            }
            app.UseHttpsRedirection();
            app.UseStaticFiles();
            app.UseRouting();
            app.UseAuthorization();
            app.MapControllerRoute(
                name: "default",
                pattern: "{controller=Service}/{action=Index}/{id?}");
            app.Run();
        }
    }
}

ServiceController.cs:

using Amazon.SQS;
using Microsoft.AspNetCore.Mvc;
using SSO_Issue.Models;
using System.Diagnostics;

namespace SSO_Issue.Controllers
{
    public class ServiceController : Controller
    {
        private IAmazonSQS SQSClient { get; set; }
        public ServiceController(IAmazonSQS sqsClient)
        {
            this.SQSClient = sqsClient;
        }
        public async Task<IActionResult> Index()
        {
            string queueName = "MyQueueName";
            var response = await SQSClient.GetQueueUrlAsync(queueName);
            string queueUrl = response.QueueUrl;
            Console.WriteLine($"The URL for {queueName} is: {response.QueueUrl}");
            this.ViewBag.QueueUrl = queueUrl;
            return View();
        }
        public IActionResult Privacy()
        {
            return View();
        }
        [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
        public IActionResult Error()
        {
            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
        }
    }
}

Index.cshtml:

@{
    ViewData["Title"] = "Home Page";
}
<div class="text-center">
    <h1 class="display-4">SSO Issue page</h1>
    QueueUrl: @ViewBag.QueueUrl
</div>

appsettings.json:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "AWS": {
    "Region": "us-east-1",
    "Profile": "app-dev"
  }
}

aws config file:

[default]
region = us-east-1
#services = app-services
[sso-session app-sso]
sso_start_url = https://d-****.awsapps.com/start
sso_region = us-east-1
[profile app-dev]
sso_session = app-sso
sso_account_id = account_id
sso_role_name = Squad**
services = app-services
[services app-services]
sqs = 
    endpoint_url = https://sqs.us-east-2.amazonaws.com:443

Packages used:

AWSSDK.Extensions.NETCore.Setup - 3.7.301
AWSSDK.SQS - 3.7.400.45
AWSSDK.SSO - 3.7.400.45
AWSSDK.SSOOIDC - 3.7.400.45

As you mentioned, I can also confirm that setting the service endpoint url works with the default profile. I will review this issue with the .NET SDK team to further investigate and root cause.

Regards,
Chaitanya

@bhoradc bhoradc added needs-review queued and removed needs-reproduction This issue needs reproduction. needs-review labels Nov 5, 2024
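
Added example (not part of the issue thread and not SDK code): a small Python parser for the shared config format used in the reproduction, which resolves the endpoint_url that a profile's services section defines so it can be compared with the endpoint a client really sends requests to. The function names and the sample text are constructed here, and the SDK's own parser may differ in details.

```python
import re

# Constructed sample mirroring the ~/.aws/config from the report above.
SAMPLE_CONFIG = """\
[default]
region = ap-southeast-2
[sso-session app-sso]
sso_start_url = https://appsso.awsapps.com/start
sso_region = ap-southeast-2
[profile app-dev]
sso_session = app-sso
services = app-services
[services app-services]
sqs =
  endpoint_url = http://localhost:9324
"""

def parse_shared_config(text):
    """Parse AWS shared-config text into {section: {key: value-or-nested-dict}}."""
    sections, current, parent = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line.strip())
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            parent = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if raw[0].isspace() and parent is not None:
            current[parent][key] = value   # indented line: nested property
        elif value == "":
            parent = key                   # "sqs =" opens a nested block
            current[key] = {}
        else:
            parent = None
            current[key] = value
    return sections

def expected_endpoint(sections, profile, service):
    """Return the endpoint_url the profile's services section defines, or None."""
    name = "default" if profile == "default" else f"profile {profile}"
    services_name = sections.get(name, {}).get("services")
    nested = sections.get(f"services {services_name}", {}).get(service, {})
    return nested.get("endpoint_url") if isinstance(nested, dict) else None
```

For the sample, `expected_endpoint(parse_shared_config(SAMPLE_CONFIG), "app-dev", "sqs")` gives the local endpoint while the same call for `default` gives `None`, which is the difference the report describes the client as losing.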