fix(auth): SSO source profile authentication fails with invalid token error

packages/core/src/auth/providers/sharedCredentialsProvider.ts

@@ -408,10 +408,23 @@ export class SharedCredentialsProvider implements CredentialsProvider {
             }
             // Use source profile to assume IAM role based on role ARN provided.
             const sourceProfile = iniData[profile.source_profile!]
-            const stsClient = new DefaultStsClient(this.getDefaultRegion() ?? 'us-east-1', {
-                accessKeyId: sourceProfile.aws_access_key_id!,
-                secretAccessKey: sourceProfile.aws_secret_access_key!,
-            })
+
+            // Check if source profile has static credentials
+            let sourceCredentials: AWS.Credentials
+            if (sourceProfile.aws_access_key_id && sourceProfile.aws_secret_access_key) {
+                // Source profile has static credentials
+                sourceCredentials = {
+                    accessKeyId: sourceProfile.aws_access_key_id,
+                    secretAccessKey: sourceProfile.aws_secret_access_key,
+                    sessionToken: sourceProfile.aws_session_token,
+                }
+            } else {
+                // Source profile needs to be resolved (e.g., SSO profile)
+                const sourceProvider = new SharedCredentialsProvider(profile.source_profile!, this.sections)
+                sourceCredentials = await sourceProvider.getCredentials()
+            }
+
+            const stsClient = new DefaultStsClient(this.getDefaultRegion() ?? 'us-east-1', sourceCredentials)
             // Prompt for MFA Token if needed.
             const assumeRoleReq = {
                 RoleArn: profile.role_arn,

packages/core/src/test/credentials/provider/sharedCredentialsProvider.test.ts

@@ -516,6 +516,47 @@ describe('SharedCredentialsProvider', async function () {
             assert.strictEqual(creds.sessionToken, 'token')
         })
 
+        it('assumes role with SSO source profile', async function () {
+            const sections = await createTestSections(`
+                [profile default]
+                sso_account_id = 012345678910
+                sso_role_name = admin
+                sso_region = us-east-1
+                sso_registration_scopes = sso:account:access
+                sso_start_url = https://d-xxxxxxxxx.awsapps.com/start
+                region = us-east-1
+                output = json
+
+                [profile test]
+                source_profile = default
+                role_arn = testarn
+                region = us-east-1
+                `)
+
+            // Mock SSO credentials for the source profile
+            const ssoClient = stub(SsoClient, { region: 'us-east-1' })
+            ssoClient.getRoleCredentials.callsFake(async (request) => {
+                assert.strictEqual(request.accountId, '012345678910')
+                assert.strictEqual(request.roleName, 'admin')
+
+                return {
+                    accessKeyId: 'sso-access-key',
+                    secretAccessKey: 'sso-secret-key',
+                    sessionToken: 'sso-session-token',
+                    expiration: new Date(Date.now() + oneDay),
+                }
+            })
+            sandbox.stub(SsoClient, 'create').returns(ssoClient)
+            sandbox.stub(SsoAccessTokenProvider.prototype, 'getToken').resolves()
+            sandbox.stub(SsoAccessTokenProvider.prototype, 'createToken').resolves()
+
+            const sut = new SharedCredentialsProvider('test', sections)
+            const creds = await sut.getCredentials()
+            assert.strictEqual(creds.accessKeyId, 'id')
+            assert.strictEqual(creds.secretAccessKey, 'secret')
+            assert.strictEqual(creds.sessionToken, 'token')
+        })
+
         it('does not assume role when no roleArn is present', async function () {
             const sut = new SharedCredentialsProvider('default', await createTestSections(defaultSection))
             const creds = await sut.getCredentials()

packages/toolkit/.changes/next-release/sso-source-profile-fix.json

@@ -0,0 +1,4 @@
+{
+	"type": "Bug Fix",
+	"description": "Profiles sourced from SSO profiles fail to authenticate with 'invalid security token' error"
+}