2

When using a simple AWS credentials file like this on Ubuntu Linux (credentials file: ~/.aws/credentials):

[leigh.m] # let's call this account ID: 1000 for simplicity
AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key

AWS Toolkit in VSCode works perfectly and I can access AWS resources via VSCode.

However, I need to assume roles across accounts (with a source 'root' profile controlling access to the other accounts via roles), which all have MFA set.

My ~/.aws/config file that facilitates this looks like:

[profile my-assumed-role-1] # let's say this has account ID: 2000
role_arn=arn:aws:iam::2000:role/AdminRole
source_profile=leigh.m
role_session_name=my-assumed-role-1-session-name
mfa_serial=arn:aws:iam::1000:mfa/leigh.m
duration_seconds=3600

This setup works perfectly well now and I can assume the role; for example, via the CLI I can list buckets in account 2000 by passing that profile, like: aws s3api list-buckets --profile my-assumed-role-1

However, when I try to access that named profile via AWS Toolkit in VSCode, I get these error messages in the AWS Toolkit logs:

Shared Credentials Profile leigh.m is not valid. It will not be used by the toolkit.

Failed to connect with "profile:my-assumed-role-1": Profile leigh.m is not a valid Credential Profile: Profile leigh.m is not supported by the Toolkit.

It appears to be looking for a Profile 'leigh.m', so I have tried adding to ~/.aws/config this section:

[profile leigh.m]
mfa_serial=arn:aws:iam::1000:mfa/leigh.m
region=eu-west-1
output=json

I also tried not using the config file and placing everything in the credentials file (as it appears to suggest here: https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/mfa-credentials.html).

But still the same issue. Anything I have missed?

(I did have a look to see if there were any questions already on S/O on the correct setup of AWS credentials for AWS Toolkit and MFA (as my AWS credentials and config files work correctly for all other requirements). This was the only question, from ~5 years ago: "Visual Studio AWS toolkit with multifactor authentication?", but it did not answer this, and there are no questions/answers on AWS Toolkit, MFA and assuming roles with named profiles.)

Leigh Mathieson

1 Answer

3

This is a VSCode AWS Toolkit bug; they are releasing a fix for this: https://github.com/aws/aws-toolkit-vscode/issues/2394

Summary: AWS Toolkit only works with lowercase keys, so this will not work:

AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key

When the fix is released it will work with caps & lowercase; of course, in the short term just change the credentials file to:

aws_access_key_id=some_access_key_id
aws_secret_access_key=some_secret_access_key

It will work as expected.

Leigh Mathieson
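A small checker for the workaround in the answer above, as an added example that is not part of the original post or of the AWS Toolkit: it reports settings whose key names are not lowercase and rewrites only the key names, leaving the case-sensitive secret values untouched. The function names and the sample file content are assumptions constructed for illustration.

```python
import re

# "[profile-name]" header, optionally followed by a trailing comment as in the question.
SECTION = re.compile(r"^\s*\[([^\]]+)\]")
# "key = value" line; group 2 is the key name, group 3 is everything from "=" onward.
SETTING = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*)(\s*=.*)$")

# Constructed sample mirroring the question's credentials file (values are placeholders).
SAMPLE = """\
[leigh.m] # constructed sample
AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=Some/Mixed+Case_Secret
"""

def find_uppercase_keys(text):
    """Return (line_no, profile, key) for each setting whose key is not all lowercase.

    Values are never returned, so the findings are safe to print or log.
    """
    findings, profile = [], None
    for no, line in enumerate(text.splitlines(), start=1):
        section = SECTION.match(line)
        if section:
            profile = section.group(1).strip()
            continue
        setting = SETTING.match(line)
        if setting and setting.group(2) != setting.group(2).lower():
            findings.append((no, profile, setting.group(2)))
    return findings

def lowercase_keys(text):
    """Lowercase key names only; values, comments and section headers are unchanged."""
    out = []
    for line in text.splitlines():
        setting = SETTING.match(line)
        if setting:
            line = setting.group(1) + setting.group(2).lower() + setting.group(3)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for no, profile, key in find_uppercase_keys(SAMPLE):
        print(f"line {no}: [{profile}] {key} -> {key.lower()}")
```

Lowercasing the whole file (for example with `tr`) would also alter the secret access key, which is case-sensitive; this is why only the key names are rewritten.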