aws dsql generates invalid tokens instead of erroring when credentials are missing

[dhunganabibek]

Describe the bug

Issue: aws dsql generates invalid tokens instead of erroring when credentials are missing

Description
The aws dsql command silently fails by generating a token (which is functionally invalid) when the default AWS profile is unset. Standard commands (like s3) correctly raise an error immediately.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

The DSQL command should validate credentials and raise an error (e.g., InvalidAccessKeyId or ProfileNotFound) instead of outputting a silent, useless token. This ensures users are aware their authentication has failed before they attempt to use the invalid token.

Current Behavior

Provide an invalid token that does not work.

Reproduction Steps

Reproduction Steps

1. Ensure the default AWS profile or environment variables are unset.

Command 1: S3 (Expected Behavior)

aws s3 ls

Output:
An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation...

Command 2: DSQL (Confusing Behavior) in macOS: 26.2 (have not checked in Windows or Linux)*

aws dsql generate-db-connect-admin-auth-token --expire 3600 --hostname example.dsql.us-east-1.on.aws

Output:
Returns a token string (It gives a token, but does not work)

I know if you use --profile <profile_name>, it works. It's just super confusing when you forget to set up the default profile.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.28.21 Python/3.13.7 Darwin/25.2.0 exe/x86_64

Environment details (OS name and version, etc.)

macOS: 26.2

[RyanFitzSimmonsAK]

Hi @dhunganabibek, thanks for reaching out. It looks like in your testing, your credentials weren't missing, they were invalid.

If credentials are missing entirely, aws dsql throws an error as expected.

C:\Users\rtsfitz>aws s3 ls

Unable to locate credentials. You can configure credentials by running "aws login".

C:\Users\rtsfitz>aws dsql generate-db-connect-admin-auth-token --expire 3600 --hostname example.dsql.us-east-1.on.aws

Unable to locate credentials. You can configure credentials by running "aws login".

Could you add --debug to your command, and verify if the CLI is finding credentials anywhere? The credentials resolution looks like the following:

2026-01-15 15:34:00,234 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2026-01-15 15:34:00,234 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2026-01-15 15:34:00,234 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2026-01-15 15:34:00,234 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2026-01-15 15:34:00,234 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2026-01-15 15:34:00,235 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: login
2026-01-15 15:34:00,235 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: custom-process
2026-01-15 15:34:00,235 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: config-file
2026-01-15 15:34:00,236 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: ec2-credentials-file
2026-01-15 15:34:00,236 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: boto-config
2026-01-15 15:34:00,236 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: container-role
2026-01-15 15:34:00,236 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role

[dhunganabibek]

@RyanFitzSimmonsAK
Right, sorry for the confusion. Yes, they were invalid or expired, located in cat ~/.aws/credentials.

something like this:
[default]
aws_access_key_id = ***************
aws_secret_access_key = ********************

I ran this command, and it output something is wrong, which is nice.

aws s3 ls  

An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.

AWS dsql silently gave me a wrong token. I think a valid error message(like in S3) would be meaningful.

aws dsql generate-db-connect-admin-auth-token --expire 3600 --hostname example.dsql.us-east-1.on.aws 

example.dsql.us-east-1.on.aws/?Action=DbConnectAdmin&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAUN23WIZDHAGYPTMW%2F20260116%2Fus-east-1%2Fdsql%2Faws4_request&X-Amz-Date=20260116T000927Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e305bc70b9c5ad255ce674b8ee36bdbd29dc0bb2b5a9a3022bf41aa3724335c