
aws login fails at CreateOAuth2Token with ValidationException - Starting 4/29 #10267

Description

@Pachwenko

Describe the bug

As of 2026-04-29, I have been unable to use aws login for any purpose. Before then, it worked perfectly fine. The browser successfully authenticates, but the CLI instantly fails at the token exchange with an INVALID_REQUEST error.

Troubleshooting steps already taken:

  • Removed login_session lines from ~/.aws/config to ensure a clean state.
  • Cleared SSO cache files (rm -rf ~/.aws/sso/cache/*) and the main CLI cache.
  • Uninstalled and re-installed the AWS CLI; installed with node instead of python, and also with Homebrew.
  • Tested aws login both with and without the --remote flag. Both successfully retrieve the auth code but fail at the CLI exchange.
  • Logged in and out of the AWS Console in my browser to ensure a fresh session. Tried both Chrome and Firefox, including Private/Incognito windows.
  • Checked that my computer clock is synced and valid.
  • Confirmed multiple coworkers tried this and are getting the exact same error.

Environment and Account Context:

  • CLI Version: aws-cli/2.34.38 Python/3.14.4 Darwin/25.4.0 exe/arm64
  • Account Type: Standard IAM user logging in at https://imtapps.signin.aws.amazon.com/console/ with username/password and YubiKey MFA.
  • Permissions: All affected users have the SignInLocalDevelopmentAccess managed policy, and I have tested this with full AdministratorAccess ("Action": "*", "Resource": "*") to rule out any permission denials.

Debug Logs

Last login: Wed Apr 29 15:36:34 on ttys029
aws%
/Users/me → aws login --remote --debug
2026-04-30 07:27:09,737 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.34.38 Python/3.14.4 Darwin/25.4.0 exe/arm64
2026-04-30 07:27:09,737 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['login', '--remote', '--debug']
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x10bb317a0>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x10b83ef00>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x10b773740>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x10b78b5e0>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x10b9d8510>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.login.login.LoginCommand'>>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.login.logout.LogoutCommand'>>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x10bb4d430>
2026-04-30 07:27:09,783 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x10bbf0590>>
2026-04-30 07:27:09,783 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/data/cli.json
2026-04-30 07:27:09,784 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x10b98be20>
2026-04-30 07:27:09,784 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x10b9ac250>
2026-04-30 07:27:09,784 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x10b9ac1a0>
2026-04-30 07:27:09,784 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x10b9ac3b0>
2026-04-30 07:27:09,784 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x10b9ac300>
2026-04-30 07:27:09,784 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x10bbeea00>
2026-04-30 07:27:09,784 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.34.38 Python/3.14.4 Darwin/25.4.0 exe/arm64
2026-04-30 07:27:09,784 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['login', '--remote', '--debug']
2026-04-30 07:27:09,784 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x10bb4c9e0>
2026-04-30 07:27:09,784 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x10a492980>
2026-04-30 07:27:09,784 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x10b5dc5c0>
2026-04-30 07:27:09,785 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x10b576a30>
2026-04-30 07:27:09,785 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x10b5dc040>
2026-04-30 07:27:09,787 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2026-04-30 07:27:09,790 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x10b9ac7d0>
2026-04-30 07:27:09,790 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x10b835c70>
2026-04-30 07:27:09,791 - MainThread - botocore.hooks - DEBUG - Event building-command-table.login: calling handler <function add_waiters at 0x10bb4d430>
2026-04-30 07:27:09,791 - MainThread - botocore.hooks - DEBUG - Event building-command-table.login: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x10bbf0590>>
2026-04-30 07:27:09,791 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.login.remote: calling handler <awscli.paramfile.URIArgumentHandler object at 0x10bbf1010>
2026-04-30 07:27:09,791 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.login: calling handler <awscli.argprocess.ParamShorthandParser object at 0x10ba9a120>
2026-04-30 07:27:09,792 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/botocore/data/endpoints.json
2026-04-30 07:27:09,798 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x109af8d50>
2026-04-30 07:27:09,826 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/botocore/data/signin/2023-01-01/service-2.json
2026-04-30 07:27:09,844 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/botocore/data/signin/2023-01-01/endpoint-rule-set-1.json
2026-04-30 07:27:09,844 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/botocore/data/partitions.json
2026-04-30 07:27:09,844 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.signin: calling handler <function add_generate_presigned_url at 0x10a157b60>
2026-04-30 07:27:09,844 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for signin via: environment_service
2026-04-30 07:27:09,844 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for signin via: environment_global
2026-04-30 07:27:09,844 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for signin via: config_service
2026-04-30 07:27:09,844 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for signin via: config_global
2026-04-30 07:27:09,844 - MainThread - botocore.configprovider - DEBUG - No configured endpoint found.
2026-04-30 07:27:09,845 - MainThread - botocore.regions - DEBUG - Creating a regex based endpoint for signin, us-west-2
2026-04-30 07:27:09,845 - MainThread - botocore.endpoint - DEBUG - Setting signin timeout as (60, 60)
2026-04-30 07:27:09,895 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.signin.CreateOAuth2Token: calling handler <function base64_decode_input_blobs at 0x10b5dc930>
2026-04-30 07:27:09,895 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.signin.CreateOAuth2Token: calling handler <function generate_idempotent_uuid at 0x10a1e5900>
2026-04-30 07:27:09,895 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.signin.CreateOAuth2Token: calling handler <function _handle_request_validation_mode_member at 0x10a208930>
2026-04-30 07:27:09,896 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'UseDualStack': False, 'UseFIPS': False, 'Region': 'us-west-2'}
2026-04-30 07:27:09,896 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://us-west-2.signin.aws.amazon.com
2026-04-30 07:27:09,896 - MainThread - botocore.hooks - DEBUG - Event before-call.signin.CreateOAuth2Token: calling handler <function inject_api_version_header_if_needed at 0x10a1e7690>
2026-04-30 07:27:09,896 - MainThread - botocore.hooks - DEBUG - Event before-call.signin.CreateOAuth2Token: calling handler functools.partial(<function _extract_resolved_endpoint at 0x10ba4c7d0>, result={})
2026-04-30 07:27:09,896 - MainThread - botocore.hooks - DEBUG - Event after-call.signin.CreateOAuth2Token: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x10c360c20>>
Browser will not be automatically opened.
Please visit the following URL:

https://us-west-2.signin.aws.amazon.com/v1/authorize?response_type=code&client_id=arn%3Aaws%3Asignin%3A%3A%3Adevtools%2Fcross-device&state=<REDACTED>&code_challenge_method=SHA-256&scope=openid&redirect_uri=https%3A%2F%2Fus-west-2.signin.aws.amazon.com%2Fv1%2Fsessions%2Fconfirmation&code_challenge=<REDACTED>

Enter the authorization code displayed in your browser: <REDACTED>
2026-04-30 07:27:24,676 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.signin.CreateOAuth2Token: calling handler <function base64_decode_input_blobs at 0x10b5dc930>
2026-04-30 07:27:24,677 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.signin.CreateOAuth2Token: calling handler <function generate_idempotent_uuid at 0x10a1e5900>
2026-04-30 07:27:24,677 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.signin.CreateOAuth2Token: calling handler <function _handle_request_validation_mode_member at 0x10a208930>
2026-04-30 07:27:24,677 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'UseDualStack': False, 'UseFIPS': False, 'Region': 'us-west-2'}
2026-04-30 07:27:24,677 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://us-west-2.signin.aws.amazon.com
2026-04-30 07:27:24,677 - MainThread - botocore.hooks - DEBUG - Event before-call.signin.CreateOAuth2Token: calling handler <function build_add_dpop_header_handler.<locals>._add_dpop_header_handler at 0x10bbd6560>
2026-04-30 07:27:24,682 - MainThread - botocore.hooks - DEBUG - Event before-call.signin.CreateOAuth2Token: calling handler <function inject_api_version_header_if_needed at 0x10a1e7690>
2026-04-30 07:27:24,682 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=CreateOAuth2Token) with params: {'url_path': '/v1/token', 'query_string': {}, 'method': 'POST', 'headers': {'Content-Type': 'application/json', 'User-Agent': 'aws-cli/2.34.38 md/awscrt#0.32.2 ua/2.1 os/macos#25.4.0 md/arch#arm64 lang/python#3.14.4 md/pyimpl#CPython m/Z,AB,E,b cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#login', 'DPoP': '<REDACTED>'}, 'body': b'{"clientId": "arn:aws:signin:::devtools/cross-device", "grantType": "authorization_code", "code": "<REDACTED>", "codeVerifier": "<REDACTED>", "redirectUri": "https://us-west-2.signin.aws.amazon.com/v1/sessions/confirmation"}', 'url': 'https://us-west-2.signin.aws.amazon.com/v1/token', 'context': {'client_region': 'us-west-2', 'client_config': <botocore.config.Config object at 0x10bc2d950>, 'has_streaming_input': False, 'auth_type': 'none', 'unsigned_payload': None, 'auth_options': ['aws.auth#sigv4']}}
2026-04-30 07:27:24,683 - MainThread - botocore.hooks - DEBUG - Event request-created.signin.CreateOAuth2Token: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x10bc2b4d0>>
2026-04-30 07:27:24,683 - MainThread - botocore.hooks - DEBUG - Event choose-signer.signin.CreateOAuth2Token: calling handler <function set_operation_specific_signer at 0x10a1e5640>
2026-04-30 07:27:24,683 - MainThread - botocore.hooks - DEBUG - Event request-created.signin.CreateOAuth2Token: calling handler <bound method UserAgentString.rebuild_and_replace_user_agent_handler of <botocore.useragent.UserAgentString object at 0x10bc2e990>>
2026-04-30 07:27:24,683 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://us-west-2.signin.aws.amazon.com/v1/token, headers={'Content-Type': b'application/json', 'User-Agent': b'...', 'DPoP': b'<REDACTED>', 'Content-Length': '1819'}>
2026-04-30 07:27:24,684 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/aws-cli/awscli/botocore/cacert.pem
2026-04-30 07:27:24,684 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): us-west-2.signin.aws.amazon.com:443
2026-04-30 07:27:25,021 - MainThread - urllib3.connectionpool - DEBUG - https://us-west-2.signin.aws.amazon.com:443 "POST /v1/token HTTP/1.1" 400 None
2026-04-30 07:27:25,022 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Thu, 30 Apr 2026 14:27:25 GMT', 'Content-Type': 'application/json', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'X-Amzn-RequestId': 'X-Amzn-Trace-Id=Root=1-69f366cc-7243f0791749365a37901e8a;RequestId=ee218d1c-5b07-42de-8a61-9cc31bbc04ab', 'Set-Cookie': '<REDACTED>', 'X-Frame-Options': 'DENY', 'X-UA-Compatible': 'IE=Edge', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Content-Type-Options': 'nosniff', 'X-XSS-Protection': '1; mode=block', 'Cache-Control': 'no-store', 'Content-Security-Policy': "default-src 'none' https://*.monitoring.iam.signin.aws https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://*.analytics.console.aws.a2z.com https://*.feedback.console.aws.dev 'nonce-bsa+wJC5SEgjEbFBaj0Nww=='; script-src 'self' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://d1dgtfo2wk29o4.cloudfront.net/fwcim.js https://m.media-amazon.com https://l0.awsstatic.com https://images-na.ssl-images-amazon.com 'report-sample' https://cdn.us-west-2.threat-mitigation.aws.amazon.com 'nonce-bsa+wJC5SEgjEbFBaj0Nww=='; style-src 'self' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://aws-signin-website-assets.s3.amazonaws.com https://l0.awsstatic.com https://images-na.ssl-images-amazon.com 'unsafe-inline'; font-src data: 'self'; img-src 'self' data: https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://opfcaptcha-prod.s3.amazonaws.com https://amcs-captcha-prod-us-west-2.s3.us-west-2.amazonaws.com https://images-na.ssl-images-amazon.com https://d1.awsstatic.com https://internal-cdn.amazon.com https://media.amazonwebservices.com https://d36cz9buwru1tt.cloudfront.net https://d0.awsstatic.com; media-src 'self' https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://media.amazonwebservices.com https://d36cz9buwru1tt.cloudfront.net https://opfcaptcha-prod.s3.amazonaws.com https://amcs-captcha-prod-us-west-2.s3.us-west-2.amazonaws.com; frame-src 'self' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://*.analytics.console.aws.a2z.com https://cdn.us-west-2.threat-mitigation.aws.amazon.com; report-uri /metrics/cspreport; base-uri 'none'; upgrade-insecure-requests;", 'X-Amzn-Errortype': 'ValidationException', 'vary': 'accept-encoding', 'Server': 'Server'}
2026-04-30 07:27:25,022 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"error":"INVALID_REQUEST","message":"The provided authorization grant is invalid, expired, revoked, or malformed"}'
2026-04-30 07:27:25,024 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "awscli/clidriver.py", line 550, in main
  File "awscli/customizations/commands.py", line 207, in __call__
  File "awscli/customizations/login/login.py", line 135, in _run_main
  File "awscli/customizations/login/utils.py", line 304, in fetch_token
  File "awscli/customizations/login/utils.py", line 112, in _exchange_auth_code_for_access_token
  File "awscli/botocore/client.py", line 442, in _api_call
  File "awscli/botocore/context.py", line 124, in wrapper
  File "awscli/botocore/client.py", line 932, in _make_api_call
botocore.errorfactory.ValidationException: An error occurred (ValidationException) when calling the CreateOAuth2Token operation: The provided authorization grant is invalid, expired, revoked, or malformed

aws: [ERROR]: An error occurred (ValidationException) when calling the CreateOAuth2Token operation: The provided authorization grant is invalid, expired, revoked, or malformed

Additional error details:
error: INVALID_REQUEST

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

aws login does not error out unexpectedly

Current Behavior

-> /usr/local/bin/aws login
Attempting to open your default browser. If the browser does not open, open the following URL.
If you are unable to open the URL on this device, run this command again with the '--remote' option.

https://us-west-2.signin.aws.amazon.com/v1/authorize?response_type=code&client_id=arn%3Aaws%3Asignin%3A%3A%3Adevtools%2Fsame-device&state=e1ec3aa7-a6d4-417b-924e-94413bfdcb73&code_challenge_method=SHA-256&scope=openid&redirect_uri=http%3A%2F%2F127.0.0.1%3A56920%2Foauth%2Fcallback&code_challenge=d-xH1BtwXYo78jGKvfawi8hA3qLt6o4pOXxU0ZFR2qU

aws: [ERROR]: An error occurred (ValidationException) when calling the CreateOAuth2Token operation: The provided authorization grant is invalid, expired, revoked, or malformed

Additional error details:
error: INVALID_REQUEST

My browser session is valid and new; it does not seem to matter what browser I use. I click the link and the button in under a minute, so it shouldn't be a timing issue.

Reproduction Steps

Execute aws login with a regular IAM user. Open the link, click on "Continue with an active session", now the terminal shows the error I showed.

Possible Solution

I'm guessing a team changed the AWS verification code format but the CLI has not been updated to support it yet.

Additional Information/Context

No response

CLI version used

2.34.38

Environment details (OS name and version, etc.)

Darwin/25.4.0 exe/arm64
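The exchange visible in the debug log is a standard OAuth 2.0 authorization-code flow with PKCE: the authorize URL carries a code_challenge (with code_challenge_method=SHA-256), and the CreateOAuth2Token body carries the matching codeVerifier together with the same clientId and redirectUri. Before attributing "The provided authorization grant is invalid, expired, revoked, or malformed" to the service, a practitioner would want to rule out the client-side mismatches that produce the same error on any OAuth server: a verifier that does not hash to the committed challenge, or a redirect_uri/client_id in the token request that differs from the authorize request. The script below, added here as an illustration and not taken from the AWS CLI source, reproduces that client-side bookkeeping: it generates an RFC 7636 S256 verifier/challenge pair, builds an authorize URL with the same parameter names and client_id/redirect_uri values as the log, builds a token-request body in the same JSON shape, and checks the two against each other. The endpoint URLs, client_id and redirect_uri are copied from the log; the DPoP proof header the CLI also attaches is not reproduced, and nothing here talks to the network.

```python
"""
Client-side PKCE consistency check for the aws login authorization-code flow.

Constructed example, not AWS CLI code. Endpoints, client_id and redirect_uri
are the values that appear in the --remote debug log on this issue; the DPoP
header the CLI sends is deliberately omitted.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://us-west-2.signin.aws.amazon.com/v1/authorize"  # from the log
TOKEN_URL = "https://us-west-2.signin.aws.amazon.com/v1/token"          # from the log
CLIENT_ID_REMOTE = "arn:aws:signin:::devtools/cross-device"             # from the log
REDIRECT_URI_REMOTE = "https://us-west-2.signin.aws.amazon.com/v1/sessions/confirmation"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str,
                        client_id: str = CLIENT_ID_REMOTE,
                        redirect_uri: str = REDIRECT_URI_REMOTE) -> str:
    """Same parameter names and order as the URL the CLI prints."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "state": state,
        # The CLI spells the method "SHA-256"; RFC 7636 names the same transform S256.
        "code_challenge_method": "SHA-256",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "code_challenge": challenge_for(verifier),
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(code: str, verifier: str,
                        client_id: str = CLIENT_ID_REMOTE,
                        redirect_uri: str = REDIRECT_URI_REMOTE) -> dict:
    """Same JSON shape as the CreateOAuth2Token body in the debug log."""
    return {
        "clientId": client_id,
        "grantType": "authorization_code",
        "code": code,
        "codeVerifier": verifier,
        "redirectUri": redirect_uri,
    }


def verifier_matches_url(verifier: str, authorize_url: str) -> bool:
    """True if the verifier we hold hashes to the challenge the authorize URL committed to."""
    qs = parse_qs(urlparse(authorize_url).query)
    return qs.get("code_challenge", [None])[0] == challenge_for(verifier)


def token_request_consistent(authorize_url: str, token_body: dict, verifier: str) -> list:
    """Return the names of fields that disagree between the two legs of the flow.

    An empty list means the token request is internally consistent, so an
    'invalid grant' answer cannot be explained by a client-side PKCE,
    redirect_uri or client_id mismatch.
    """
    qs = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    problems = []
    if token_body.get("clientId") != qs.get("client_id"):
        problems.append("client_id")
    if token_body.get("redirectUri") != qs.get("redirect_uri"):
        problems.append("redirect_uri")
    if token_body.get("codeVerifier") != verifier or challenge_for(verifier) != qs.get("code_challenge"):
        problems.append("pkce")
    if token_body.get("grantType") != "authorization_code":
        problems.append("grant_type")
    return problems


if __name__ == "__main__":
    v = make_verifier()
    url = build_authorize_url(v, state="constructed-state")
    body = build_token_request("<code-from-browser>", v)
    print(url)
    print(json.dumps(body, indent=2))
    print("consistent:", token_request_consistent(url, body, v) == [])
```

If the checks pass for a captured authorize URL and token body (replace the redacted values with real ones from your own --debug run) and the service still returns INVALID_REQUEST, the remaining candidates are on the server side or in the parts the CLI adds that this script does not model, such as the DPoP proof and the authorization code's lifetime and single-use status.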

Metadata

Labels

  • bug: This issue is a bug.
  • login
  • p0: This issue is the highest priority.
  • service-api: This issue is due to a problem in a service API, not the SDK implementation.
