Unable to retrieve credentials AWS Identity Center role when name contains an "@" #3477

@mkillik-wayspring

Describe the bug

I'm unable to use the C++ SDK if I'm using an AWS Identity Center role that contains an @ (at) symbol.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Able to retrieve credentials using the SSOCredentialsProvider

Current Behavior

It appears that the codebase is double HTML encoding the URL which turns the sso_role_name from Example@AccountName to Example%2540AccountName, rather than Example%40AccountName. This causes the request to get the federated credentials to fail.

[DEBUG] 2025-07-12 05:36:50.024 Aws::Config::ConfigFileProfileFSM [140737453699840] Found region us-east-1
[DEBUG] 2025-07-12 05:36:50.024 Aws::Config::ConfigFileProfileFSM [140737453699840] Found sso_account_id <SCRUBBED_ACCOUNT_ID>
[DEBUG] 2025-07-12 05:36:50.024 Aws::Config::ConfigFileProfileFSM [140737453699840] Found sso_role_name Example@AccountName
[INFO] 2025-07-12 05:36:50.024 Aws::Config::ConfigFileProfileFSM [140737453699840] Unknown property: sso_session in the profile: example
<SNIP>
[TRACE] 2025-07-12 05:36:50.054 SSOCredentialsProvider [140737453699840] Requesting credentials with AWS_ACCESS_KEY: 
[TRACE] 2025-07-12 05:36:50.056 SSOResourceClient [140737453699840] Retrieving credentials from https://portal.sso.us-east-1.amazonaws.com/federation/credentials?account_id=<SCRUBBED_ACCOUNT_ID>&role_name=Example%2540AccountName
[TRACE] 2025-07-12 05:36:50.057 CurlHttpClient [140737453699840] Making request to https://portal.sso.us-east-1.amazonaws.com/federation/credentials?account_id=<SCRUBBED_ACCOUNT_ID>&role_name=Example@AccountName

Reproduction Steps

I was able to reproduce this using the https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/cpp/example_code/s3/hello_s3/hello_s3.cpp file.

Possible Solution

It looks like the role name is being url encoded here:

httpRequest->AddQueryStringParameter("role_name", Aws::Utils::StringUtils::URLEncode(request.m_ssoRoleName.c_str()));

As well as here:

m_queryString.append(StringUtils::URLEncode(key) + "=" + StringUtils::URLEncode(value.c_str()));

When I update the following line

httpRequest->AddQueryStringParameter("role_name", Aws::Utils::StringUtils::URLEncode(request.m_ssoRoleName.c_str()));

to remove the URLEncode

httpRequest->AddQueryStringParameter("role_name", request.m_ssoRoleName.c_str());

everything then works, and I'm able to retrieve the credentials and use them to list my buckets.

I'm just not confident enough in my C++ skills to be positive that's how the code is flowing, or the other impacts of that change.

Additional Information/Context

No response

AWS CPP SDK version used

1.11.603

Compiler and Version used

gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-5)

Operating System and version

Amazon Linux 2023.7.20250623
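
The double encoding reported in this issue, reproduced as an added standalone example (not the SDK's code and not from the issue author). `percentEncode` and `QueryBuilder` are hypothetical stand-ins for the `StringUtils::URLEncode` call and the query-string append quoted in the issue; they assume RFC 3986 unreserved characters pass through unencoded.

```cpp
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// Percent-encode everything except RFC 3986 unreserved characters.
// Hypothetical stand-in for StringUtils::URLEncode, not the SDK's implementation.
std::string percentEncode(const std::string& in) {
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            out += static_cast<char>(c);
        } else {
            char buf[4];  // "%XX" plus terminator
            std::snprintf(buf, sizeof(buf), "%%%02X", static_cast<unsigned>(c));
            out += buf;
        }
    }
    return out;
}

// Hypothetical query builder that encodes key and value itself,
// mirroring the m_queryString.append(...) line quoted in the issue.
struct QueryBuilder {
    std::string query;
    void add(const std::string& key, const std::string& value) {
        query += (query.empty() ? "?" : "&");
        query += percentEncode(key) + "=" + percentEncode(value);
    }
};

// Caller pre-encodes, then the builder encodes again: '@' -> %40 -> %2540.
std::string buildDoubleEncoded(const std::string& role) {
    QueryBuilder q;
    q.add("role_name", percentEncode(role));
    return q.query;
}

// Caller passes the raw value; encoding happens exactly once, in the builder.
std::string buildSingleEncoded(const std::string& role) {
    QueryBuilder q;
    q.add("role_name", role);
    return q.query;
}

int main() {
    const std::string role = "Example@AccountName";  // role name from the issue
    std::cout << buildDoubleEncoded(role) << "\n" << buildSingleEncoded(role) << "\n";
    return 0;
}
```

The first line printed matches the `role_name=Example%2540AccountName` value in the `SSOResourceClient` trace above; the second is the `%40` form the reporter expected.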

Labels: bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.)
