use_aws tool ignores AWS_PROFILE environment variable, defaults to 'default' profile #2088

@bilalshirazi

Operating system

macOS 15.5.0 (24F74)

Expected behaviour

The tool documentation states it uses profiles "from ~/.aws/credentials" and "defaults to default profile if not specified", but:

  1. SSO profiles are stored in ~/.aws/config, not ~/.aws/credentials (this is correct AWS behavior)
  2. The tool should check AWS_PROFILE environment variable before defaulting to "default"
  3. AWS SDK/CLI precedence should be: explicit parameter > environment variable > default profile

Workaround

Currently, the only workaround is to explicitly specify the profile in every use_aws call:

profile_name: "<profile-name>"

Impact

  • Breaks expected AWS CLI behavior consistency
  • Forces users to manually specify profiles instead of using standard AWS environment variables
  • Particularly problematic for SSO users who rely on environment variables for profile switching

Proposed Solution

The use_aws tool should follow AWS CLI credential precedence:

  1. Explicit profile_name parameter (highest priority)
  2. AWS_PROFILE environment variable
  3. "default" profile (lowest priority)

This would make the tool consistent with standard AWS CLI behavior and eliminate the need for explicit profile specification when environment variables are properly set.

Additional Context

  • This issue specifically affects SSO authentication workflows
  • Standard AWS CLI commands work perfectly with the same configuration
  • The problem is reproducible with any SSO-configured profile when using environment variables

Actual behaviour

The use_aws tool ignores the AWS_PROFILE environment variable and always defaults to the "default" profile. Even with AWS_PROFILE=sandbox set in the environment, the tool shows "Profile name: default" instead of using the specified profile.



### Steps to reproduce

## Summary
The `use_aws` tool in Amazon Q Developer CLI ignores the `AWS_PROFILE` environment variable and defaults to the "default" profile, unlike the standard AWS CLI which properly respects environment variables.

## Environment
- **OS**: macOS (Darwin/24.5.0)
- **Amazon Q CLI Version**: q 1.12.1
- **AWS CLI Version**: aws-cli/2.27.40 Python/3.13.5 Darwin/24.5.0 source/arm64
- **Authentication Method**: AWS SSO (Single Sign-On)

## Current Behavior
When using AWS SSO authentication with `AWS_PROFILE=<profile-name>` environment variable set:

1. Standard AWS CLI commands work correctly:
   ```bash
   $ export AWS_PROFILE=<profile-name>
   $ aws sts get-caller-identity
   # ✅ Uses specified profile correctly
   ```
2. Amazon Q CLI `use_aws` tool ignores the environment variable:
   ```
   🛠️  Using tool: use_aws
   ● Running aws cli command:
   Service name: sts
   Operation name: get-caller-identity
   Profile name: default  # ❌ Should be "<profile-name>"
   Region: us-east-1
   ```

## Expected Behavior

The `use_aws` tool should respect the `AWS_PROFILE` environment variable, just like the standard AWS CLI does.

## Configuration Details

### ~/.aws/config (SSO Configuration)

```ini
[profile management]
sso_session = aws-sso
sso_account_id = <management-account-id>
sso_role_name = AWSAdministratorAccess
region = <region>

[profile sandbox]
sso_session = aws-sso
sso_account_id = <sandbox-account-id>
sso_role_name = AWSPowerUserAccess
region = <region>
output = json

[sso-session aws-sso]
sso_start_url = https://<your-sso-portal>.awsapps.com/start
sso_region = <region>
sso_registration_scopes = sso:account:access
```

### Authentication Workflow

```bash
# Login and set environment
aws sso login --profile <profile-name>
export AWS_PROFILE=<profile-name>
export AWS_DEFAULT_REGION=<region>

# Verify standard AWS CLI works
aws sts get-caller-identity  # ✅ Works with specified profile

# Launch Amazon Q CLI
q chat  # ❌ use_aws tool defaults to "default" profile
```

## Root Cause Analysis

Based on the tool's function signature, the issue appears to be:

```
use_aws(
    profile_name: str (optional),  # "Defaults to default profile if not specified"
    ...
)
```
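
The precedence proposed in this issue, as an added example that is not part of the original report and is not Amazon Q Developer CLI code. `resolve_profile`, `known_profiles` and `SAMPLE_CONFIG` are hypothetical names, and the sample is constructed from the config shown above. Treating an empty `AWS_PROFILE` as unset, and raising an error when the chosen profile is undefined instead of running under a different one, are assumptions of this example.

```python
import configparser
import os

# Constructed sample mirroring the ~/.aws/config in the issue (placeholders kept).
SAMPLE_CONFIG = """\
[profile management]
sso_session = aws-sso
sso_role_name = AWSAdministratorAccess

[profile sandbox]
sso_session = aws-sso
sso_role_name = AWSPowerUserAccess

[sso-session aws-sso]
sso_region = <region>
"""


def known_profiles(config_text="", credentials_text=""):
    """Profile names from both files: config uses "[profile NAME]" (plus a
    bare "[default]"), credentials uses "[NAME]". SSO profiles are config-only."""
    names = set()
    cfg = configparser.RawConfigParser()
    cfg.read_string(config_text)
    for section in cfg.sections():
        if section == "default":
            names.add(section)
        elif section.startswith("profile "):
            names.add(section[len("profile "):].strip())
        # "[sso-session ...]" and other sections are not profiles
    creds = configparser.RawConfigParser()
    creds.read_string(credentials_text)
    names.update(creds.sections())
    return names


def resolve_profile(explicit=None, environ=None, config_text="", credentials_text=""):
    """Return (profile, source) using: parameter > AWS_PROFILE > "default".
    Raises LookupError instead of silently falling back to another profile."""
    environ = os.environ if environ is None else environ
    if explicit:
        name, source = explicit, "parameter"
    elif environ.get("AWS_PROFILE"):  # assumption: empty value counts as unset
        name, source = environ["AWS_PROFILE"], "AWS_PROFILE"
    else:
        name, source = "default", "fallback"
    if name not in known_profiles(config_text, credentials_text):
        raise LookupError(f"profile {name!r} (from {source}) is not defined")
    return name, source
```

Returning the source alongside the name lets the tool show which rule selected the profile before any command runs, so a call about to execute under an unintended account or role is visible to the user.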
