Packer with AWS SSO Profile

I'm trying to use packer with the "profile" variable (without needing to supply static access keys) which I am configuring using the aws configure sso command - but when trying to run the packer command I get the error:

Error: NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors

in my packer variables.json I have "aws_profile": "sandbox" and in my environment.json I have

"builders": [
        {
            "type": "amazon-ebs",
            "profile": "{{user `aws_profile`}}"

Am I missing something or is it not possible to do this?

as per the source

// profile returns the AWS shared credentials profile.  If empty will read
// environment variable "AWS_PROFILE". If that is not set profile will
// return "default".
func (p *SharedCredentialsProvider) profile() string {
    if p.Profile == "" {
        p.Profile = os.Getenv("AWS_PROFILE")
    }
    if p.Profile == "" {
        p.Profile = "default"
    }

    return p.Profile
}

similar issue Use of AWS credentials profile ignored #7427

Quoting from the issue:

I found out what my issue was: my build.json was configured to use a specific profile ("profile": "default"), and that takes precedence over AWS_PROFILE. Once I removed the line everything was fine.

If those are correct then it might be the variable name itself.

{
  "variables": {
    "aws_profile": "{{env `AWS_PROFILE`}}"
  },
  "builders": [{
    "type": "amazon-ebs",
    "region": "eu-central-1",
    "profile": "{{ user `aws_profile`}}"
[...]