aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(credentials): assume role credentials in aws/config do not work since 2.167.0 #32137

Closed otbe closed 23 hours ago

otbe commented 23 hours ago

Describe the bug

In ~/.aws/config I have the following:

[default]
region=eu-central-1
credential_source=Ec2InstanceMetadata
role_arn=my-role-arn
duration_seconds=3600
role_session_name=my-session-name

This setup works fine in 2.166.0 and is broken in 2.167.0. I think it's related to: https://github.com/aws/aws-cdk/issues/32120

The same ~/.aws/config works fine with aws cli, aws sdk js v3 and boto3

Regression Issue

Last Known Working CDK Version

2.166.0

Expected Behavior

It should work :)

Current Behavior

32120   cli: commands fail with authentication error 'The security token included in the request is invalid'
    Overview: When using IAM user credentials, or when the region is
              defined in `~/.aws/credentials` but not `~/.aws/config`, the
              CLI is unable to authenticate and to determine the AWS
              account and region to be used.

Reproduction Steps

[default]
region=eu-central-1
credential_source=Ec2InstanceMetadata
role_arn=my-role-arn
duration_seconds=3600
role_session_name=my-session-name

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.167.0

Framework Version

No response

Node.js Version

22

OS

al2023

Language

TypeScript

Language Version

No response

Other information

No response

ashishdhingra commented 23 hours ago

@otbe The issue https://github.com/aws/aws-cdk/issues/32120 is actively being worked on. Please follow that issue for any updates. If you think this issue is a duplicate, please close this one.

Thanks, Ashish

otbe commented 23 hours ago

Indeed, I was confused by the message and thought that assume role credentials also do not work (and not only user credentials :))

github-actions[bot] commented 23 hours ago

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.