CDK CLI: assuming a doubly-chained role fails since 2.167.0

[Joe-Zer0]

Describe the bug

This may be related to #32120, but it's different enough I decided to create a separate issue.
2.166.0 works. 2.167.0 and 2.167.2 do not work.
Credentials File

[role0]
aws_access_key_id        = XXXXX
aws_secret_access_key    = XXXXX
aws_session_token        = XXXXX
aws_security_token       = XXXXX
x_principal_arn          = XXXXX
x_security_token_expires = XXXXX

[role1]
source_profile = role0
role_arn       = arn:aws:iam::12345:role/Role1

[role2]
source_profile = role1
role_arn       = arn:aws:iam::12345:role/Role2

Not sure if it's relevant, but role0 is for Account A and role1 and role2 are for Account B.
Using version 2.167.0, cdk synth --profile role1 works correctly, the CDK_DEFAULT_ACCOUNT environment variable is populated. The issue happens when running cdk synth --profile role2, CDK_DEFAULT_ACCOUNT is not populated. But CDK_DEFAULT_REGION is still populated correctly.

Please let me know if there is any additional information I can provide.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.166.0

Expected Behavior

I would expect cdk synth --profile role2 to populate CDK_DEFAULT_ACCOUNT with the account number.

Current Behavior

cdk synth --profile role2 does not populate CDK_DEFAULT_ACCOUNT with the account number.

Reproduction Steps

Run cdk synth on any stack with a profile that is "double assumed".

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.167.2

Framework Version

No response

Node.js Version

v20.17.0

OS

Windows 10

Language

Python

Language Version

No response

Other information

No response

[pahud]

but role1 is for Account A and role1 and role2 are for Account B.

I presume role0 for Account A and both role1,2 for Account B right?

[Joe-Zer0]

Apologies, you are correct. I'll update the initial comment as well.

[pahud]

This is my test

[profile role1]
role_arn = arn:aws:iam::ACCOUNT_ID:role/AdminRole4Switch
source_profile = default

[profile role2]
role_arn = arn:aws:iam::ACCOUNT_ID:role/AdminRole4Switch2
source_profile = role1

CLI Test

I can run the following commands using AWS CLI correctly

% aws --profile role1 sts get-caller-identity
% aws --profile role2 sts get-caller-identity

CDK Test

const app = new App();

const env = { region: process.env.CDK_DEFAULT_REGION, account: process.env.CDK_DEFAULT_ACCOUNT };

const stack = new Stack(app, 'issue-triage-stack', { env } )

new CfnOutput(stack, 'cdk_default_account', { value: process.env.CDK_DEFAULT_ACCOUNT || 'not found'  });
new CfnOutput(stack, 'cdk_default_region', { value: process.env.CDK_DEFAULT_REGION || 'not found'  });

I can run this correctly

% npx cdk --profile role1 diff

And see the Outputs

Outputs
[+] Output cdk_default_account cdkdefaultaccount: {"Value":"ACCOUNT"}
[+] Output cdk_default_region cdkdefaultregion: {"Value":"us-east-1"}

But it won't resolve using role2 profile in 1.166.0

% npx cdk --profile role2 diff               
Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment

I don't think CDK 2.166.0 supports this. But if I change the config of role2 using role0 as the source

[profile role2]
role_arn = arn:aws:iam::ACCOUNT:role/AdminRole4Switch2
source_profile = default

cdk diff works pretty great!

Can you provide a minimal sample as above that works in 166 but not in 167?

[pahud]

by the way, we don't specify these in ~/.aws/config

are you sure they are configured in ~/.aws/config ?

aws_access_key_id        = XXXXX
aws_secret_access_key    = XXXXX

[Joe-Zer0]

Those are specified in ~/.aws/credentials. All 3 roles are in ~/.aws/credentials. Although I believe it is possible to move role1 and role2 to ~/.aws/config.

[Joe-Zer0]

Here's some more detailed reproduction steps, similar to what you have.
Using the same credentials file as I specified above:

⟫ aws sts get-caller-identity --profile role1
{
    "UserId": "XXXXX",
    "Account": "XXXXX",
    "Arn": "arn:aws:sts::XXXXX:assumed-role/Role1/botocore-session-XXXXX"
}

⟫ aws sts get-caller-identity --profile role2
{
    "UserId": "XXXXX",
    "Account": "XXXXX",
    "Arn": "arn:aws:sts::XXXXX:assumed-role/Role2/botocore-session-XXXXX"
}

cdk.json

{
  "app": "python app.py"
}

app.py

from aws_cdk import App
import os

print(f"CDK_DEFAULT_ACCOUNT = {os.environ.get('CDK_DEFAULT_ACCOUNT')}")
print(f"CDK_DEFAULT_REGION = {os.environ.get('CDK_DEFAULT_REGION')}")

app = App()
app.synth()

⟫ npm install aws-cdk@2.166.0 -g

⟫ cdk synth --profile role1
CDK_DEFAULT_ACCOUNT = XXXXX
CDK_DEFAULT_REGION = us-east-1
This app contains no stacks

⟫ cdk synth --profile role2
CDK_DEFAULT_ACCOUNT = XXXXX
CDK_DEFAULT_REGION = us-east-1
This app contains no stacks

⟫ npm install aws-cdk@2.167.0 -g

⟫ cdk synth --profile role1
CDK_DEFAULT_ACCOUNT = XXXXX
CDK_DEFAULT_REGION = us-east-1
This app contains no stacks

⟫ cdk synth --profile role2
CDK_DEFAULT_ACCOUNT = None          <-- This is the issue
CDK_DEFAULT_REGION = us-east-1
This app contains no stacks

Hopefully that helps. Let me know if there's any other info I can provide.