CDK_DEFAULT_ACCOUNT: No longer defined as of 2.167 #32757

Closed
1 task done
shawnbucholtz opened this issue Jan 6, 2025 · 11 comments
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p3 package/tools Related to AWS CDK Tools or CLI potential-regression Marking this issue as a potential regression to be checked by team member

Comments

@shawnbucholtz

Describe the bug

Quote:

The AWS CDK provides two environment variables that you can use within your CDK code: CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION.

As of version 2.167 CDK no longer sets the CDK_DEFAULT_ACCOUNT variable in Node JS runtime.

Synthesis is successful in 2.166 without any changes to the code. Upgrading to anything beyond that breaks and the variable is missing.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.166

Expected Behavior

CDK_DEFAULT_ACCOUNT should be set like it was before.

Current Behavior

CDK_DEFAULT_ACCOUNT is undefined.

Reproduction Steps

Running cdk <command> --profile <AWS_PROFILE> results in an error about environment agnostic templates and account ID needing to be set. I've narrowed it down to the CDK_DEFAULT_ACCOUNT variable being undefined.

Simply try to access CDK_DEFAULT_ACCOUNT variable in a working version <=2.166.

Upgrade to >=2.167 and the variable is no longer found in process.env (completely gone)

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.166.0 (build 7bb9203)

Framework Version

No response

Node.js Version

v20.12.0

OS

WSL2 (Ubuntu)

Language

TypeScript

Language Version

Typescript (5.6.2)

Other information

My usage:

const app = new App();
const config = await lib.loadConfig(app); // irrelevant
const account = process.env.CDK_DEFAULT_ACCOUNT || app.node.tryGetContext('account'); // <-- Problem starts here
const region = process.env.CDK_DEFAULT_REGION || app.node.tryGetContext('region') || 'us-west-2';

Generally I do not use the context "account" because we have 3 possible accounts to use (dev, test, prod) - hence if I want to deploy dev then test I used to just be able to pass a different --profile flag because I'm lazy.

Now it's basically requiring me to hardcode my account in context.

This appears to be a regression since there are no change notes about it.

@shawnbucholtz shawnbucholtz added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 6, 2025
@github-actions github-actions bot added package/tools Related to AWS CDK Tools or CLI potential-regression Marking this issue as a potential regression to be checked by team member labels Jan 6, 2025
@pahud pahud self-assigned this Jan 6, 2025
@pahud pahud added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Jan 6, 2025
@pahud
Contributor

pahud commented Jan 6, 2025

It should still work.

In 2.174.0

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';

const app = new cdk.App();
const env = {
  account: process.env.CDK_DEFAULT_ACCOUNT || '123456789012',
  region: process.env.CDK_DEFAULT_REGION || 'us-east-1'
}

export class DummyStack extends cdk.Stack {  
  constructor(scope: Construct, id: string, props: cdk.StackProps) {
     super(scope, id);
     console.log("CDK_DEFAULT_ACCOUNT is", process.env.CDK_DEFAULT_ACCOUNT);
   }
};

new DummyStack(app, 'DummyStack', { env });


app.synth();

% npx cdk --version
2.174.0 (build 9604329)
issue-triage % npx cdk diff     
CDK_DEFAULT_ACCOUNT is 903********* <-- my account ID
Stack DummyStack

and npx cdk --profile PROFILENAME diff works too

Can you verify using my provided code and let me know the results?

@pahud pahud removed their assignment Jan 6, 2025
@pahud pahud added p3 effort/medium Medium work item – several days of effort response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-triage This issue or PR still needs to be triaged. labels Jan 6, 2025
@shawnbucholtz
Author

Does not work for me. :(

Reproduction setup

Created a brand new project with the following and using the code you've provided:

package.json

{
  "name": "aws-sandbox",
  "version": "1.0.0",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "@types/node": "^22.10.5",
    "aws-cdk": "^2.174.0",
    "aws-cdk-lib": "^2.174.0",
    "constructs": "^10.4.2",
    "ts-node": "^10.9.2",
    "typescript": "^5.7.2"
  }
}

cdk.json

{
    "app": "npx ts-node --prefer-ts-exts bin/cdk.ts"
}

bin/cdk.ts

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';

const app = new cdk.App();
const env = {
  account: process.env.CDK_DEFAULT_ACCOUNT || '123456789012',
  region: process.env.CDK_DEFAULT_REGION || 'us-east-1'
}

export class DummyStack extends cdk.Stack {  
  constructor(scope: Construct, id: string, props: cdk.StackProps) {
     super(scope, id);
     console.log("CDK_DEFAULT_ACCOUNT is", process.env.CDK_DEFAULT_ACCOUNT);
   }
};

new DummyStack(app, 'DummyStack', { env });


app.synth();

Reproduction output

Copied directly from my terminal:

$ npx cdk --version
2.174.0 (build 9604329)

$ npx cdk  --profile dev diff
CDK_DEFAULT_ACCOUNT is undefined
Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment

Downgrade

I downgraded to 2.166 as I've suggested and get good outputs.

Commands to downgrade:

$ npm i -D [email protected]

changed 1 package, and audited 64 packages in 1s

3 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ npm i -D [email protected]

changed 4 packages, and audited 64 packages in 4s

3 packages are looking for funding
  run `npm fund` for details

Downgrade output

Then running the same command I get:

$ npx cdk  --profile dev diff
CDK_DEFAULT_ACCOUNT is 5************
Stack DummyStack
Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value<String>","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Conditions
[+] Condition CDKMetadata/Condition CDKMetadataAvailable: {"Fn::Or":[{"Fn::Or":[{"Fn::Equals":[{"Ref":"AWS::Region"},"af-south-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-east-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-northeast-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-northeast-2"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-northeast-3"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-south-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-south-2"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-southeast-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-southeast-2"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-southeast-3"]}]},{"Fn::Or":[{"Fn::Equals":[{"Ref":"AWS::Region"},"ap-southeast-4"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ca-central-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"ca-west-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"cn-north-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"cn-northwest-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-central-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-central-2"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-north-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-south-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-south-2"]}]},{"Fn::Or":[{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-west-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-west-2"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"eu-west-3"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"il-central-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"me-central-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"me-south-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"sa-east-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"us-east-1"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"us-east-2"]},{"Fn::Equals":[{"Ref":"AWS::Region"},"us-west-1"]}]},{"Fn::Equals":[{"Ref":"AWS::Region"},"us-west-2"]}]}

@pahud
Contributor

pahud commented Jan 6, 2025

@shawnbucholtz thank you for your very detailed report. Not sure if it's related to #32195 which should have been fixed but I will bring this up to the team for further investigation. Meanwhile, can you share what your ~/.aws/config looks like? Thanks.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 7, 2025
@iliapolo
Contributor

iliapolo commented Jan 7, 2025

As @pahud mentioned, this should have been fixed in #32195, unless there's some configuration setup we overlooked. Please share your (redacted) ~/.aws/config file so we can continue investigation.

Basically we need to know what role assumption is taking place.

@shawnbucholtz
Author

Thank you for investigating this. Here is my config right now with account ids and sso domain names altered. I haven't cleaned it up in a while and still have a few old blocks at the bottom.

I generally log in with aws sso login - then proceed to use CDK normally, passing --profile with a value from one of the blocks below.

[default]
credential_process = aws-sso-credential-process --profile default
region = us-west-2
sso_start_url = https://domain.awsapps.com/start
sso_region = us-east-1
sso_role_name = Cloud-Systems-Administrator
sso_account_id = 123456789012

[profile sandbox]
region = us-west-2
sso_start_url = https://domain.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = Sandbox-Administrator

[profile prod]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile dev]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

; [profile sandbox]
; role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
; source_profile = default
; region = us-west-2

[profile test]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile networking]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile liftshift]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile amifactory]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile security]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile devops]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile workspaces]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile researchmgmt]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = ca-central-1

[profile research]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile forensic]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile logs]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
region = us-west-2

[profile SCA]
sso_start_url = https://domain.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = Systems-Configuration-Analyst
region = us-west-2

[profile Systems-Configuration-Analyst-123456789012]
sso_start_url = https://domain.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = Systems-Configuration-Analyst
region = us-east-1
output = json

@shawnbucholtz
Author

Out of sheer curiosity I hardcoded the account ID into an app that needs to make AWS calls and tried running the cdk diff --profile dev again with 2.174.x and got the following error:

Need to perform AWS calls for account ACCOUNT_ID, but no credentials have been configured

Without the hardcoded account ID I get an error with a stack trace:

Error: Cannot retrieve value from context provider ssm since account/region are not specified at the stack level. Configure "env" with an account and region when you define your stack.See https://docs.aws.amazon.com/cdk/latest/guide/environments.html for more details.
    at Function.getValue (/home/sbucholtz/workspace/athabascau/aws-sandbox/node_modules/aws-cdk-lib/core/lib/context-provider.js:2:562)
    at Function.valueFromLookup (/home/sbucholtz/workspace/athabascau/aws-sandbox/node_modules/aws-cdk-lib/aws-ssm/lib/parameter.js:1:7047)
    at lookupVpcFromSsm (/home/sbucholtz/workspace/athabascau/aws-sandbox/lib/Utils.ts:46:35)
    at new SecurityGroupsStack (/home/sbucholtz/workspace/athabascau/aws-sandbox/lib/stacks/SecurityGroupsStack.ts:53:36)
    at /home/sbucholtz/workspace/athabascau/aws-sandbox/bin/cdk.ts:55:27

If there is anything else I can provide please let me know.

@otaviomacedo
Contributor

@shawnbucholtz I'm not sure where the problem is yet, but I can see that in the default profile, both credential_source and SSO are configured. Is that intentional? What's the use case there?

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 7, 2025
@shawnbucholtz
Copy link
Author

@otaviomacedo If I'm being honest, I'm not sure why I have credential_process in there now (not credential_source). Obviously I added it at some point but I cannot recall what it did for me.

So, the good news is removing that line has resolved the issue - AWS CLI continues to work as expected and now my CDK templates are synthesizing properly. In other words, the process.env.CDK_DEFAULT_ACCOUNT is defined now as expected.

Resolution (for me)

  1. SSO log out
  2. removed the line with credential_process from ~/.aws/config
  3. log back in with sso aws sso login
  4. updated back to aws-cdk@latest and aws-cdk-lib@latest
  5. npx cdk --version -> 2.174.1 (build f353fc7)
  6. npx cdk diff --profile dev -> CDK_DEFAULT_ACCOUNT is 5**********

What this means for this issue, I'm not sure(?)

I've had that line in there for at least 2 years without any issues and everything just worked. That being said, it is not something I normally see in configs and again I just can't remember why I added it originally. Given there aren't any others reporting a similar issue this could probably be closed.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jan 7, 2025
@pahud
Contributor

pahud commented Jan 7, 2025

Thank you for the report. Resolving now.

@pahud pahud closed this as completed Jan 7, 2025

github-actions bot commented Jan 7, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 7, 2025
@otaviomacedo
Contributor

@shawnbucholtz up to version 2.166.0, the CDK CLI used the AWS SDK v2, which had many shortcomings. So we ended up implementing a good deal of logic on top of it. As a result of that, by accident, SSO configuration took priority over external process. So in a case like yours, given that the SSO configuration was correct, the external process configuration was always being ignored.

From version 2.167.0 on, the CDK CLI is using the AWS SDK v3, which has proper support for SSO. In v3, the order of precedence is the other way around: external process before SSO.
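Because of the precedence change described above, a profile that declares both credential_process and SSO keys resolves to a different credential source before and after 2.167.0. The following is an added example, not code from the CDK project or from anyone in this thread: it audits an AWS shared config for such profiles and follows source_profile links, which is how --profile dev reached [default] here. The names parseAwsConfig, auditProfile and SAMPLE_CONFIG are hypothetical, and the sample config is constructed from the redacted one posted earlier.

```typescript
// Added example (hypothetical helper names); not part of the CDK code base.
type Profile = Record<string, string>;

// Constructed sample, modelled on the redacted ~/.aws/config posted in this thread.
const SAMPLE_CONFIG = `
[default]
credential_process = aws-sso-credential-process --profile default
sso_start_url = https://domain.awsapps.com/start
sso_account_id = 123456789012
[profile sandbox]
sso_start_url = https://domain.awsapps.com/start
sso_account_id = 123456789012
[profile dev]
role_arn = arn:aws:iam::123456789012:role/IT-Cloud-Systems-Administrator
source_profile = default
`;

// Minimal parser for [default] / [profile NAME] sections; ';' and '#' lines are comments.
function parseAwsConfig(text: string): Record<string, Profile> {
  const profiles: Record<string, Profile> = {};
  let current: Profile | undefined;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const header = /^\[(?:profile\s+)?([^\]\s]+)\]$/.exec(line);
    if (header) { current = {}; profiles[String(header[1])] = current; }
    else if (line[0] === '[') current = undefined; // sso-session, services, ... are not profiles
    else if (current && !/^[;#]/.test(line) && line.indexOf('=') > 0)
      current[line.slice(0, line.indexOf('=')).trim()] = line.slice(line.indexOf('=') + 1).trim();
  }
  return profiles;
}

// Follow source_profile links from `name` and report each profile in the chain that
// declares both an external process and SSO, with the winner as described in this thread.
function auditProfile(profiles: Record<string, Profile>, name: string): string[] {
  const findings: string[] = [];
  const seen: string[] = []; // guards against source_profile cycles
  let cur: string | undefined = name;
  while (cur !== undefined && seen.indexOf(cur) === -1) {
    seen.push(cur);
    const p: Profile | undefined = profiles[cur];
    if (!p) { findings.push(cur + ': profile not found'); break; }
    const both = !!p['credential_process'] && !!(p['sso_start_url'] || p['sso_session']);
    if (both) findings.push(cur + ': credential_process + sso (CLI <=2.166.0: sso, >=2.167.0: credential_process)');
    cur = p['source_profile'];
  }
  return findings;
}
```

Calling auditProfile(parseAwsConfig(SAMPLE_CONFIG), 'dev') returns one finding for default; with the credential_process line removed, as in the resolution above, it returns none.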
