Description
Please add your +1 👍 to let us know you have encountered this
Status: RESOLVED
Overview:
In version 2.167.0, CLI commands, including deployments, fail with authentication errors.
The main cause is with authentication configurations that do not use AWS_SESSION_TOKEN, like IAM User credentials.
A second cause is related to the location of the region configuration, see #32130
Complete Error Message:
The security token included in the request is invalid
Workaround:
Revert to 2.166.0
Solution:
Upgrade to 2.167.1
Related Issues:
Original issue
Since version 2.167.0, deployments fail due to the inability to get the AWS account ID. The following error occurs in the verbose output of cdk synthesize/deploy:
[01:50:17] Resolving default credentials
[01:50:17] Looking up default account ID from STS
[01:50:18] Unable to determine the default AWS account (InvalidClientTokenId): The security token included in the request is invalid
This is despite having correct AWS environment variables set (AWS_DEFAULT_REGION, AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID) and aws sts get-caller-identity works correctly.
Rolling back to 2.166.0 with:
npm install -g aws-cdk@2.166.0
resolves the issue and deployments resume as per normal.
Regression Issue
Confirmed Regression.
Last Known Working CDK Version
No response
Expected Behavior
CDK should function correctly and retrieve the account ID via the AWS credentials.
Current Behavior
CDK throws an error stating that it cannot retrieve the account ID due to security token issues.
Reproduction Steps
Upgrade to 2.167.0, use AWS environment variable credentials but don't specify the account ID, and run cdk synthesize.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.167.0 (build 677e108)
Framework Version
No response
Node.js Version
v22.6.0
OS
Ubuntu 22.04.4 LTS
Language
.NET
Language Version
No response
Other information
No response