chore(release): 2.173.1 (#32523)

mergify[bot] · web-flow · commit 4eac9596dc0a · 2024-12-14T12:31:14.000Z
See [CHANGELOG](https://github.com/aws/aws-cdk/blob/patch/v2.173.1/CHANGELOG.v2.md).
diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,8 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.173.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.173.0-alpha.0...v2.173.1-alpha.0) (2024-12-14)
+
 ## [2.173.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.172.0-alpha.0...v2.173.0-alpha.0) (2024-12-11)
 
 
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.173.1](https://github.com/aws/aws-cdk/compare/v2.173.0...v2.173.1) (2024-12-14)
+
+
+### Bug Fixes
+
+* **cli:** getting credentials via SSO fails when the region is set in the profile ([#32520](https://github.com/aws/aws-cdk/issues/32520)) ([01fec04](https://github.com/aws/aws-cdk/commit/01fec04ea8c0e33a406e6727801f8bc133a21196))
+
 ## [2.173.0](https://github.com/aws/aws-cdk/compare/v2.172.0...v2.173.0) (2024-12-11)
 
 
diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -34,6 +34,19 @@ export class AwsCliCompatible {
       requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
       customUserAgent: 'aws-cdk',
       logger: options.logger,
+    };
+
+    // Super hacky solution to https://github.com/aws/aws-cdk/issues/32510, proposed by the SDK team.
+    //
+    // Summary of the problem: we were reading the region from the config file and passing it to
+    // the credential providers. However, in the case of SSO, this makes the credential provider
+    // use that region to do the SSO flow, which is incorrect. The region that should be used for
+    // that is the one set in the sso_session section of the config file.
+    //
+    // The idea here: the "clientConfig" is for configuring the inner auth client directly,
+    // and has the highest priority, whereas "parentClientConfig" is the upper data client
+    // and has lower priority than the sso_region but still higher priority than STS global region.
+    const parentClientConfig = {
       region: await this.region(options.profile),
     };
     /**
@@ -51,6 +64,7 @@ export class AwsCliCompatible {
         ignoreCache: true,
         mfaCodeProvider: tokenCodeFn,
         clientConfig,
+        parentClientConfig,
         logger: options.logger,
       }));
     }
@@ -83,6 +97,7 @@ export class AwsCliCompatible {
     const nodeProviderChain = fromNodeProviderChain({
       profile: envProfile,
       clientConfig,
+      parentClientConfig,
       logger: options.logger,
       mfaCodeProvider: tokenCodeFn,
       ignoreCache: true,
diff --git a/version.v2.json b/version.v2.json
@@ -1,4 +1,4 @@
 {
-  "version": "2.173.0",
-  "alphaVersion": "2.173.0-alpha.0"
+  "version": "2.173.1",
+  "alphaVersion": "2.173.1-alpha.0"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "version": "2.173.0",`
`3`		`- "alphaVersion": "2.173.0-alpha.0"`
	`2`	`+ "version": "2.173.1",`
	`3`	`+ "alphaVersion": "2.173.1-alpha.0"`
`4`	`4`	`}`