
(global): Handling of SSO profiles and CA bundles inconsistent with AWS CLI (and error message unhelpful) #1545

@crbunney

Description


Describe the bug

I use the SSO token provider configuration and aws sso login to authenticate when using the AWS CLI in conjunction with the --profile option or AWS_PROFILE environment variable.

The CDK CLI fails to connect to AWS when I use it with the same configuration that works with the AWS CLI.

This appears related to the self-signed certificates used by my organisation's web proxy, and to the CDK CLI handling CA bundles and related config differently than the AWS CLI.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

I expect parity between the AWS CLI and the CDK CLI. I.e., if the credentials & config work for the AWS CLI, then they should also work for the CDK CLI.

Additionally, the error output from the CDK CLI should be clearer about what the issue is, as the current output is misleading. For example, the "Unable to determine the default AWS account (CredentialsProviderError): Error: self-signed certificate in certificate chain" line from the detailed logging would be much more likely to help users understand what's going wrong.

Current Behavior

The standard output:


✨  Synthesis time: 8.51s

Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment

The error message suggests a credential issue, which is confusing when the same profile and credentials work fine with the aws command.

Debugging output:

cdk -vv deploy --profile xxx-dev-dev
[14:24:57] CDK Toolkit CLI version: 2.1124.1 (build 791408c)
[14:24:57] Command line arguments: {
  _: [ 'deploy' ],
  v: 2,
  verbose: 2,
  profile: 'xxx-dev-dev',
  app: undefined,
  a: undefined,
  build: undefined,
  trace: undefined,
  strict: undefined,
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  region: undefined,
  proxy: undefined,
  'ca-bundle-path': undefined,
  caBundlePath: undefined,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  telemetry: undefined,
  versionReporting: undefined,
  'path-metadata': undefined,
  pathMetadata: undefined,
  'asset-metadata': undefined,
  assetMetadata: undefined,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  output: undefined,
  o: undefined,
  notices: undefined,
  'no-color': false,
  noColor: false,
  color: undefined,
  ci: false,
  unstable: [],
  'telemetry-file': undefined,
  telemetryFile: undefined,
  yes: false,
  y: false,
  all: false,
  'build-exclude': [],
  E: [],
  buildExclude: [],
  exclusively: undefined,
  e: undefined,
  'require-approval': undefined,
  requireApproval: undefined,
  execute: undefined,
  'change-set-name': undefined,
  changeSetName: undefined,
  method: undefined,
  m: undefined,
  'import-existing-resources': false,
  importExistingResources: false,
  force: false,
  f: false,
  parameters: [ {} ],
  'outputs-file': undefined,
  O: undefined,
  outputsFile: undefined,
  'previous-parameters': true,
  previousParameters: true,
  'toolkit-stack-name': undefined,
  toolkitStackName: undefined,
  progress: undefined,
  rollback: undefined,
  hotswap: undefined,
  'hotswap-fallback': undefined,
  hotswapFallback: undefined,
  'hotswap-ecs-minimum-healthy-percent': undefined,
  hotswapEcsMinimumHealthyPercent: undefined,
  'hotswap-ecs-maximum-healthy-percent': undefined,
  hotswapEcsMaximumHealthyPercent: undefined,
  'hotswap-ecs-stabilization-timeout-seconds': undefined,
  hotswapEcsStabilizationTimeoutSeconds: undefined,
  watch: undefined,
  logs: true,
  concurrency: 1,
  'asset-parallelism': undefined,
  assetParallelism: undefined,
  'asset-build-concurrency': 1,
  assetBuildConcurrency: 1,
  'asset-prebuild': true,
  assetPrebuild: true,
  'ignore-no-stacks': false,
  ignoreNoStacks: false,
  'revert-drift': false,
  revertDrift: false,
  '$0': '..\\..\\..\\..\\AppData\\Roaming\\npm\\node_modules\\aws-cdk\\bin\\cdk',
  language: undefined
}
[14:24:57] cdk.json: {
  "app": "python app.py"
}
[14:24:57] merged settings: {
  versionReporting: true,
  assetMetadata: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'python app.py',
  context: {},
  debug: false,
  profile: 'xxx-dev-dev',
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [ '**' ],
  lookups: true,
  assetBuildConcurrency: 1,
  assetPrebuild: true,
  ignoreNoStacks: false,
  hotswap: { ecs: {} },
  unstable: []
}
[14:24:57] Endpoint Telemetry connected
[14:24:57] Could not get CDK Library Version: require.resolve("aws-cdk-lib") did not return a file path
[14:24:57] Starting Command ...
[14:24:57] Could not refresh notices: NoConnectivity: No internet connectivity detected
[14:24:57] Toolkit stack: CDKToolkit
[14:24:57] Starting Synthesis ...
[14:24:57] context: {
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '**' ]
}
[14:24:57] Setting "CDK_DEFAULT_REGION" environment variable to eu-west-2
[14:24:57] Could not refresh notices: NoticesFetchFailed: Failed to load CDK notices. Please try again later.
[14:24:57] [SDK error] SSO.GetRoleCredentials({"roleName":"DeveloperAccess","accountId":"xxxxxxxxxx","accessToken":"***SensitiveInformation***"}) -> Error: self-signed certificate in certificate chain
[14:24:57] Unable to determine the default AWS account (CredentialsProviderError): Error: self-signed certificate in certificate chain
[14:24:57] Not a file: 'python app.py'. Using 'python app.py as command-line
[14:24:57] outdir: cdk.out
[14:24:57] env: {
  CDK_DEFAULT_REGION: 'eu-west-2',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '53.0.0',
  CDK_CLI_VERSION: '2.1124.1',
  CDK_ERROR_FILE: 'cdk.out\\error.txt',
  CDK_PERF_COUNTERS_FILE: 'cdk.out\\performance-counters.json'
}
[14:25:07] 
✨  Synthesis time: 10.72s


✨  Synthesis time: 10.72s

Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment
[14:25:07] 
✨  Command time: 10.73s

[14:25:07] No internet connectivity detected, skipping telemetry

I believe the key lines are these:

[14:24:57] [SDK error] SSO.GetRoleCredentials({"roleName":"DeveloperAccess","accountId":"xxxxxxxxxxxx","accessToken":"***SensitiveInformation***"}) -> Error: self-signed certificate in certificate chain
[14:24:57] Unable to determine the default AWS account (CredentialsProviderError): Error: self-signed certificate in certificate chain

I have some environment variables related to the self-signed certificates deployment by my organisation. It appears that the AWS CLI is using them whereas the CDK CLI isn't.

Reproduction Steps

GIVEN a custom CA certificate bundle at C:\Program Files\Certificate Bundle\tls-ca-bundle.pem
AND the REQUESTS_CA_BUNDLE is set to C:\Program Files\Certificate Bundle\tls-ca-bundle.pem
AND the SSL_CERT_FILE is set to C:\Program Files\Certificate Bundle\tls-ca-bundle.pem
AND ~/.aws/config contains (see below)
AND aws sso login --profile xxx-dev-dev completes ok
AND a hello world CDK project exists
WHEN cdk -vv deploy --profile xxx-dev-dev is run in the hello world CDK project directory
THEN CDK CLI is "Unable to resolve AWS account to use..."

~/.aws/config contents:

[sso-session MyOrg]
sso_start_url = https://xxxxxxxxxx.awsapps.com/start
sso_region = eu-west-2
sso_registration_scopes = sso:account:access

[profile xxx-dev-dev]
sso_session = MyOrg
sso_account_id = xxxxxxxx
sso_role_name = DeveloperAccess
region = eu-west-2

Possible Solution

It appears that the AWS CLI is checking more environment variables for CA bundle config than CDK CLI.

The solution would be to ensure CDK CLI is checking the same list of environment variables.
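As an added illustration of the proposed fix (this is example code, not CDK CLI or AWS SDK source), the TypeScript below resolves a CA bundle from an explicit CLI option and then an ordered list of environment variables, validates the file up front, and rewrites a TLS trust failure from the SDK into a message that names the real cause. All function and constant names (`CA_BUNDLE_ENV_VARS`, `resolveCaBundle`, `loadCaBundle`, `explainCredentialError`, `writeConstructedBundle`, `demoFromReport`) are assumptions; so is the lookup order: `--ca-bundle-path` and `AWS_CA_BUNDLE` are the settings that appear in the report, while `REQUESTS_CA_BUNDLE` and `SSL_CERT_FILE` are the variables the reporter already has set, added here as lower-precedence fallbacks.

```typescript
// Added example (not CDK CLI or AWS SDK code). Assumed names: CA_BUNDLE_ENV_VARS,
// resolveCaBundle, loadCaBundle, explainCredentialError, writeConstructedBundle,
// demoFromReport. The lookup order is an assumption: --ca-bundle-path and AWS_CA_BUNDLE
// appear in the report; REQUESTS_CA_BUNDLE and SSL_CERT_FILE are the reporter's variables,
// added as lower-precedence fallbacks.
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';

export const CA_BUNDLE_ENV_VARS = ['AWS_CA_BUNDLE', 'REQUESTS_CA_BUNDLE', 'SSL_CERT_FILE'] as const;
type CaBundleSource = 'cli-option' | (typeof CA_BUNDLE_ENV_VARS)[number] | 'none';

export interface CaBundleResolution {
  source: CaBundleSource;
  filePath?: string;
}

// Pick the CA bundle path: the explicit CLI option first, then the env vars in order.
export function resolveCaBundle(
  cliOption: string | undefined,
  env: Record<string, string | undefined>,
): CaBundleResolution {
  if (cliOption && cliOption.trim() !== '') {
    return { source: 'cli-option', filePath: cliOption };
  }
  for (const name of CA_BUNDLE_ENV_VARS) {
    const value = env[name];
    if (value && value.trim() !== '') {
      return { source: name, filePath: value };
    }
  }
  return { source: 'none' };
}

// Read the bundle and reject obviously wrong configuration up front, so a typo in the
// path surfaces as "bundle not found" instead of a later TLS handshake failure.
export function loadCaBundle(filePath: string): string {
  if (!fs.existsSync(filePath)) {
    throw new Error(`CA bundle not found: ${filePath}`);
  }
  const pem = fs.readFileSync(filePath, 'utf8');
  if (!pem.includes('-----BEGIN CERTIFICATE-----')) {
    throw new Error(`CA bundle contains no PEM certificates: ${filePath}`);
  }
  return pem;
}

// Node/OpenSSL messages that indicate a trust-store problem rather than bad credentials.
const TLS_TRUST_ERRORS = [
  /self[- ]signed certificate/i,
  /unable to get local issuer certificate/i,
  /unable to verify the first certificate/i,
];

// Turn the SDK's TLS failure into a message that names the real problem (trust store)
// instead of a generic "could not resolve account" message; other errors pass through.
export function explainCredentialError(sdkMessage: string, resolution: CaBundleResolution): string {
  if (!TLS_TRUST_ERRORS.some((re) => re.test(sdkMessage))) {
    return sdkMessage;
  }
  const using =
    resolution.source === 'none'
      ? 'no custom CA bundle is configured'
      : `CA bundle from ${resolution.source}: ${resolution.filePath}`;
  return (
    `TLS trust error while fetching credentials (${sdkMessage}); ${using}. ` +
    `If you are behind a TLS-inspecting proxy, pass --ca-bundle-path or set one of ` +
    `${CA_BUNDLE_ENV_VARS.join(', ')} to the proxy's CA bundle.`
  );
}

// Constructed sample bundle for offline runs; the body is a placeholder, not a real certificate.
export function writeConstructedBundle(): string {
  const file = path.join(os.tmpdir(), `constructed-ca-bundle-${Date.now()}.pem`);
  fs.writeFileSync(file, '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n');
  return file;
}

// Reproduce the report's situation: only REQUESTS_CA_BUNDLE and SSL_CERT_FILE are set
// (constructed env), and the SDK reports the self-signed-certificate error from the log.
export function demoFromReport(): string {
  const env = {
    REQUESTS_CA_BUNDLE: 'C:\\Program Files\\Certificate Bundle\\tls-ca-bundle.pem',
    SSL_CERT_FILE: 'C:\\Program Files\\Certificate Bundle\\tls-ca-bundle.pem',
  };
  const resolution = resolveCaBundle(undefined, env);
  return explainCredentialError('Error: self-signed certificate in certificate chain', resolution);
}
```

Calling `demoFromReport()` returns the rewritten message, which tells the user which variable the bundle was taken from and which settings to check, rather than the "Unable to resolve AWS account to use" text from the report. The pass-through branch matters: an expired SSO token must still surface as a credential error, not as a TLS hint.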

Additional Information/Context

Workaround: Setting the AWS_CA_BUNDLE environment variable works around the issue, but is unintuitive given that the AWS CLI doesn't appear to require it.

CDK CLI Version

2.1124.1 (build 791408c)

Framework Version

No response

Node.js Version

v22.22.3

OS

Windows 11 Enterprise 25H2

Language

Python

Language Version

3.14

Other information

The "No internet connectivity detected" messages from the detailed command output are probably also related to the CA bundle config, as CDK probably won't be able to connect to my organisation's web proxy and access the internet without it.
