aws-cdk: incorrect region resolution for explicitly passed profiles

[wuhkuh]

Describe the bug

Following the documentation:

To make the stack deployable to a different target, but to determine the target at synthesis time, your stack can use two environment variables provided by the AWS CDK CLI: CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION. These variables are set based on the AWS profile specified using the --profile option, or the default AWS profile if you don't specify one.

However, despite specifying the profile using the --profile option, a different AWS region is selected, which happened to be (accidentally) exposed by our CI runners, which are running in a different region.
We could of course fall back on setting the region using alternate manners, but the profile resolution allows us to centralize the configuration relatively low in effort.

Expected Behavior

We expected the ini configuration files to be read, based on the explicitly passed profile.
CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION would then be set according to these.

Current Behavior

CDK_DEFAULT_ACCOUNT is correctly based on the passed profile, but CDK_DEFAULT_REGION is taken from a pre-existing AWS_REGION.

Reproduction Steps

Reproduction repository, with instructions available at:
https://github.com/wuhkuh/aws-cdk-repro

Possible Solution

Something like this would resolve it (please excuse the automatic linter, sorry!):

packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts

  public static async region(options: RegionOptions = {}): Promise<string> {
    const profile =
      options.profile ||
      process.env.AWS_PROFILE ||
      process.env.AWS_DEFAULT_PROFILE ||
      "default";

    // Defaults inside constructor
    const toCheck = [
      { filename: credentialsFileName(), profile },
      { isConfig: true, filename: configFileName(), profile },
      { isConfig: true, filename: configFileName(), profile: "default" },
    ];

    let region;

    if (!options.profile) {
      region = undefined;
    } else {
      region = regionEnvVars();
    } 

    while (!region && toCheck.length > 0) {
      const opts = toCheck.shift()!;
      if (await fs.pathExists(opts.filename)) {
        const configFile = new SharedIniFile(opts);
        const section = await configFile.getProfile(opts.profile);
        region = section?.region;
      }
    }

    if (!region && !options.profile) {
      region = regionEnvVars();
    }

function regionEnvVars() {
  return (
    process.env.AWS_REGION ||
    process.env.AMAZON_REGION ||
    process.env.AWS_DEFAULT_REGION ||
    process.env.AMAZON_DEFAULT_REGION
  );
}

Additional Information/Context

No response

CDK CLI Version

2.114.1

Framework Version

No response

Node.js Version

20.10.0

OS

Manjaro Linux (64-bit)

Language

TypeScript

Language Version

TypeScript (5.3.2)

Other information

No response

[wuhkuh]

Turns out to be a misunderstanding of the documentation. Sorry!

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.