Describe the bug

When using an IAM profile/role that requires multi-factor authentication in the AWS_PROFILE envar, the CDK CLI is not prompting for the MFA code, resulting in a missing credentials error.

[09:26:47] Error: Need to perform AWS calls for account ***, but no credentials have been configured

Regression Issue

• Select this option if this issue appears to be a regression.
  To pick up a draggable item, press the space bar. While dragging, use the arrow keys to move the item. Press space again to drop the item in its new position, or press escape to cancel.

Last Known Working CDK Version

2.166

Expected Behavior

The CDK CLI should prompt for a MFA code when a profile that requires MFA is set in the AWS_PROFILE envar

Current Behavior

The CDK CLI is unable to prompt because it does not have a MFA callback handler:

[09:49:12] Resolving default credentials
[09:49:12] Unable to determine the default AWS account (CredentialsProviderError): Profile *** requires multi-factor authentication, but no MFA code callback was provided.

Reproduction Steps

in ~/.aws/.config, create a profile that requires MFA

[profile mfa-test]
duration_seconds = 43200
mfa_serial = arn:aws:iam::***:mfa/***
output = json
region = us-east-1
role_arn = arn:aws:iam::***:role/***
source_profile = ***

then export that profile to the AWS_PROFILE envar

> export AWS_PROFILE=mfa-test

now run any cdk command that performs AWS calls:

> cdk bootstrap
 ⏳  Bootstrapping environment aws://***/us-east-1...
 ❌  Environment aws://***/us-east-1 failed bootstrapping: Error: Need to perform AWS calls for account ***, but no credentials have been configured

Possible Solution

No response

Additional Information/Context

passing the --profile argument to the CDK CLI does prompt for MFA credentials

> cdk bootstrap --profile=infra
MFA token for arn:aws:iam::***:mfa/***: 

The logs when using --profile

[10:29:07] Resolving default credentials
[10:29:07] Require MFA token for serial ARN arn:aws:iam::***:mfa/***

vs. logs when using AWS_PROFILE

[09:49:12] Resolving default credentials
[09:49:12] Unable to determine the default AWS account (CredentialsProviderError): Profile *** requires multi-factor authentication, but no MFA code callback was provided.

when using AWS_PROFILE the log message does identify the correct profile

CDK CLI Version

2.171.0 (build 4957967)

Framework Version

No response

Node.js Version

v20.12.2

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response