Description
Describe the bug
Up until v1.13.1 we could run the validate-config yarn target outside of the pipeline which saved us tons of time.
As we are using the external pipeline deployment option, we had to set 3 extra environment variables:
export MANAGEMENT_ACCOUNT_EMAIL="##################"
export MANAGEMENT_ACCOUNT_ID="###################"
export MANAGEMENT_ACCOUNT_ROLE_NAME="##################"
After upgrading to v1.14.2 this no longer works. Please let us know how we can instrument this with v1.14+
To Reproduce
Deploy LZA with external pipeline
From the pipeline account, run yarn validate-config with the additional environment variables
Validating configuration...
yarn run v1.22.22
$ ts-node ./packages/@aws-accelerator/accelerator/lib/config-validator.ts ###################
2026-01-12 09:40:47.451 | info | config-validator | homeRegion set to
2026-01-12 09:40:47.458 | info | config-validator | Found replacement variables in network-config.yaml
2026-01-12 09:40:47.458 | info | config-validator | Config source directory - ########################
2026-01-12 09:40:48.799 | info | accounts-config-validator | accounts-config.yaml file validation started
2026-01-12 09:40:48.800 | info | customizations-config-validator | customizations-config.yaml file validation started
2026-01-12 09:40:48.801 | info | global-config-validator | global-config.yaml file validation started
2026-01-12 09:40:48.806 | info | global-config-validator | email count: 1
2026-01-12 09:40:48.807 | info | iam-config-validator | iam-config.yaml file validation started
2026-01-12 09:40:48.810 | info | network-config-validator | network-config.yaml file validation started
2026-01-12 09:40:49.018 | info | organization-config-validator | organization-config.yaml file validation started
2026-01-12 09:40:49.027 | info | security-config-validator | security-config.yaml file validation started
2026-01-12 09:40:49.029 | info | replacement-config-validator | replacements-config.yaml file validation started
2026-01-12 09:40:49.035 | warn | config-validator | Config file validation failed !!!
2026-01-12 09:40:49.036 | warn | config-validator | AccessDeniedException: You don't have permissions to access this resource. in accounts-config.yaml config file
error Command failed with exit code 1.
Expected behavior
The same output as when the pipeline's prepare stage validates the config:
Validating configuration...
yarn run v1.22.22
$ ts-node ./packages/@aws-accelerator/accelerator/lib/config-validator.ts /codebuild/output/src2011/src/s3/01
2026-01-13 09:11:46.438 | info | config-validator | homeRegion set to
2026-01-13 09:11:46.440 | info | config-validator | Found replacement variables in network-config.yaml
2026-01-13 09:11:46.440 | info | config-validator | Config source directory - /codebuild/output/src2011/src/s3/01
2026-01-13 09:11:46.531 | info | utils-common-functions | set management account credentials
2026-01-13 09:11:46.532 | info | utils-common-functions | managementAccountId => ############
2026-01-13 09:11:46.532 | info | utils-common-functions | management account role name => AcceleratorPipelineDeploymentRole
2026-01-13 09:11:46.587 | info | utils-common-functions | management account role name => AWSAccelerator-Management-Deployment-Role
Please complete the following information about the solution:
- Version: v1.14.2
To get the version of the solution, you can look at the description of the created AWS CloudFormation stack used to install the LZA (AWSAccelerator-InstallerStack). For example, "(SO0199) Landing Zone Accelerator on AWS. Version 1.5.1.". If the description does not contain the version information, you can look at the Parameters of the stack for the RepositoryBranchName as that should contain the version number.
- Region: [e.g. us-east-1]
- Was the solution modified from the version published on this repository? No
- If the answer to the previous question was yes, are the changes available on GitHub?
- Have you checked your service quotas for the services this solution uses?
- Were there any errors in the CloudWatch Logs? Not that I could find