diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
index 20a61ed47ec77..4280ad430bc56 100644
--- a/CHANGELOG.v2.alpha.md
+++ b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,8 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+## [2.173.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.173.0-alpha.0...v2.173.1-alpha.0) (2024-12-14)
+
 ## [2.173.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.172.0-alpha.0...v2.173.0-alpha.0) (2024-12-11)
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
index 0fab8ff3b811a..c188a43ac5618 100644
--- a/CHANGELOG.v2.md
+++ b/CHANGELOG.v2.md
@@ -2,6 +2,13 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+## [2.173.1](https://github.com/aws/aws-cdk/compare/v2.173.0...v2.173.1) (2024-12-14)
+
+
+### Bug Fixes
+
+* **cli:** getting credentials via SSO fails when the region is set in the profile ([#32520](https://github.com/aws/aws-cdk/issues/32520)) ([01fec04](https://github.com/aws/aws-cdk/commit/01fec04ea8c0e33a406e6727801f8bc133a21196))
+
 ## [2.173.0](https://github.com/aws/aws-cdk/compare/v2.172.0...v2.173.0) (2024-12-11)
diff --git a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
index 319e75e3bdb79..3c1fec2604abd 100644
--- a/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts
@@ -34,6 +34,19 @@ export class AwsCliCompatible {
 requestHandler: AwsCliCompatible.requestHandlerBuilder(options.httpOptions),
 customUserAgent: 'aws-cdk',
 logger: options.logger,
+ };
+
+ // Super hacky solution to https://github.com/aws/aws-cdk/issues/32510, proposed by the SDK team.
+ //
+ // Summary of the problem: we were reading the region from the config file and passing it to
+ // the credential providers. However, in the case of SSO, this makes the credential provider
+ // use that region to do the SSO flow, which is incorrect. The region that should be used for
+ // that is the one set in the sso_session section of the config file.
+ //
+ // The idea here: the "clientConfig" is for configuring the inner auth client directly,
+ // and has the highest priority, whereas "parentClientConfig" is the upper data client
+ // and has lower priority than the sso_region but still higher priority than STS global region.
+ const parentClientConfig = {
 region: await this.region(options.profile),
 };
 /**
@@ -51,6 +64,7 @@ export class AwsCliCompatible {
 ignoreCache: true,
 mfaCodeProvider: tokenCodeFn,
 clientConfig,
+ parentClientConfig,
 logger: options.logger,
 }));
 }
@@ -83,6 +97,7 @@ export class AwsCliCompatible {
 const nodeProviderChain = fromNodeProviderChain({
 profile: envProfile,
 clientConfig,
+ parentClientConfig,
 logger: options.logger,
 mfaCodeProvider: tokenCodeFn,
 ignoreCache: true,
diff --git a/version.v2.json b/version.v2.json
index 4e5d312a6668b..31d52cf7acfd4 100644
--- a/version.v2.json
+++ b/version.v2.json
@@ -1,4 +1,4 @@
 {
- "version": "2.173.0",
- "alphaVersion": "2.173.0-alpha.0"
+ "version": "2.173.1",
+ "alphaVersion": "2.173.1-alpha.0"
 }
\ No newline at end of file
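Review bot: Nothing in this diff pins the precedence that the new comment in the first awscli-compatible.ts hunk depends on, namely that `parentClientConfig.region` ranks below `sso_region` but above the STS global default, so a later SDK upgrade could change which region the SSO or STS credential exchange uses without any failure here. No test file appears in the commit; a regression test for a profile that sets both `region` and an `sso_session` region would cover it. The comment should also state what a maintainer must not undo, for example `// Keep "region" out of clientConfig: there it overrides sso_region during the SSO flow.`. The two later hunks only pass `parentClientConfig` through to the provider calls, and the enclosing method starts and ends outside all three hunks.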