Need to perform AWS calls for account XXX, but no credentials have been configured but they are #20935

Closed
jedrekdomanski opened this issue Jun 30, 2022 · 27 comments
Assignees
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. guidance Question that needs advice or information. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@jedrekdomanski
Contributor

Describe the bug

I have aws CLI configured, I have ~/.aws/config

[jedrek]
region = eu-central-1

and ~/.aws/credentials

[jedrek]
aws_access_key_id = XXXXXXXX
aws_secret_access_key = XXXXXX

Configured my Stack for my account and region

const app = new cdk.App();
new Ec2NatInstanceStack(app, 'Ec2NatInstanceStack', {
  env: { region: 'eu-central-1', account: 'XXXXXXXXXXX' }
});

But cdk synth still raises an error Need to perform AWS calls for account XXX, but no credentials have been configured

import * as cdk from '@aws-cdk/core';
import { Construct } from 'constructs';
import * as ec2 from '@aws-cdk/aws-ec2';

export class Ec2NatInstanceStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    //===========================================================
    // NAT Instance
    //===========================================================
    const natGatewayProvider = ec2.NatProvider.instance({
      instanceType: new ec2.InstanceType('t3.small'),
    });

    //===========================================================
    // VPC
    //===========================================================
    const vpc = new ec2.Vpc(this, 'MyVpc', {
      natGatewayProvider,
      natGateways: 1,
    });
  }
}

Expected Behavior

cdk-synth works fine

Current Behavior

Need to perform AWS calls for account XXX, but no credentials have been configured

Reproduction Steps

Create Stack as above and try to cdk synth

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.29.1 (build c42e961)

Framework Version

No response

Node.js Version

v18.4.0

OS

MacOS 12.3.1

Language

Typescript

Language Version

No response

Other information

No response

@jedrekdomanski jedrekdomanski added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 30, 2022
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jun 30, 2022
@corymhall
Contributor

@jedrekdomanski can you provide the verbose logs from running cdk synth --verbose?

@corymhall corymhall added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 30, 2022
@jedrekdomanski
Contributor Author

> @jedrekdomanski can you provide the verbose logs from running cdk synth --verbose?

Oh, it looks related to the bug I reported earlier #20875 because in verbose logs I can see the same message:

Unable to determine the default AWS account: TypeError: Cannot redefine property: my-other-aws-profile

It looks like aws-cdk doesn't like multiple AWS profiles.

@jedrekdomanski
Contributor Author

I have multiple AWS profiles

[default]
aws_access_key_id =XXXXXX
aws_secret_access_key = XXXXXX

[my-other-profile]
aws_access_key_id =XXXXXX
aws_secret_access_key = XXXXXX

[yet-another-profile]
aws_access_key_id =XXXXXX
aws_secret_access_key = XXXXXX

[jedrek]
aws_access_key_id =XXXXXX
aws_secret_access_key = XXXXXX

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 30, 2022
@corymhall
Contributor

@jedrekdomanski do you have multiple profiles that share the same name? For example

[profile my-other-profile]

[my-other-profile]

@jedrekdomanski
Contributor Author

> @jedrekdomanski do you have multiple profiles that share the same name? For example
>
> [profile my-other-profile]
>
> [my-other-profile]

Yes, I do. In ~/.aws/config

[profile my-other-profile]

[my-other-profile]

In ~/.aws/credentials

[my-other-profile]

@corymhall
Contributor

Can you remove the entry that does not contain profile (i.e. [my-other-profile])? It looks like the behavior of the SDK is to automatically strip the "profile" from the name so you end up with duplicates.

@peterwoodworth
Contributor

Coming from the other thread, I've reached the same conclusion as cory. Let us know if this works!

@peterwoodworth peterwoodworth added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 1, 2022
@ishanjain28

I have this same problem. I have configured all the correct credentials in ~/.aws/credentials. There is no ~/.aws/config and ~/.aws/credentials only contains profiles with unique names.

It's just failing with, Need to perform AWS calls for account <x>, but no credentials have been configured

@corymhall
Copy link
Contributor

@ishanjain28 can you provide the verbose output? cdk deploy -v (or whatever command you are running)?

@ishanjain28

emerald :: hobby/serverless » npx cdk deploy --all  --verbose
CDK toolkit version: 2.4.0 (build 993f14d)
Command line arguments: {
  _: [ 'deploy' ],
  all: true,
  verbose: 1,
  v: 1,
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  'build-exclude': [],
  E: [],
  buildExclude: [],
  ci: false,
  execute: true,
  force: false,
  f: false,
  parameters: [ {} ],
  'previous-parameters': true,
  previousParameters: true,
  '$0': '/home/ishan/hobby/serverless/node_modules/.bin/cdk'
}
cdk.json: {
  "app": "npx ts-node -P tsconfig.json --prefer-ts-exts bin/main.ts",
  "output": "cdk.out",
  "build": "cd src/constructs/lambda/accepter-account-updater && env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o handler && zip handler.zip handler && cd ../../../../",
  "watch": {
    "include": [
      "src/**/*.ts",
      "test/**/*.ts"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules"
    ]
  },
  "//": "~~ Generated by projen. To modify, edit .projenrc.js and run \"npx projen\"."
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node -P tsconfig.json --prefer-ts-exts bin/main.ts',
  build: 'cd src/constructs/lambda/accepter-account-updater && env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o handler && zip handler.zip handler && cd ../../../../',
  watch: {
    include: [ 'src/**/*.ts', 'test/**/*.ts' ],
    exclude: [
      'README.md',
      'cdk*.json',
      '**/*.d.ts',
      '**/*.js',
      'tsconfig.json',
      'package*.json',
      'yarn.lock',
      'node_modules'
    ]
  },
  '//': '~~ Generated by projen. To modify, edit .projenrc.js and run "npx projen".',
  context: {},
  debug: false,
  assetMetadata: true,
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [ '*' ],
  lookups: true
}
Determining if we're on an EC2 instance.
Does not look like an EC2 instance.
Unable to determine AWS region from environment or AWS configuration (profile: "default"), defaulting to 'us-east-1'
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile default not found
    at ProcessCredentials.load (/home/ishan/hobby/serverless/node_modules/aws-sdk/lib/credentials/process_credentials.js:80:11)
    at ProcessCredentials.coalesceRefresh (/home/ishan/hobby/serverless/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/home/ishan/hobby/serverless/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/home/ishan/hobby/serverless/node_modules/aws-sdk/lib/credentials.js:122:12)
    at resolveNext (/home/ishan/hobby/serverless/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:125:17)
    at /home/ishan/hobby/serverless/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:126:13
    at /home/ishan/hobby/serverless/node_modules/aws-sdk/lib/credentials.js:124:23
    at /home/ishan/hobby/serverless/node_modules/aws-sdk/lib/credentials.js:212:15
    at processTicksAndRejections (node:internal/process/task_queues:78:11) {
  code: 'ProcessCredentialsProviderFailure',
  time: 2022-07-02T03:33:43.408Z
}
context: {
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_CONTEXT_JSON: '{"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '15.0.0',
  CDK_CLI_VERSION: '2.4.0'
}
Some context information is missing. Fetching...
Setting "vpc-provider:account=599195156563:filter.vpc-id=vpc-9a55e7e3:region=eu-west-1:returnAsymmetricSubnets=true" context to {"$providerError":"Need to perform AWS calls for account 599195156563, but no credentials have been configured","$dontSaveContext":true}
Reading AZs for 707747165294:eu-west-1
Setting "availability-zones:account=707747165294:region=eu-west-1" context to {"$providerError":"Need to perform AWS calls for account 707747165294, but no credentials have been configured","$dontSaveContext":true}
Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
context: {
  'vpc-provider:account=599195156563:filter.vpc-id=vpc-9a55e7e3:region=eu-west-1:returnAsymmetricSubnets=true': {
    '$providerError': 'Need to perform AWS calls for account 599195156563, but no credentials have been configured',
    '$dontSaveContext': true
  },
  'availability-zones:account=707747165294:region=eu-west-1': {
    '$providerError': 'Need to perform AWS calls for account 707747165294, but no credentials have been configured',
    '$dontSaveContext': true
  },
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
Not making progress trying to resolve environmental context. Giving up.
[Error at /redis-peering-stack-dev] Need to perform AWS calls for account 599195156563, but no credentials have been configured
  Annotations.addMessage (/home/ishan/hobby/serverless/node_modules/aws-cdk-lib/core/lib/annotations.ts:64:25)
  Annotations.addError (/home/ishan/hobby/serverless/node_modules/aws-cdk-lib/core/lib/annotations.ts:36:10)
  Function.getValue (/home/ishan/hobby/serverless/node_modules/aws-cdk-lib/core/lib/context-provider.ts:83:31)
  Function.fromLookup (/home/ishan/hobby/serverless/node_modules/aws-cdk-lib/aws-ec2/lib/vpc.ts:654:66)
  new RedisPeeringStack (/home/ishan/hobby/serverless/src/redis-peering-stack.ts:30:21)
  Object.<anonymous> (/home/ishan/hobby/serverless/bin/main.ts:73:32)
  Module._compile (node:internal/modules/cjs/loader:1105:14)
  Module.m._compile (/home/ishan/hobby/serverless/node_modules/ts-node/src/index.ts:1597:23)
  Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
  Object.require.extensions.<computed> [as .ts] (/home/ishan/hobby/serverless/node_modules/ts-node/src/index.ts:1600:12)
  Module.load (node:internal/modules/cjs/loader:981:32)
  Function.Module._load (node:internal/modules/cjs/loader:822:12)
  Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
  phase4 (/home/ishan/hobby/serverless/node_modules/ts-node/src/bin.ts:579:12)
  bootstrap (/home/ishan/hobby/serverless/node_modules/ts-node/src/bin.ts:85:10)
  main (/home/ishan/hobby/serverless/node_modules/ts-node/src/bin.ts:54:10)
  Object.<anonymous> (/home/ishan/hobby/serverless/node_modules/ts-node/src/bin.ts:729:3)
  Module._compile (node:internal/modules/cjs/loader:1105:14)
  Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
  Module.load (node:internal/modules/cjs/loader:981:32)
  Function.Module._load (node:internal/modules/cjs/loader:822:12)
  Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
  node:internal/main/run_main_module:17:47
[Error at /server-api-infra] Need to perform AWS calls for account 707747165294, but no credentials have been configured
  Annotations.addMessage (/home/ishan/hobby/serverless/node_modules/aws-cdk-lib/core/lib/annotations.ts:64:25)
  Annotations.addError (/home/ishan/hobby/serverless/node_modules/aws-cdk-lib/core/lib/annotations.ts:36:10)
  Function.getValue (/home/ishan/hobby/serverless/node_modules/aws-cdk-lib/core/lib/context-provider.ts:83:31)
  ApiInfraStack.get availabilityZones [as availabilityZones] (/home/ishan/hobby/serverless/node_modules/aws-cdk-lib/core/lib/stack.ts:336:35)
  new Vpc (/home/ishan/hobby/serverless/node_modules/aws-cdk-lib/aws-ec2/lib/vpc.ts:779:36)
  new ApiInfraStack (/home/ishan/hobby/serverless/src/server-api-infra-stack.ts:184:17)
  Object.<anonymous> (/home/ishan/hobby/serverless/bin/main.ts:85:20)
  Module._compile (node:internal/modules/cjs/loader:1105:14)
  Module.m._compile (/home/ishan/hobby/serverless/node_modules/ts-node/src/index.ts:1597:23)
  Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
  Object.require.extensions.<computed> [as .ts] (/home/ishan/hobby/serverless/node_modules/ts-node/src/index.ts:1600:12)
  Module.load (node:internal/modules/cjs/loader:981:32)
  Function.Module._load (node:internal/modules/cjs/loader:822:12)
  Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
  phase4 (/home/ishan/hobby/serverless/node_modules/ts-node/src/bin.ts:579:12)
  bootstrap (/home/ishan/hobby/serverless/node_modules/ts-node/src/bin.ts:85:10)
  main (/home/ishan/hobby/serverless/node_modules/ts-node/src/bin.ts:54:10)
  Object.<anonymous> (/home/ishan/hobby/serverless/node_modules/ts-node/src/bin.ts:729:3)
  Module._compile (node:internal/modules/cjs/loader:1105:14)
  Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
  Module.load (node:internal/modules/cjs/loader:981:32)
  Function.Module._load (node:internal/modules/cjs/loader:822:12)
  Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:77:12)
  node:internal/main/run_main_module:17:47
Found errors
Error: Found errors
    at StackCollection.processMetadataMessages (/home/ishan/hobby/serverless/node_modules/aws-cdk/lib/api/cxapp/cloud-assembly.ts:270:13)
    at CdkToolkit.validateStacks (/home/ishan/hobby/serverless/node_modules/aws-cdk/lib/cdk-toolkit.ts:549:12)
    at CdkToolkit.selectStacksForDeploy (/home/ishan/hobby/serverless/node_modules/aws-cdk/lib/cdk-toolkit.ts:509:10)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at CdkToolkit.deploy (/home/ishan/hobby/serverless/node_modules/aws-cdk/lib/cdk-toolkit.ts:121:20)
    at initCommandLine (/home/ishan/hobby/serverless/node_modules/aws-cdk/bin/cdk.ts:267:9)

@ishanjain28

I also just upgraded CDK Cli to 2.30.0 and I can still replicate this issue.

@corymhall
Contributor

@ishanjain28 do you have a default profile? That is what it is attempting to use since you are not passing the --profile option. You mention that your ~/.aws/credentials only contain profiles with unique names, can you try running passing one of those to the --profile option?

@corymhall corymhall added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 5, 2022
@ishanjain28

@corymhall There is no default profile in ~/.aws/credentials.

I can run, npx cdk synth --profile=dev --all. This operation will successfully synthesize dev stacks but it fails to synthesize stacks for other accounts. (Stack uses Vpc.fromLookup amongst other things and does a look up which needs working credentials)

@corymhall
Contributor

@ishanjain28 the CDK CLI does not have the capability to automatically pick the correct profile for the configured stack environment. The CLI needs some set of credentials to start with, and if you do not provide the --profile then it will assume that you are using the default profile.

If you have bootstrapped your accounts then there will be a set of IAM roles that have been created in those accounts. When you run a CDK command, the CLI will use your configured credentials to assume the bootstrapped roles in each account.

So for example if you run npx cdk synth --profile=dev --all it will use the credentials from your dev profile and will first assume a specific role in the target account.

@ishanjain28

hey @corymhall thanks for the detailed response! I had a fundamental misunderstanding of how this worked and made incorrect assumptions.
Part of this stack is deployed to a cicd account which is trusted by other accounts so to fix this problem, I can use the cicd account credentials and deploy the stacks in target accounts.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 5, 2022
@corymhall corymhall added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. guidance Question that needs advice or information. and removed bug This issue is a bug. needs-reproduction This issue needs reproduction. labels Jul 7, 2022
@github-actions

github-actions bot commented Jul 7, 2022

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jul 7, 2022
@vramirez

vramirez commented Oct 5, 2022

having same error here, even though I'm using --profile

I have multiple accounts configured. All of them as [profile profile-name]


[16:22:04] CDK toolkit version: 2.44.0 (build bf32cb1)
[16:22:04] Command line arguments: {
  _: [ 'diff' ],
  profile: 'ci-dev',
  verbose: 1,
  v: 1,
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  ci: false,
  'context-lines': 3,
  contextLines: 3,
  strict: false,
  'security-only': false,
  securityOnly: false,
  processed: false,
  '$0': 'cdk'
}
[16:22:04] cdk.json: {
  "app": "npx ts-node bin/cdk.ts",
  "context": {}
}
[16:22:04] merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node bin/cdk.ts',
  context: {},
  debug: false,
  assetMetadata: true,
  profile: 'ci-dev',
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [ '*' ],
  lookups: true
}
[16:22:04] Toolkit stack: CDKToolkit
[16:22:04] Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
[16:22:04] Resolving default credentials
[16:22:04] Reading cached notices from /Users/victor.ramirez/.cdk/cache/notices.json
[16:22:04] Retrieved account ID G00D4CC0UN71D from disk cache
[16:22:04] Setting "CDK_DEFAULT_ACCOUNT" environment variable to G00D4CC0UN71D
[16:22:04] context: {
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
[16:22:04] outdir: cdk.out
[16:22:04] env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_DEFAULT_ACCOUNT: 'G00D4CC0UN71D',
  CDK_CONTEXT_JSON: '{"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '21.0.0',
  CDK_CLI_VERSION: '2.44.0'
}
No environment passed in, Defaulting to platform-development
Default repositoryName is liquibase-service-repository. Are you sure you want to override?
Stack LiquibaseEcrRepo
[16:22:07] Retrieved account ID G00D4CC0UN71D from disk cache
[16:22:07] Assuming role 'arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-lookup-role-WR0NG4CC0UN71D-us-east-1'.
[16:22:07] Assuming role failed: User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-lookup-role-WR0NG4CC0UN71D-us-east-1
[16:22:07] Error: Could not assume role in target account using current credentials (which are for account G00D4CC0UN71D) User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-lookup-role-WR0NG4CC0UN71D-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
    at _SDK.forceCredentialRetrieval (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk.ts:261:13)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at SdkProvider.forEnvironment (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:199:7)
    at prepareSdkWithLookupRoleFor (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:74:22)
    at CloudFormationDeployments.prepareSdkWithLookupOrDeployRole (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:462:22)
    at CloudFormationDeployments.readCurrentTemplateWithNestedStacks (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:346:18)
    at CdkToolkit.diff (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:119:33)
    at initCommandLine (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/cli.ts:357:12)
Could not assume arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-lookup-role-WR0NG4CC0UN71D-us-east-1, proceeding anyway.
(To get rid of this warning, please upgrade to bootstrap version >= 8)
[16:22:07] Retrieved account ID G00D4CC0UN71D from disk cache
[16:22:07] Assuming role 'arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-deploy-role-WR0NG4CC0UN71D-us-east-1'.
[16:22:07] Assuming role failed: User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-deploy-role-WR0NG4CC0UN71D-us-east-1
[16:22:07] Reading cached notices from /Users/victor.ramirez/.cdk/cache/notices.json

Could not assume role in target account using current credentials (which are for account G00D4CC0UN71D) User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-deploy-role-WR0NG4CC0UN71D-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
[16:22:07] Error: Could not assume role in target account using current credentials (which are for account G00D4CC0UN71D) User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-deploy-role-WR0NG4CC0UN71D-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
    at _SDK.forceCredentialRetrieval (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk.ts:261:13)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at SdkProvider.forEnvironment (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:199:7)
    at CloudFormationDeployments.prepareSdkFor (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:502:22)
    at CloudFormationDeployments.readCurrentTemplateWithNestedStacks (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:346:18)
    at CdkToolkit.diff (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:119:33)
    at initCommandLine (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/cli.ts:357:12)
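The failure messages quoted in this thread, turned into a small triage over cdk --verbose output (an added example, not part of the thread or of the CDK code base). It separates the three causes discussed here: duplicate profile names, a missing profile, and a denied sts:AssumeRole on a bootstrap role. Log lines and account IDs are constructed; `triage`, `RULES` and the cause labels are hypothetical names.

```javascript
// Added example, not CDK code. Patterns follow the messages quoted in this
// thread; the sample log lines and account IDs are constructed.
const RULES = [
  { cause: 'duplicate-profile-name',
    re: /Cannot redefine property: (\S+)/,
    fields: (m) => ({ profile: m[1] }) },
  { cause: 'profile-not-found',
    re: /Profile (\S+) not found/,
    fields: (m) => ({ profile: m[1] }) },
  { cause: 'assume-role-denied',
    re: /Assuming role failed: User: arn:aws:sts::(\w+):\S+ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::(\w+):role\/(\S+)/,
    fields: (m) => ({
      credentialsAccount: m[1],
      targetAccount: m[2],
      role: m[3],
      crossAccount: m[1] !== m[2], // credentials belong to a different account
    }) },
  { cause: 'no-credentials-for-account',
    re: /Need to perform AWS calls for account (\w+), but no credentials have been configured/,
    fields: (m) => ({ targetAccount: m[1] }) },
];

// Returns de-duplicated findings in order of first appearance.
function triage(logText) {
  const seen = new Set();
  const findings = [];
  for (const line of logText.split(/\r?\n/)) {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (!m) continue;
      const finding = { cause: rule.cause, ...rule.fields(m) };
      const key = JSON.stringify(finding);
      if (!seen.has(key)) {
        seen.add(key);
        findings.push(finding);
      }
    }
  }
  // "no credentials have been configured" is the symptom; if credential
  // resolution itself failed in the same log, point at that failure.
  const resolution = findings.find(
    (f) => f.cause === 'duplicate-profile-name' || f.cause === 'profile-not-found');
  return findings.map((f) => (f.cause === 'no-credentials-for-account'
    ? { ...f, explainedBy: resolution ? resolution.cause : null }
    : f));
}

// Constructed lines in the format of the verbose output shown in the thread
// (taken from three separate hypothetical runs).
const SAMPLE_LOG = [
  'Resolving default credentials',
  'Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile default not found',
  'Some context information is missing. Fetching...',
  '[Error at /example-stack] Need to perform AWS calls for account 111111111111, but no credentials have been configured',
  '[Error at /example-stack] Need to perform AWS calls for account 111111111111, but no credentials have been configured',
  '[16:22:07] Assuming role failed: User: arn:aws:sts::111111111111:assumed-role/ExampleRole/example.user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/cdk-hnb659fds-lookup-role-222222222222-us-east-1',
  'Unable to determine the default AWS account: TypeError: Cannot redefine property: my-other-aws-profile',
].join('\n');

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

A finding with crossAccount set to true means the credentials in use are for one account while the bootstrap role lives in another, so the role's trust policy has to allow the credentials' account.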

@abjoerne

abjoerne commented Feb 7, 2023

If the credentials-file and config-file do not align (for example you have default credentials but no default-section in config), it looks like I get the same error as you @vramirez

@berzi

berzi commented Jun 30, 2023

Why is this closed if it's not resolved?

I have the same problem even when using the --profile option. Adding a [default] section to the credentials file does not help.

CDK shouldn't require a specific layout of AWS configuration files, and ideally it should behave the same as AWS CLI when a profile is not explicitly given (i.e. reading the AWS_PROFILE environment variable if set, instead of defaulting to default).

@Fyb3roptik

Same issue here. THIS SHOULD NOT BE CLOSED!!! Please have the CDK use AWS_PROFILE like AWS CLI does

@Adaendra

Same issue here

@berzi

berzi commented Aug 14, 2023

Mentioning @corymhall as it seems this won't be seen otherwise. Please see the three comments above.

@qianyangcassie

I have the same issue. But I solved this by myself.
The root cause is I have a [profile default] profile in ~/.aws/config. The name conflicts with the cdk inner property, which leads to the following:

[16:45:03] Unable to determine the default AWS account (undefined): Cannot redefine property: default

The solution is to rename [profile default] into [profile dev]. Hope this can help!
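A check for the profile-name collisions described in corymhall's and qianyangcassie's comments above, as an added example that is not part of the thread or of the CDK/SDK code. It strips the "profile " prefix from section headers and reports duplicates, a [profile default] header, and credentials-only profiles (the mismatch abjoerne reports). File contents are constructed; `auditProfiles` and the finding kinds are hypothetical names.

```javascript
// Added example, not AWS SDK or CDK code. File contents below are constructed.

// Collect section headers. `name` is the header with a leading "profile "
// keyword stripped, the normalization the thread attributes to the SDK.
function parseSections(text) {
  const sections = [];
  text.split(/\r?\n/).forEach((rawLine, idx) => {
    const m = /^\[\s*([^\]]+?)\s*\]$/.exec(rawLine.trim());
    if (!m) return; // key/value lines, comments and blank lines
    const raw = m[1];
    sections.push({ raw, name: raw.replace(/^profile\s+/, ''), line: idx + 1 });
  });
  return sections;
}

// Audit the text of ~/.aws/config and ~/.aws/credentials (passed as strings).
function auditProfiles(configText, credentialsText) {
  const findings = [];
  const config = parseSections(configText);
  const creds = parseSections(credentialsText);

  // 1. Names that collide inside one file once the prefix is stripped,
  //    e.g. [profile my-other-profile] next to [my-other-profile].
  for (const [file, sections] of [['config', config], ['credentials', creds]]) {
    const byName = new Map();
    for (const s of sections) {
      byName.set(s.name, [...(byName.get(s.name) || []), s]);
    }
    for (const [name, hits] of byName) {
      if (hits.length > 1) {
        findings.push({ kind: 'duplicate', file, profile: name,
          lines: hits.map((h) => h.line) });
      }
    }
  }

  // 2. [profile default] in config, the header one commenter had to rename.
  for (const s of config) {
    if (s.raw !== s.name && s.name === 'default') {
      findings.push({ kind: 'prefixed-default', file: 'config',
        profile: 'default', lines: [s.line] });
    }
  }

  // 3. Profiles with credentials but no section in config (informational).
  const configNames = new Set(config.map((s) => s.name));
  for (const s of creds) {
    if (!configNames.has(s.name)) {
      findings.push({ kind: 'missing-in-config', file: 'credentials',
        profile: s.name, lines: [s.line] });
    }
  }
  return findings;
}

// Constructed sample mirroring the layout described in the thread.
const SAMPLE_CONFIG = [
  '[default]',
  'region = eu-central-1',
  '',
  '[profile my-other-profile]',
  'region = eu-west-1',
  '',
  '[my-other-profile]',
  'region = eu-west-1',
  '',
  '[profile jedrek]',
  'region = eu-central-1',
].join('\n');

const SAMPLE_CREDENTIALS = [
  '[default]', 'aws_access_key_id = EXAMPLE', 'aws_secret_access_key = EXAMPLE',
  '[my-other-profile]', 'aws_access_key_id = EXAMPLE', 'aws_secret_access_key = EXAMPLE',
  '[yet-another-profile]', 'aws_access_key_id = EXAMPLE', 'aws_secret_access_key = EXAMPLE',
  '[jedrek]', 'aws_access_key_id = EXAMPLE', 'aws_secret_access_key = EXAMPLE',
].join('\n');

console.log(JSON.stringify(auditProfiles(SAMPLE_CONFIG, SAMPLE_CREDENTIALS), null, 2));
```

To audit real files, pass their contents as the two string arguments; the functions only read section headers and never touch the key values.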

@bissli82

bissli82 commented Oct 1, 2023

@qianyangcassie Thanks!! this solved it for me... crazy, I can't believe I spent time on this nonsense bug

@awbacker

awbacker commented Jun 14, 2024

FWIW, setting this also allows cdk synth to work, but not deploy, while keeping the default profile name:

export NODE_TLS_REJECT_UNAUTHORIZED=0

Something ugly is happening under the hood.

@jcode-hub

@awbacker thanks! you are legend 👍

@bhargav2550

Can anyone help me with the same? It is working in the local CLI, but I am getting this error in GitHub Actions.
