aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

cdk <command> --profile <named profile> tries default regardless #5053

Open dxunix opened 4 years ago

dxunix commented 4 years ago

cdk commands do not pick up the named profile from .aws/credential and ./aws/config. The profile is configured through aws configure and in the format as specified in the AWS doc (two files, [<profile name>] in the credential file and [profile <profile name>] in the config file).

Reproduction Steps

Create the profile, specify account number and region in the stack env. Run cdk synth or cdk deploy with --profile <profile name>.

Error Log

[Error at /test-stack] Need to perform AWS calls for account ************, but no credentials found. Tried: default credentials.
Found errors

Environment

Other

Also tried to remove the [default] blocks in the .aws/ files, still same error.


This is :bug: Bug Report

dxunix commented 4 years ago

This problem seems to be triggered when I try to import an existing resource of the account into the stack, such as when I make an ec2.Vpc.from_lookup(...) call.

dxunix commented 4 years ago

Any updates @SomayaB and @shivlaks ? Thanks!

shivlaks commented 4 years ago

@dxunix have you taken a look at #1656

dxunix commented 4 years ago

@shivlaks Yes I did. My case is ok to deploy with profile. So that works. But the problem is I am using methods such as ec2.Vpc.from_lookup(), so cdk will need to login to aws to get the existing resource info. That's where the problem came up.

I didn't try the plug-in. Thought the CDK should work natively with the profile....

shivlaks commented 4 years ago

@dxunix I see what you mean. I'll have to give that a repro, but please let me know if the plugin works for you.

dxunix commented 4 years ago

@shivlaks: Ok. I have a feeling this is something to do with vpc only.

Without specifying the account id, it works in other from*** methods for other resources. vpc needs account id, thus I got the error.

jsii.errors.JSIIError: Cannot retrieve value from context provider vpc-provider since account/region are not specified at the stack level. Either configure "env" with explicit account and region when you define your stack, or use the environment variables "CDK_DEFAULT_ACCOUNT" and "CDK_DEFAULT_REGION" to inherit environment information from the CLI (not recommended for production stacks)
Subprocess exited with error 1

add account to env

$ cdk synth --profile sbx
vpc is vpc-12345
vpc is vpc-12345
[Error at /ecs-test-stack] Need to perform AWS calls for account ************, but no credentials found. Tried: default credentials.

Also worth noting: we are using SAML to get the keys, therefore there is a token as well. I don't know if this is the reason it is off.

shivlaks commented 4 years ago

@dxunix does running the command with --verbose provide any additional information? Thanks for mentioning SAML, it might be a detail of significance but I'm not sure at this point.

dxunix commented 4 years ago

@shivlaks , see the verbose output. The credential is fed in from the env variables including TOKEN.

cdk synth --verbose
CDK toolkit version: 1.17.1 (build fa4cb1f)
Command line arguments: {
  _: [ 'synth' ],
  verbose: true,
  v: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  '$0': '/usr/local/bin/cdk'
}
Determining whether we're on an EC2 instance.
Does not look like EC2 instance.
cdk.json: {
  "app": "python3 app.py"
}
cdk.context.json: {
  "@aws-cdk/core:enableStackNameDuplicates": "true"
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'python3 app.py',
  context: {},
  tags: [],
  assetMetadata: true,
  toolkitBucket: {},
  staging: true
}
Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Looking up default account ID from STS
Default account ID: ------------6
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ------------6
context: {
  '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_DEFAULT_ACCOUNT: '------------6',
  CDK_CONTEXT_JSON: '{"@aws-cdk/core:enableStackNameDuplicates":"true","aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.17.1'
}
vpc is vpc-12345
Some context information is missing. Fetching...
Setting "vpc-provider:account=------------:filter.vpc-id=vpc-0000000000000000:region=us-east-1:returnAsymmetricSubnets=true" context to {"$providerError":"Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.","$dontSaveContext":true}
Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ------------6
context: {
  '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'vpc-provider:account=------------:filter.vpc-id=vpc-0000000000000000:region=us-east-1:returnAsymmetricSubnets=true': {
    '$providerError': 'Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.',
    '$dontSaveContext': true
  },
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_DEFAULT_ACCOUNT: '------------6',
  CDK_CONTEXT_JSON: '{"@aws-cdk/core:enableStackNameDuplicates":"true","vpc-provider:account=------------:filter.vpc-id=vpc-0000000000000000:region=us-east-1:returnAsymmetricSubnets=true":{"$providerError":"Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.","$dontSaveContext":true},"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.17.1'
}
vpc is vpc-12345
Not making progress trying to resolve environmental context. Giving up.
[Error at /ecs-test-stack] Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.
  ConstructNode.addError (/private/var/folders/zc/h552c9kn7_jg_2k6xz15r_v40000gp/T/jsii-kernel-UcjXI5/node_modules/@aws-cdk/core/lib/construct.js:285:14)
  Function.getValue (/private/var/folders/zc/h552c9kn7_jg_2k6xz15r_v40000gp/T/jsii-kernel-UcjXI5/node_modules/@aws-cdk/core/lib/context-provider.js:50:28)
  Function.fromLookup (/private/var/folders/zc/h552c9kn7_jg_2k6xz15r_v40000gp/T/jsii-kernel-UcjXI5/node_modules/@aws-cdk/aws-ec2/lib/vpc.js:375:51)
  /Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7603:51
  Kernel._wrapSandboxCode (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8202:20)
  /Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7603:25
  Kernel._ensureSync (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8178:20)
  Kernel.sinvoke (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7602:26)
  KernelHost.processRequest (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7293:28)
  KernelHost.run (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7233:14)
  Immediate._onImmediate (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7236:37)
  processImmediate (internal/timers.js:439:21)
Found errors
Error: Found errors
    at AppStacks.processMetadata (/usr/local/lib/node_modules/aws-cdk/lib/api/cxapp/stacks.ts:316:13)
    at cliSynthesize (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:309:15)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at main (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:232:16)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:160:9)

dxunix commented 4 years ago

@shivlaks Is there a plan to fix bugs like these?

vzakharchenko commented 4 years ago

This solution works for me:

~/.aws/config

[profile testProfile]
region = us-east-1

~/.aws/credentials

[testProfile]
role_arn = arn:aws:iam::...
aws_access_key_id = *****
aws_secret_access_key = *********
source_profile=testProfile

command to deploy: cdk deploy --profile=testProfile

Environment

shivlaks commented 4 years ago

@dxunix yes, but i'm still a little unclear on the repro steps... what does your stack code look like (particularly environment setup and where you're attempting to use the fromLookup). I'm also curious what your cdk.context.json looks like. please redact information as needed.

tomassommar commented 4 years ago

@shivlaks I have the same issue. It seems that the source_profile in ~/.aws/config does not use the corresponding credentials in ~/.aws/credentials.

foscraig commented 4 years ago

@shivlaks I am also seeing this error. It is coming from the context. However, I've destroyed context continuously; i.e. used cdk context --clear, manually deleted cdk.context.json. I have followed the workaround suggested by @vzakharchenko above but to no avail. I see similar behavior pasted above by @dxunix. The CDK gets the proper credentials for my profile's account, but it fetches context for stuff in the default profile account and therefore finds VPC info that I'm not looking for. Where's it getting this if there's no local context?

ACCOUNT_A == default profile
ACCOUNT_B == new target profile

<snip/>
Does not look like EC2 instance.
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to us-west-2
Resolving default credentials
Retrieved account ID ACCOUNT_B from disk cache
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ACCOUNT_B
context: {
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-west-2',
  CDK_DEFAULT_ACCOUNT: 'ACCOUNT_B',
  CDK_CONTEXT_JSON: '{"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '5.0.0',
  CDK_CLI_VERSION: '1.51.0'
}

I expect the above.

I don't expect the below.

<snip/>
Some context information is missing. Fetching...
Reading AZs for ACCOUNT A:us-west-2
Setting "availability-zones:account=ACCOUNT_A:region=us-west-2" context to {"$providerError":"Need to perform AWS calls for account ACCOUNT_A, but the current credentials are for ACCOUNT_B.","$dontSaveContext":true}
Setting "vpc-provider:account=ACCOUNT_A:filter.tag:Name=infraStack/CodeBuild VPC:region=us-west-2:returnAsymmetricSubnets=true" context to {"$providerError":"Need to perform AWS calls for account ACCOUNT_A, but the current credentials are for ACCOUNT_B.","$dontSaveContext":true}
Setting "CDK_DEFAULT_REGION" environment variable to us-west-2
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ACCOUNT_B

Environment:

CDK_CLI_VERSION: '1.51.0'
Mac OS 10.14.6
Language: Java

aw-huit commented 4 years ago

Same or similar issue here with cdk 1.57.0. Running cdk synth --profile <profile name>.

  Error: Cannot retrieve value from context provider vpc-provider since account/region are not specified at the stack level. Either configure "env" with explicit account and region when you define your stack, or use the environment variables "CDK_DEFAULT_ACCOUNT" and "CDK_DEFAULT_REGION" to inherit environment information from the CLI (not recommended for production stacks)
      at Function.getValue (/private/var/folders/vk/ztyb56817vx3n12hzcjpfv1r0000gp/T/jsii-kernel-jLl9SS/node_modules/@aws-cdk/core/lib/context-provider.js:42:19)
      at Function.fromLookup (/private/var/folders/vk/ztyb56817vx3n12hzcjpfv1r0000gp/T/jsii-kernel-jLl9SS/node_modules/@aws-cdk/aws-ec2/lib/vpc.js:460:51)
      at /Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7768:51
      at Kernel._wrapSandboxCode (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8398:19)
      at /Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7768:25
      at Kernel._ensureSync (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8371:20)
      at Kernel.sinvoke (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7767:26)
      at KernelHost.processRequest (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7446:28)
      at KernelHost.run (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7384:14)
      at Immediate._onImmediate (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7387:37)
      at processImmediate (internal/timers.js:458:21)

What I did was follow the example provided by AWS: https://docs.aws.amazon.com/cdk/latest/guide/ecs_example.html. But since I want to use an existing VPC, I added this in my_ecs_construct_stack.py:

        vpc = ec2.Vpc.from_lookup(self, "VPC",
             vpc_id='vpc-xxxxxxxxx', is_default=False)

Maybe there is something else I need to do first?

Hard-coding the account number in the code, or setting environment variables, is not an acceptable solution for us since we have over 40 accounts to manage.

shivlaks commented 4 years ago

@foscraig @aw-huit have you tried using the cdk credential plugin? It might be useful in simplifying your cross-account usage.

can you give that a try and let me know how it goes?

aw-huit commented 4 years ago

Is the plugin what is officially supported to manage multiple accounts? What does --profile actually do then?

RichardScottOZ commented 3 years ago

This solution works for me:

~/.aws/config

[profile testProfile]
region = us-east-1

~/.aws/credentials

[testProfile]
role_arn = arn:aws:iam::...
aws_access_key_id = *****
aws_secret_access_key = *********
source_profile=testProfile

command to deploy: cdk deploy --profile=testProfile

Environment

  • CDK_CLI_ASM_VERSION: '1.16.0',
  • CDK_CLI_VERSION: '1.18.0'
  • OS : mac os
  • Language : java

Didn't when I tried it a couple of ways - Windows 10/ Python CDK Version: 1.86.0 (build a10cfcf)

seekayel commented 3 years ago

Similar problem for cdk deploy --profile named-profile. Perhaps related, perhaps red herring:

Fails with ~/.aws/config

[profile named-profile]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-2
sso_account_id = 123412341234
sso_role_name = AWSAdministratorAccess

Works with ~/.aws/config

[profile named-profile]
role_arn = arn:aws:iam::123412341234:role/role-assumable-by-named-profile-with-user
source_profile = profile-with-user

and ~/.aws/credentials

[profile-with-user]
aws_access_key_id = ADEADBEEFDEADBEEFABC
aws_secret_access_key = SuperSecretKeyThatIsNotRealAbcEfg

Not sure why it would succeed with one assumed role from user w/keys vs SSO assumed role.

polothy commented 3 years ago

We just switched to AWS SSO and ran into this same problem. Our profiles looked similar to what @seekayel posted (but no access keys). Then switched to AWS SSO and getting this same error everyone is reporting, EG:

Need to perform AWS calls for account 11111111, but no credentials have been configured

Maybe this is helpful (from cdk diff --verbose):

Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile MY_PROFILE did not include credential process
    at ProcessCredentials.load (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:102:11)
    at ProcessCredentials.coalesceRefresh (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:122:12)
    at resolveNext (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:125:17)
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:126:13
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:124:23
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:212:15
    at processTicksAndRejections (node:internal/process/task_queues:76:11) {
  code: 'ProcessCredentialsProviderFailure',

polothy commented 3 years ago

Sorry for the noise, looks like there is another issue tracking AWS SSO: https://github.com/aws/aws-cdk/issues/5455

erwinverdonk commented 2 years ago

What @tomassommar said is the correct cause of this issue: "It seems that the source_profile in ~/.aws/config does not use the corresponding credentials in ~/.aws/credentials."

The CDK CLI seems to search for both the config and credentials with the same name as the profile provided. When the credentials are under a different name than the config, but referenced with "source_profile", it does not work.

ann8ty commented 2 years ago

cdk bootstrap aws://ACCOUNT/REGION --profile PROFILENAME

Seems pretty straightforward that this should just work, but it doesn't.

failed bootstrapping: Error: Need to perform AWS calls for account 475466387505, but no credentials have been configured

I have three profiles configured in ~/.aws/config but no default (removed per debug steps). I deleted and then recreated empty ~/.aws/credential.

My credential is an AWS SSO type. I am SSO logged in and aws commands work with --profile.

cdk --version 2.11.0 (build f7148c5)

rafzei commented 2 years ago

Try with the --verbose flag to get the error. In my case, it was Unable to determine the default AWS account: InvalidClientTokenId: The security token included in the request is invalid. And it turned out that aws_secret_access_key contains the plus (+) sign that causes the issue.

RajasGujarathi commented 2 years ago

I am facing exactly the same issue. When passing --profile with cdk bootstrap

node --version v16.15.0
npm --version 8.10.0
cdk --version 2.28.1 (build d035432)

My command looks something like this: cdk bootstrap --termination-protection --profile=$AWS_PROFILE aws://<AWS_ACCOUNT>/<AWS_REGION>

praneetloke commented 1 year ago

Another case when the credential lookup fails. If you used upper-case for the access key id and secret key in your credentials file, CDK seems to fail. For example,

This doesn't work:

[some_profile]
AWS_ACCESS_KEY_ID=xxxxxxx
AWS_SECRET_ACCESS_KEY=xxxxxx

but this does:

[some_profile]
aws_access_key_id=xxxxxxx
aws_secret_access_key=xxxxxx

Note that the AWS CLI itself seems to be case-insensitive but CDK doesn't seem to be. That is, I am able to run aws sts get-caller-identity --profile some_profile without any issues regardless of which case the credentials file uses for the property names. I don't know if this is an issue with CDK or perhaps some other underlying lib that it depends on for credentials lookup.

zdev24 commented 1 year ago

Another case when the credential lookup fails. If you used upper-case for the access key id and secret key in your credentials file, CDK seems to fail. For example,

This doesn't work:

[some_profile]
AWS_ACCESS_KEY_ID=xxxxxxx
AWS_SECRET_ACCESS_KEY=xxxxxx

but this does:

[some_profile]
aws_access_key_id=xxxxxxx
aws_secret_access_key=xxxxxx

Note that the AWS CLI itself seems to be case-insensitive but CDK doesn't seem to be. That is, I am able to run aws sts get-caller-identity --profile some_profile without any issues regardless of which case the credentials file uses for the property names. I don't know if this is an issue with CDK or perhaps some other underlying lib that it depends on for credentials lookup.

Exactly, case sensitive problem. My code works after changing to lower case: "aws_access_key_id", etc... Thanks @praneetloke. We just use lower case, then cdk --profile works fine!!! Still alive!!!

johnalupton commented 1 year ago

Hi - I got this to work

~/.aws/credentials

[default]
aws_access_key_id = aaaaaaaaaaaaaaaaaaaa
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

[london]
aws_access_key_id = bbbbbbbbbbbbbbbbbbbb
aws_secret_access_key = bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

[paris]
aws_access_key_id = cccccccccccccccccccc
aws_secret_access_key = cccccccccccccccccccccccccccccccccccccccc

~/.aws/config

[default]
output = json
region = eu-west-3

[profile london]
region = eu-west-2

[profile paris]
region = eu-west-3

then

cdk bootstrap --profile london etc. work as you'd hope

jedrekdomanski commented 9 months ago

I have the same problem. I have configured my named profile but when I try to cdk deploy I get an error saying Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment

~/.aws/credentials

[jedrek]
AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxx
AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxx

~/.aws/config

[profile jedrek]
region = eu-central-1
output = json
cli_pager =

My app is configured to look for CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION.

new AiCaptionCraftStack(app, 'AiCaptionCraftStack', {
  env: {
    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: process.env.CDK_DEFAULT_REGION
  }
});

I can list files in my S3 bucket using my named profile

aws s3 ls --profile jedrek
2022-10-31 12:47:28 cdk-hnb659fds-assets-317905390022-eu-central-1
2022-10-31 13:03:11 cdk-hnb659fds-assets-317905390022-us-east-1
2023-01-22 15:36:33 elasticbeanstalk-eu-central-1-317905390022

Even without the flag --profile by export AWS_PROFILE=jedrek I can list my files in S3 bucket

aws s3 ls
2022-10-31 12:47:28 cdk-hnb659fds-assets-317905390022-eu-central-1
2022-10-31 13:03:11 cdk-hnb659fds-assets-317905390022-us-east-1
2023-01-22 15:36:33 elasticbeanstalk-eu-central-1-317905390022

I console logged the environment available for the process when I run cdk deploy and I don't see CDK_DEFAULT_ACCOUNT nor CDK_DEFAULT_REGION

console.log("environment variables " + JSON.stringify(process.env));

I have two other AWS accounts configured with SSO

~/.aws/credentials

[xxxxx_NonProdDeveloperAccess]
aws_access_key_id=xxxxxxxxx
aws_secret_access_key=xxxxxxxxx
aws_session_token=xxxxxxx

~/.aws/config

[profile Prod-dev]
sso_start_url = https://xxxxxx
sso_region = us-west-2
sso_account_id = xxxxxx
sso_role_name = ProductionDeveloperAccess
region = us-west-2
output = json
cli_pager=
[profile OtherNonprod-dev]
sso_start_url = https://xxxxx
sso_region = us-west-2
sso_account_id = xxxxxxxxxx
sso_role_name = NonProdDeveloperAccess
region = us-west-2
output = json
cli_pager=

I even tried setting the environment variable explicitly in my shell but no luck.

What am I missing? Why does CDK not pick up the right profile? What am I doing wrong?

KarthikChandy commented 8 months ago

I am not sure if this will solve your problem. However, I had the same issue when I tried adding an ec2.Vpc() construct. Eventually, what worked for me is the following.

  1. Initialise a temporary CDK project.
  2. Copy any missing sections under "context" from your new cdk.json file to your old project cdk.json file. Here old project refers to your CDK project that was failing.
  3. Run cdk synth again.

I suspect either I removed some "context" sections thinking they were not needed, or over a period of time new entries were added by CDK. Good luck.

pahud commented 4 months ago

Hi @dxunix is this bug still relevant?

github-actions[bot] commented 4 months ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

mabster314 commented 4 months ago

Hello, I can confirm this issue still exists. I notice it just got closed but it is definitely still an issue

scanlonp commented 4 months ago

We should not be adding response-requested labels to issues that have not had recent responses. It is somewhat unreasonable to expect a comment within a week to keep an issue open.

TheRealAmazonKendra commented 2 weeks ago

Looks like the big issue here is the casing of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. This is an issue that appears to continue to be the case in the SDK v3 so our in-progress upgrade will not immediately alleviate it. We'll either need to add custom logic to our credential provider chain or make it explicit in the documentation that these files are case sensitive and must be in lowercase.
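
As an added example (not code from the CDK project or from any commenter in this thread), the sketch below lints shared credentials/config text for two conditions raised above: key names that are not lowercase, and a source_profile that names no defined profile. The function names, rule names and sample file contents are constructed for illustration, and findings carry key names only, never key values.

```javascript
// Added example: function, rule and profile names are hypothetical; sample input is constructed.
const SAMPLE_CREDENTIALS = `
[some_profile]
AWS_ACCESS_KEY_ID=xxxxxxx
AWS_SECRET_ACCESS_KEY=xxxxxx

[profile-with-user]
aws_access_key_id = xxxxxxx
aws_secret_access_key = xxxxxx
`;
const SAMPLE_CONFIG = `
[profile some_profile]
region = us-east-1

[profile named-profile]
role_arn = arn:aws:iam::123412341234:role/example-role
source_profile = profile-with-user

[profile orphan]
role_arn = arn:aws:iam::123412341234:role/example-role
source_profile = missing-user
`;

// Parse INI text into Map(section -> Map(key -> value)), keeping key case as written.
function parseIni(text, stripProfilePrefix) {
  const sections = new Map();
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      let name = header[1].trim();
      // ~/.aws/config writes "[profile NAME]"; ~/.aws/credentials writes "[NAME]".
      if (stripProfilePrefix) name = name.replace(/^profile\s+/, '');
      current = new Map();
      sections.set(name, current);
      continue;
    }
    const eq = line.indexOf('=');
    if (eq > 0 && current) current.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return sections;
}

// Return findings that name the file, profile and key only; values are never copied.
function lintAwsFiles(credentialsText, configText) {
  const files = [
    ['credentials', parseIni(credentialsText, false)],
    ['config', parseIni(configText, true)],
  ];
  const findings = [];
  // Rule 1: key names that are not lowercase (the casing problem reported in the thread).
  for (const [file, sections] of files) {
    for (const [profile, keys] of sections) {
      for (const key of keys.keys()) {
        if (key !== key.toLowerCase()) {
          findings.push({ file, profile, rule: 'non-lowercase-key', key });
        }
      }
    }
  }
  // Rule 2: source_profile must name a profile defined in one of the two files.
  const defined = (name) => files.some(([, sections]) => sections.has(name));
  for (const [file, sections] of files) {
    for (const [profile, keys] of sections) {
      const source = keys.get('source_profile');
      if (source !== undefined && !defined(source)) {
        findings.push({ file, profile, rule: 'dangling-source-profile', key: 'source_profile' });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(lintAwsFiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG), null, 2));
```

To check real files, read ~/.aws/credentials and ~/.aws/config as text and pass them to lintAwsFiles in that order.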