
cli: does not support SSO authentication


I am following the blog post here.

When issuing the command:

cdk bootstrap aws://<account>/<region> --profile my-profile

I get a KeyError: 'CDK_DEFAULT_ACCOUNT' in my app.py

In order to try to understand the error I also ran:

cdk synth --trace --verbose --profile my-profile

and I see:

Setting "CDK_DEFAULT_REGION" environment variable to eu-west-1
Resolving default credentials
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile my-profile did not include credential process
    at ProcessCredentials.load (C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials\process_credentials.js:102:11)
    at ProcessCredentials.coalesceRefresh (C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials.js:205:12)
    at ProcessCredentials.refresh (C:\Users\DAA426\XXX\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials\process_credentials.js:163:10)
    at ProcessCredentials.get (C:\Users\DAA426\XXX\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials.js:122:12)
    at resolveNext (C:\Users\DAA426\XXX\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials\credential_provider_chain.js:125:17)
    at C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials\credential_provider_chain.js:126:13
    at C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials.js:124:23
    at C:\Users\XXX\AppData\Roaming\npm\node_modules\aws-cdk\node_modules\aws-sdk\lib\credentials.js:212:15
    at processTicksAndRejections (internal/process/task_queues.js:77:11) {
  code: 'ProcessCredentialsProviderFailure',
  time: 2021-06-25T08:07:47.744Z

The region is correct so somehow the profile is taken into account but not the credentials. Note that the credentials work perfectly fine if I do for example:

aws s3 ls --profile my-profile

Reproduction Steps

Copy the project:

git clone https://github.com/aws-samples/enginframe-aurora-serverless

Create a virtual environment with Python and install the dependencies e.g. using virtualenv and virtualenvwrapper:

mkvirtualenv cdk-test -p path/to/python/3.8/executable
workon cdk-test
pip install -r requirements.txt

Finally, run the bootstrap command using your profile (and having performed whatever logging process this requires beforehand):

cdk bootstrap aws://<account>/<region> --profile my-profile

Note: If you have an error with "can't find python executable" change "app": "python3 app.py", in cdk.json to "app": "python app.py",

What did you expect to happen?

The command should work without any issue

What actually happened?

The command throws an error when reading the Python file because it can’t find the account because it can’t find the credentials process.

Environment

  • CDK CLI Version : 1.109.0
  • Framework Version: ??
  • Node.js Version: v14.17.1
  • OS : Windows 10
  • Language (Version): Python 3.8.3

Other

I am behind a company proxy (Zscaler)


This is 🐛 Bug Report
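The following is an added diagnostic example, not part of the original issue or of the CDK code base. It reads an AWS shared config file and reports which credential source a profile ultimately relies on, following `source_profile` links. The issue does not show the reporter's config, so the sample below is constructed and assumes `my-profile` is defined only with `sso_*` keys; the function names are hypothetical.

```python
import configparser

# Constructed sample of ~/.aws/config; all values are placeholders.
SAMPLE_CONFIG = """
[default]
region = eu-west-1

[profile my-profile]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = ExampleRole
region = eu-west-1

[profile deploy]
role_arn = arn:aws:iam::111111111111:role/ExampleDeploy
source_profile = my-profile

[profile wrapped]
credential_process = example-credential-helper --profile my-profile
"""

# Config keys that mark each kind of credential source in a profile.
# Static keys kept in ~/.aws/credentials are outside this sketch.
MARKERS = {
    "sso": {"sso_start_url", "sso_session"},
    "credential_process": {"credential_process"},
    "static_keys": {"aws_access_key_id"},
}


def terminal_source(config_text, profile):
    """Follow source_profile links; return (profile, sources) for the
    profile that finally supplies credentials."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    seen = set()
    while True:
        section = "default" if profile == "default" else f"profile {profile}"
        if profile in seen or not cp.has_section(section):
            raise ValueError(f"profile {profile!r} is missing or loops back")
        seen.add(profile)
        keys = set(cp[section])  # configparser lower-cases option names
        if "source_profile" in keys:
            profile = cp[section]["source_profile"]
            continue
        return profile, sorted(k for k, m in MARKERS.items() if keys & m)


def needs_sso_aware_tool(config_text, profile):
    """True when SSO is the only source, so a tool that looks for
    credential_process (as in the trace above) finds nothing to run."""
    return terminal_source(config_text, profile)[1] == ["sso"]
```

A profile for which `needs_sso_aware_tool` returns `True` is consistent with the region being resolved while credential lookup fails with `ProcessCredentialsProviderFailure`.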

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 13
  • Comments: 17 (5 by maintainers)

Top GitHub Comments

2 reactions
cacack commented, Dec 27, 2021

Hmm, looks like this might be a duplicate of #5455

1 reaction
dan-lind commented, Oct 7, 2021

Some more info, if it helps. I’m using my default profile.

$ aws sso login
$ aws s3 ls    <-- works fine
$ cdk diff mystack -v -v -v
...
Using proxy server: http://<redacted>.com:8080
Determining if we're on an EC2 instance.
Does not look like an EC2 instance.
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to eu-west-1
Resolving default credentials
Retrieved account ID <redacted> from disk cache
Setting "CDK_DEFAULT_ACCOUNT" environment variable to <redacted>
context: { .... }
...
env: {
  CDK_DEFAULT_REGION: 'eu-west-1',
  CDK_DEFAULT_ACCOUNT: '<redacted>',
  CDK_CONTEXT_JSON: '{ ... }
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '14.0.0',
  CDK_CLI_VERSION: '2.0.0-rc.23'
}
...
Stack mystack
Reading existing template for stack mystack.
[AWS cloudformation 403 593.955s 10 retries] describeStacks({ StackName: 'dev-pmd-app' })
Call failed: describeStacks({"StackName":"mystack"}) => The security token included in the request is expired (code=ExpiredToken)
The security token included in the request is expired

As you can see, besides the fact that it fails, it retries once every minute for 10 minutes to do so.

I’m happy to provide more details if it helps.
