Need to perform AWS calls for account XXX, but no credentials have been configured but they are

Describe the bug

I have aws CLI configured, I have ~/.aws/config

[jedrek]
region = eu-central-1

and ~/.aws/credentials

[jedrek]
aws_access_key_id = XXXXXXXX
aws_secret_access_key = XXXXXX

Configured my Stack for my account and region

const app = new cdk.App();
new Ec2NatInstanceStack(app, 'Ec2NatInstanceStack', {
  env: { region: 'eu-central-1', account: 'XXXXXXXXXXX' }
});

But cdk synth still raises an error: Need to perform AWS calls for account XXX, but no credentials have been configured

import * as cdk from '@aws-cdk/core';
import { Construct } from 'constructs';
import * as ec2 from '@aws-cdk/aws-ec2';

export class Ec2NatInstanceStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    //===========================================================
    // NAT Instance
    //===========================================================
    const natGatewayProvider = ec2.NatProvider.instance({
      instanceType: new ec2.InstanceType('t3.small'),
    });

    //===========================================================
    // VPC
    //===========================================================
    const vpc = new ec2.Vpc(this, 'MyVpc', {
      natGatewayProvider,
      natGateways: 1,
    });
  }
}

Expected Behavior

cdk-synth works fine

Current Behavior

Need to perform AWS calls for account XXX, but no credentials have been configured

Reproduction Steps

Create Stack as above and try to cdk synth

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.29.1 (build c42e961)

Framework Version

No response

Node.js Version

v18.4.0

OS

MacOS 12.3.1

Language

Typescript

Language Version

No response

Other information

No response

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 17 (7 by maintainers)

Top GitHub Comments

1 reaction
corymhall commented, Jul 5, 2022

@ishanjain28 the CDK CLI does not have the capability to automatically pick the correct profile for the configured stack environment. The CLI needs some set of credentials to start with, and if you do not provide the --profile then it will assume that you are using the default profile.

If you have bootstrapped your accounts then there will be a set of IAM roles that have been created in those accounts. When you run a CDK command, the CLI will use your configured credentials to assume the bootstrapped roles in each account.

So for example if you run npx cdk synth --profile=dev --all it will use the credentials from your dev profile and will first assume a specific role in the target account.

0 reactions
vramirez commented, Oct 5, 2022

Having the same error here, even though I’m using --profile

I have multiple accounts configured. All of them as [profile profile-name]


[16:22:04] CDK toolkit version: 2.44.0 (build bf32cb1)
[16:22:04] Command line arguments: {
  _: [ 'diff' ],
  profile: 'ci-dev',
  verbose: 1,
  v: 1,
  lookups: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  debug: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  ci: false,
  'context-lines': 3,
  contextLines: 3,
  strict: false,
  'security-only': false,
  securityOnly: false,
  processed: false,
  '$0': 'cdk'
}
[16:22:04] cdk.json: {
  "app": "npx ts-node bin/cdk.ts",
  "context": {}
}
[16:22:04] merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'npx ts-node bin/cdk.ts',
  context: {},
  debug: false,
  assetMetadata: true,
  profile: 'ci-dev',
  toolkitBucket: {},
  staging: true,
  bundlingStacks: [ '*' ],
  lookups: true
}
[16:22:04] Toolkit stack: CDKToolkit
[16:22:04] Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
[16:22:04] Resolving default credentials
[16:22:04] Reading cached notices from /Users/victor.ramirez/.cdk/cache/notices.json
[16:22:04] Retrieved account ID G00D4CC0UN71D from disk cache
[16:22:04] Setting "CDK_DEFAULT_ACCOUNT" environment variable to G00D4CC0UN71D
[16:22:04] context: {
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true,
  'aws:cdk:version-reporting': true,
  'aws:cdk:bundling-stacks': [ '*' ]
}
[16:22:04] outdir: cdk.out
[16:22:04] env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_DEFAULT_ACCOUNT: 'G00D4CC0UN71D',
  CDK_CONTEXT_JSON: '{"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true,"aws:cdk:version-reporting":true,"aws:cdk:bundling-stacks":["*"]}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '21.0.0',
  CDK_CLI_VERSION: '2.44.0'
}
No environment passed in, Defaulting to platform-development
Default repositoryName is liquibase-service-repository. Are you sure you want to override?
Stack LiquibaseEcrRepo
[16:22:07] Retrieved account ID G00D4CC0UN71D from disk cache
[16:22:07] Assuming role 'arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-lookup-role-WR0NG4CC0UN71D-us-east-1'.
[16:22:07] Assuming role failed: User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-lookup-role-WR0NG4CC0UN71D-us-east-1
[16:22:07] Error: Could not assume role in target account using current credentials (which are for account G00D4CC0UN71D) User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-lookup-role-WR0NG4CC0UN71D-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
    at _SDK.forceCredentialRetrieval (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk.ts:261:13)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at SdkProvider.forEnvironment (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:199:7)
    at prepareSdkWithLookupRoleFor (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:74:22)
    at CloudFormationDeployments.prepareSdkWithLookupOrDeployRole (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:462:22)
    at CloudFormationDeployments.readCurrentTemplateWithNestedStacks (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:346:18)
    at CdkToolkit.diff (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:119:33)
    at initCommandLine (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/cli.ts:357:12)
Could not assume arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-lookup-role-WR0NG4CC0UN71D-us-east-1, proceeding anyway.
(To get rid of this warning, please upgrade to bootstrap version >= 8)
[16:22:07] Retrieved account ID G00D4CC0UN71D from disk cache
[16:22:07] Assuming role 'arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-deploy-role-WR0NG4CC0UN71D-us-east-1'.
[16:22:07] Assuming role failed: User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-deploy-role-WR0NG4CC0UN71D-us-east-1
[16:22:07] Reading cached notices from /Users/victor.ramirez/.cdk/cache/notices.json

Could not assume role in target account using current credentials (which are for account G00D4CC0UN71D) User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-deploy-role-WR0NG4CC0UN71D-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
[16:22:07] Error: Could not assume role in target account using current credentials (which are for account G00D4CC0UN71D) User: arn:aws:sts::G00D4CC0UN71D:assumed-role/AWSReservedSSO_Developer_39f6bf919eaecdf0/victor.ramirez is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::WR0NG4CC0UN71D:role/cdk-hnb659fds-deploy-role-WR0NG4CC0UN71D-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
    at _SDK.forceCredentialRetrieval (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk.ts:261:13)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at SdkProvider.forEnvironment (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/aws-auth/sdk-provider.ts:199:7)
    at CloudFormationDeployments.prepareSdkFor (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:502:22)
    at CloudFormationDeployments.readCurrentTemplateWithNestedStacks (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:346:18)
    at CdkToolkit.diff (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:119:33)
    at initCommandLine (/Users/victor.ramirez/.nvm/versions/node/v16.16.0/lib/node_modules/aws-cdk/lib/cli.ts:357:12)
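
Added example (not part of the thread or of the CDK code base): a small Node.js triage function for `cdk --verbose` output that pulls out each failed sts:AssumeRole, compares the caller's account with the account in the bootstrap role ARN, and says whether the failure is a cross-account mismatch like the one in the log above. The sample log, account IDs, user and role names are constructed, and the function name and hint texts are assumptions of this example.

```javascript
// Constructed sample input: account IDs, user and role names are made up.
const caller = "arn:aws:sts::111111111111:assumed-role/ExampleSsoRole/example.user";
const lookupRole = "arn:aws:iam::222222222222:role/cdk-hnb659fds-lookup-role-222222222222-us-east-1";
const deployRole = "arn:aws:iam::333333333333:role/cdk-hnb659fds-deploy-role-333333333333-eu-central-1";
const denied = "is not authorized to perform: sts:AssumeRole on resource:";
const SAMPLE_LOG = [
  "[10:00:01] Retrieved account ID 111111111111 from disk cache",
  `[10:00:02] Assuming role failed: User: ${caller} ${denied} ${lookupRole}`,
  "[10:00:02] Error: Could not assume role in target account using current credentials " +
    `(which are for account 111111111111) User: ${caller} ${denied} ${lookupRole} . Please make sure that this role exists in the account.`,
  `[10:00:03] Assuming role failed: User: arn:aws:iam::333333333333:user/example-ci ${denied} ${deployRole}`,
].join("\n");

// Captures: caller ARN, caller account, role ARN, target account, role name.
// The account fields are matched loosely so redacted IDs in pasted logs still parse.
const DENIED_RE = new RegExp(
  "User: (arn:aws:(?:sts|iam)::([^:\\s]*):\\S+) is not authorized to perform: " +
  "sts:AssumeRole on resource: (arn:aws:iam::([^:\\s]*):role/(\\S+))"
);

// Hypothetical helper: returns one finding per distinct role that could not be assumed.
function triageAssumeRoleFailures(logText) {
  const seen = new Set();
  const findings = [];
  for (const line of logText.split(/\r?\n/)) {
    const m = DENIED_RE.exec(line);
    if (!m) continue;
    const [, callerArn, callerAccount, roleArn, targetAccount, roleName] = m;
    if (seen.has(roleArn)) continue; // the CLI repeats each failure in its Error line
    seen.add(roleArn);
    const kindMatch = /-(lookup|deploy)-role-/.exec(roleName);
    const crossAccount = callerAccount !== targetAccount;
    findings.push({
      kind: kindMatch ? kindMatch[1] : "other",
      callerArn, callerAccount, targetAccount, roleArn, crossAccount,
      hint: crossAccount
        ? "Credentials are for a different account than the stack env: check --profile, " +
          "or re-bootstrap the target account with --trust for the caller's account."
        : "Same account: the bootstrap role is missing or the caller lacks sts:AssumeRole; " +
          "(re)bootstrap the environment or grant the permission.",
    });
  }
  return findings;
}

console.log(triageAssumeRoleFailures(SAMPLE_LOG));
```
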