aws-cdk: CDK errors with no credentials have been configured if credentials file does not exist

When running cdk deploy, if a file does not exist at ~/.aws/credentials, cdk will exit with the message "Need to perform AWS calls for account 1234, but no credentials have been configured."

There are many ways to provide AWS credentials that don't require the credentials file, so this should probably be fixed.

In the meantime, the fix is to simply create a file at the expected path (~/.aws/credentials).

Reproduction Steps

mv ~/.aws/credentials ~/.aws/credentials_backup
cdk deploy --verbose

Error Log

see above

Environment

  • CLI Version : 1.30.0 (build 4f54ff7)
  • Framework Version:
  • OS :
  • Language :

Other


This is 🐛 Bug Report

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 34
  • Comments: 31 (4 by maintainers)

Most upvoted comments

The file already exists for me with proper credentials, still not able to solve it. Anyone else facing the same issue?

The file already exists for me with proper credentials, still not able to solve it. Anyone else facing the same issue?

I got around this by adding --profile <profile-name> at the end of my cdk command, with the profile name being the name in the ~/.aws/credentials file.

Contents of ~/.aws/credentials:

[aws-profile-name]
aws_access_key_id=XXX
aws_secret_access_key=XXX

Then my CLI CDK commands will be: cdk <cdk-command> --<cdk-options> --profile aws-profile-name

@trondhindenes @DioNNiS - have you checked out this blog post, which gets into how to use the cdk-credential plugin? It's a tool I'd recommend when working with cross-account actions.

I've found a fair amount of users who run into this message would have been saved a fair amount of grief if the plugin were used.

Can you give it a go and let me know how it goes?

This issue is also coming from

Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Unable to determine the default AWS account: TypeError: Cannot redefine property: saml
    at Function.defineProperty (<anonymous>)
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:11:14
    at Array.forEach (<anonymous>)
    at IniLoader.parseFile (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:8:26)
    at IniLoader.loadFrom (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
    at Object.getProfilesFromSharedConfig (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/util.js:969:42)
    at ProcessCredentials.load (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:75:31)
    at ProcessCredentials.coalesceRefresh (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:122:12)

How to check if it’s due to profile name conflicts

<original command> --profile saml -v

When can it happen? When you have the same entry in ~/.aws/config with a profile like

[saml]
output = json
region = us-east-1
aws_access_key_id = ASIA
aws_secret_access_key = Europe


[profile saml]
region = us-east-1

Or

[someName]
output = json
region = us-east-1
aws_access_key_id = ASIA
aws_secret_access_key = Europe


[profile someName]
region = us-east-1

Notice profile saml and saml

There’s this code in /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js

Object.keys(content).forEach(function(profileName) {
  var profileContent = content[profileName];
  profileName = isConfig ? profileName.replace(/^profile\s/, '') : profileName;
  Object.defineProperty(tmpContent, profileName, {
    value: profileContent,
    enumerable: true
  });
});

It tries to define the saml property again, and that's where it fails.

How to resolve?

Remove the entry with [profile <some-name>]
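
The collision described in the comment above can be checked for before running cdk. This is an added example, not part of the original thread and not aws-sdk code: it applies the same "profile " prefix strip to the section headers of a constructed sample config, reports headers that collapse to one name, and replays the defineProperty loop in simplified form. The function names and the sample contents are assumptions.

```javascript
// Constructed sample of ~/.aws/config, modelled on the example in the thread.
const SAMPLE_CONFIG = [
  '[saml]',
  'region = us-east-1',
  '',
  '[profile saml]',
  'region = us-east-1',
  '',
  '[profile sandbox]',
  'region = us-east-1',
  '',
  '[default]',
  'region = ap-south-1',
].join('\n');

// Section headers in file order, e.g. ["saml", "profile saml", ...].
function sectionHeaders(text) {
  return text.split(/\r?\n/)
    .map((line) => /^\s*\[([^\]]+)\]\s*$/.exec(line))
    .filter(Boolean)
    .map((m) => m[1].trim());
}

// Group headers by the name left after the loader's prefix strip; a group
// with more than one header is a profile that would be defined twice.
function findProfileCollisions(text) {
  const groups = new Map();
  for (const header of sectionHeaders(text)) {
    const name = header.replace(/^profile\s/, '');
    groups.set(name, [...(groups.get(name) || []), header]);
  }
  return [...groups].filter(([, headers]) => headers.length > 1);
}

// Simplified replay of the quoted loop (hypothetical helper, not SDK code).
function loadProfiles(text) {
  const tmpContent = {};
  try {
    for (const header of sectionHeaders(text)) {
      const name = header.replace(/^profile\s/, '');
      Object.defineProperty(tmpContent, name, { value: {}, enumerable: true });
    }
    return { ok: true, profiles: Object.keys(tmpContent) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

console.log(findProfileCollisions(SAMPLE_CONFIG), loadProfiles(SAMPLE_CONFIG));
```

A non-empty result from findProfileCollisions names the headers to reconcile in the config file before the credential lookup is attempted.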

The trick for cdk to pick the right profile is to have the ~/.aws/config file well configured; this is how I'm doing it:

cat ~/.aws/config 
[profile sandbox]
region=us-east-1


[default]
region=ap-south-1

Any other profile apart from default should be mentioned with the profile keyword followed by the profile name, for instance, [profile sandbox], then the other details on the next line.

Using the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION works for me.

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

cdk version 1.57.0

I ran into this today as well.

Command: cdk bootstrap aws://my-account-id/my-region

Error: Environment aws://my-account-id/my-region failed bootstrapping: Error: Need to perform AWS calls for account my-account-id, but no credentials have been configured

I don’t have a credential file and, as per my understanding, I should not need one if I am following the best practice of using a dedicated administrative account with temporary credentials enabled.

My config looks like:

[profile my-username]
sso_session = ...
sso_account_id = ...
sso_role_name = ...
region = ...
output = ...
[sso-session ...]
sso_start_url = ...
sso_region = ...
sso_registration_scopes = ...

[default]
region = ...

I tried adding an empty credential file, but it did not fix it.

cdk ls -v

[18:09:34] Toolkit stack: CDKToolkit
[18:09:34] Setting "CDK_DEFAULT_REGION" environment variable to ...
[18:09:34] Resolving default credentials
[18:09:34] Unable to determine the default AWS account (ProcessCredentialsProviderFailure): Profile default did not include credential process

Removing the default profile

[18:11:20] Toolkit stack: CDKToolkit
[18:11:20] Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
[18:11:20] Resolving default credentials
[18:11:20] Unable to determine the default AWS account (ProcessCredentialsProviderFailure): Profile default not found

Why is this closed?

@shivlaks this bug (which I understand is fixed now) simply meant that a file had to exist on the filesystem for CDK to be able to work. I don’t have any issues with authentication or credentials, I just found that this file needed to exist (empty or not).

Sidenote: I had a look at the credential-plugin now. As sweet as it looks, one of CDK’s selling points is its cross-language support. This means that utilities and helpers also need to be cross-language. We’re standardized on python for all our “iac” stuff and so this plugin wouldn’t solve my issue since it seems to require a TS/JS-based cdk codebase.

What worked for me was running it with the verbose option; I found that one of the profiles was duplicated in the config file.

cdk ls -v

Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Unable to determine the default AWS account: TypeError: Cannot redefine property: my-profile-name
    at Function.defineProperty (<anonymous>)
    at /home/dmoreno/.nvm/versions/node/v16.3.0/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:11:14
    at Array.forEach (<anonymous>)
    at IniLoader.parseFile (/home/dmoreno/.nvm/versions/node/v16.3.0/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:8:26)
    at IniLoader.loadFrom (/home/dmoreno/.nvm/versions/node/v16.3.0/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
    at Object.getProfilesFromSharedConfig (/home/dmoreno/.nvm/versions/node/v16.3.0/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/util.js:969:42)
    at ProcessCredentials.load (/home/dmoreno/.nvm/versions/node/v16.3.0/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:75:31)
    at ProcessCredentials.coalesceRefresh (/home/dmoreno/.nvm/versions/node/v16.3.0/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/home/dmoreno/.nvm/versions/node/v16.3.0/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/home/dmoreno/.nvm/versions/node/v16.3.0/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:122:12)
    ...

After losing a couple of hours having authentication issues with named profiles, @ajaysuwalka's solution helped me. Thanks so much!

By doing cdk diff --profile "profile someName" instead of cdk diff --profile someName, it worked.

By the way, I'm using version 1.58 of the CDK.

Oh wow. Two years later and this is still not resolved 😐

You can test your credentials with this command:

aws sts get-caller-identity

My system time was wrong; I updated my system time and it was good.

Ran into this today, moving the accounts_partitions.json in the cdk cache worked.

mv /Users/hugo/.cdk/cache/accounts_partitions.json /Users/hugo/.cdk/cache/accounts_partitions.json.old

Not sure if this should be a new issue, but it's certainly related. In my case there are existing (non-empty) .aws/credentials and .aws/config files. But my deploy script defined AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_DEFAULT_REGION. Despite the fact that per the docs those should be checked first, I was getting the same error.

My workaround was setting AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE to point to new, empty files.

Issue still exists in latest CLI:

$ aws --version
aws-cli/1.25.72 Python/3.10.4 Linux/5.15.0-47-generic botocore/1.27.71
$ cdk --version
2.41.0 (build 6ad48a3)
$ node --version
v18.9.0

In my case, I attempted to bootstrap using a profile with an IAM role without a ~/.aws/credentials file:

cdk --profile my-iam-role-profile bootstrap aws://xxx/xxx

Creating the credentials file for the IAM users resolved the issue.

~/.aws/config was the problem

  • Ran a cdk diff -v --profile xyz, that verbosity switch -v was the key, it exposed the issue.
    Resolving default credentials
    Unable to determine the default AWS account: TypeError: Cannot redefine property: sandbox
    
  • Looked at my ~/.aws/credentials file, all was in order there
  • In the respective ~/.aws/config I had a typo related to my sandbox profile, unrelated to the xyz profile.

I get this issue on and off, seemingly at random. I'll reset the environment variables, delete and create the creds and config files with some data, then delete again, and eventually it works.