Reputation: 907
I am trying to run CDK commands to check the diff of my local and remote stack.
I am using the following command.
cdk diff --profile saml
I am getting the following error message
Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment
I am looking for ways to resolve this issue.
Upvotes: 58
Views: 74396
Reputation: 21
Elias Schoof provides the best answer. You will presumably have an AWS user and associated sso profile setup via IAM Identity Center.
Then from your terminal type:
export AWS_PROFILE=<my-profile-name>
Afterwards, cdk commands work as expected. This profile will be used for the duration of the shell.
Upvotes: 0
Reputation: 16304
These days, CDK does support SSO, but when your SSO token expires it can get in a funny spot.
I was stuck on this for quite a bit today. Ended up deleting everything in ~/.aws/sso/cache, ~/.aws/cli/cache, and ~/.cdk/cache and then did another aws sso login and it started working again.
Update: Got stuck in this state again today.
find ~/.aws ~/.cdk -path '*/cache/*' -delete
Upvotes: 0
Reputation: 25966
The moment I added -v (verbose) to the command, I could see the real root cause of my problem.
I am using a company laptop, and we are using a Zscaler certificate; this is causing the actual issue.
Here I added -v
It will spit out lots of messages, then I can finally see the root cause of the error:
Could not refresh notices: Error: unable to get local issuer certificate
Upvotes: 0
Reputation: 550
If you're using aws sso as your login method, once you source .venv/bin/activate, execute the following to set up your session:
aws sso login --profile profile_name
Then execute:
cdk deploy --profile profile_name
Upvotes: 3
Reputation: 1842
If you have multiple profiles in your ~/.aws/config, for instance,
[profile prod]
sso_start_url = https://sso.com
sso_region = us-east-1
sso_account_id = <account_id>
sso_role_name = <role_name>
region = us-east-1
output = json
[profile dev]
sso_start_url = https://sso.com
sso_region = us-east-1
sso_account_id = <account_id>
sso_role_name = <role_name>
region = us-east-1
output = json
Then run your CDK command specifying the profile you want to use in an environment variable.
AWS_PROFILE=dev cdk diff
Upvotes: 0
Reputation: 1266
For me this was caused by a discrepancy in the system time. As others have said, running
cdk diff -v
And carefully reading through the output helped. I found a message like this:
Unable to determine the default AWS account (SignatureDoesNotMatch): Signature expired: 20230412T092243Z is now earlier than 20230412T100504Z (20230412T102004z - 15 mins)
When I checked, my laptop time had not updated with daylight savings.
Upvotes: 0
Reputation: 1207
Only when I explicitly exported my creds did it work:
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
Upvotes: 0
Reputation: 1059
AWS will give you the same error if you don't provide a valid aws_access_key_id and aws_secret_access_key.
Upvotes: 1
Reputation: 2046
I use AWS SSO and sometimes experience this issue when my session has expired. Calling aws sso login will still seem like it's working fine for a minute or two, but calling cdk deploy (or something similar) already fails.
Upvotes: 0
Reputation: 294
In my case, I changed the region name to the region code,
from: Asia Pacific (Singapore) to: ap-southeast-1
Upvotes: 0
Reputation: 5007
For me it seemed the CDK had cached a bad session and wouldn't clear it. I deleted the following directory in my home directory
rm -Rf ~/.cdk/cache
That worked for me as it forced creation of a new cache. (be careful you're deleting the correct dir :)
Upvotes: 0
Reputation: 1131
I tried everything and in the end it was the unadjusted clock of WSL2
Fixed with
sudo ntpdate pool.ntp.org
Upvotes: 1
Reputation: 361
In my case, when I specified my credentials using aws configure, when I pasted the apiKey it included a special character in the beginning of the credential, causing this issue. So I edited the ./aws/credentials file and removed it.
Upvotes: 0
Reputation: 79
sudo was killing me...
I was getting the same error for cdk deploy. I kept running:
$ sudo cdk deploy --profile default
and getting the same error. I eventually used -v and read every line and realized it wasn't using my .aws/credentials file, but was looking for /root/.aws/credentials.
Removed sudo and everything worked just fine.
$ cdk deploy --profile default
Upvotes: 2
Reputation: 1
I just created a new profile.
aws configure --profile profile2
aws_access_key_id=XXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXX
region = us-west-2
output=text
cdk deploy --profile profile2
I tried various things and this finally helped. Just a quick note, I never added an output until the last one. Maybe a completely filled out profile helped as well.
reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html
Upvotes: 0
Reputation: 6436
In my case I was running the command:
npm run cdk diff my-stack --profile MyProfile
However it worked when I changed to use
npx cdk diff my-stack --profile MyProfile
This is because npm run x does not pass through --parameters to child processes.
Upvotes: 0
Reputation: 31
AWS CLI v2 is capable of using AWS SSO to acquire credentials natively; however the SDK that was used to develop AWS CDK is not capable of using AWS SSO natively to acquire the credentials. Hence, "credential_process" must be configured in ~/.aws/config to acquire credentials.
While configuring "credential_process", I found the Python package "aws2-wrap" (pip install aws2-wrap) simple and straightforward. The other package "aws-sso-credential-process" required pipx which itself installed [email protected] on my Mac.
Upvotes: 1
Reputation: 1440
The error is produced by CDK because it can't resolve valid AWS CLI credentials, which would allow it to resolve the account by making a call similar to
aws sts get-caller-identity --profile profile_name
There are multiple ways to configure the AWS CLI with valid credentials so that CDK can interact with the CLI configuration to obtain credentials:
[default]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
In ~/.aws/config
[profile developer]
credential_process = /opt/bin/awscreds-custom --username helen
Using a more secure tool like https://github.com/99designs/aws-vault
Using AWS CLI integration with AWS SSO. This setup allows for SSO across multiple accounts and supports multiple MFA strategies including biometric. The problem with this is that the current version of the CDK has not been updated to use the latest version of the Node AWS SDK, so it does not know how to retrieve credentials. Hopefully a future release of CDK will resolve this, but it's been almost 2 years.
In ~/.aws/config
[profile sso_profile]
sso_start_url = https://sso_url.awsapps.com/start
sso_region = us-east-2
sso_account_id =
sso_role_name = AWSAdministratorAccess
region = us-east-2
output=json
Fortunately there is a decent workaround which works seamlessly once configured. This involves utilizing a Python lib that can expose an SSO profile as a credentials process, which is supported by current CDK. Install https://pypi.org/project/aws2-wrap/
pip3 install aws2-wrap==1.2.7
Then in ~/.aws/config add a wrapper profile that uses aws2-wrap to expose it as a credentials process
[profile wrapped_sso_profile]
region = us-east-2
credential_process = aws2-wrap --process --profile sso_profile
Upvotes: 6
Reputation: 3767
I just came across this, because I had the same issue...
Using THE SAME profile identifier fixed it for me :D
I was using an _ whereas the profile name contained a - ...
Upvotes: 0
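Three of the causes reported in the answers above (a region name instead of a region code, a stray character pasted into the access key, and _ versus - in the profile name) can be checked offline before running cdk. The following Python check is an added example, not part of any answer; lint, config_profiles and the sample file contents are hypothetical names and constructed data, and the two patterns are heuristics.

```python
import configparser
import re

# Heuristics (assumptions of this example): region codes look like ap-southeast-1,
# access key IDs consist of upper-case letters and digits only.
REGION_CODE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")
ACCESS_KEY_ID = re.compile(r"^[A-Z0-9]{16,128}$")

def config_profiles(config_text):
    """Map profile name -> settings; ~/.aws/config uses '[profile NAME]' headers."""
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    profiles = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name.strip()] = dict(parser[section])
    return profiles

def lint(config_text, credentials_text, requested_profile):
    """Return human-readable findings; credential values are never echoed."""
    findings = []
    profiles = config_profiles(config_text)
    creds = configparser.RawConfigParser()
    creds.read_string(credentials_text)
    known = set(profiles) | set(creds.sections())
    if requested_profile not in known:
        def norm(name):
            return name.replace("_", "-").lower()
        near = sorted(p for p in known if norm(p) == norm(requested_profile))
        hint = f"; did you mean {near[0]!r}?" if near else ""
        findings.append(f"profile {requested_profile!r} not found{hint}")
    for name, settings in profiles.items():
        for key in ("region", "sso_region"):
            value = settings.get(key)
            if value is not None and not REGION_CODE.match(value):
                findings.append(f"[{name}] {key} = {value!r} is not a region code")
    for name in creds.sections():
        if not ACCESS_KEY_ID.match(creds[name].get("aws_access_key_id", "")):
            findings.append(f"[{name}] aws_access_key_id is missing or has unexpected characters")
    return findings

# Constructed sample files reproducing the three mistakes.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
[profile my-dev]
sso_region = us-east-1
region = Asia Pacific (Singapore)
"""
SAMPLE_CREDENTIALS = "[default]\naws_access_key_id = ~AKIAI44QH8DHBEXAMPLE\n"
```

Calling lint(SAMPLE_CONFIG, SAMPLE_CREDENTIALS, "my_dev") reports all three problems; pass the contents of your own ~/.aws/config and ~/.aws/credentials to check a real setup.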
Reputation: 1
In my case I created new access keys in AWS first, which I then used as described above.
aws configure aws_access_key_id aws_secret_access_key then enter your region
Then it worked. So I assume when the error is "Unable to resolve AWS account" you have to issue new access keys, as the current one is obviously not valid anymore.
Upvotes: 0
Reputation: 8
Just type
aws configure
in your shell and then type
aws_access_key_id
aws_secret_access_key
then enter your region
If you are not sure of your region, sign in to the Console, then have a look at the end of the URL bar; I'm sure you will find it.
Upvotes: -3
Reputation: 711
In ~/.aws/config the tag [default] must be alone in a new row
Example:
[someBasicUser]
[default]
aws_access_key_id = XXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXX
Upvotes: 0
Reputation: 131
In my case it had nothing to do with the proposed solutions.
If you add the -v (verbose) argument to the cdk command, you will see the actual error:
Unable to determine the default AWS account: TypeError [ERR_INVALID_PROTOCOL]: Protocol "https:" not supported. Expected "http:"
I tried different versions of CDK and nothing, still the same error. After many tries I ended up with the root cause: node version. With v15.2.1 I got that error, but after downgrading to v14.15.1 the issue was solved.
Upvotes: 9
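Several answers above found the real cause only by reading `-v` output, so here is a small triage pass over that output as an added example (not part of any answer). It recognises only the verbose errors quoted on this page and, for the signature-expiry message, computes how far the local clock was off; triage, clock_skew_seconds and the sample output are hypothetical names and constructed data.

```python
import re
from datetime import datetime

SIG_EXPIRED = re.compile(
    r"Signature expired: (\d{8}T\d{6})Z is now earlier than "
    r"\d{8}T\d{6}Z \((\d{8}T\d{6})Z - (\d+) mins?\)",
    re.IGNORECASE,  # the quoted message ends one timestamp with a lower-case z
)
# Substring -> cause, limited to the verbose errors quoted in the answers on this page.
KNOWN_CAUSES = {
    "unable to get local issuer certificate":
        "certificate chain not trusted by Node (TLS-inspecting proxy CA)",
    "ERR_INVALID_PROTOCOL":
        "Node.js runtime issue (the answer above fixed it by changing Node version)",
}

def clock_skew_seconds(line):
    """Seconds between the request's signing time and the server's time, or None."""
    m = SIG_EXPIRED.search(line)
    if m is None:
        return None
    signed_at, server_now = (datetime.strptime(s, "%Y%m%dT%H%M%S") for s in m.group(1, 2))
    return int((server_now - signed_at).total_seconds())

def triage(verbose_output):
    """Return (cause, detail) pairs for every known root cause in `cdk -v` output."""
    findings = []
    for line in verbose_output.splitlines():
        skew = clock_skew_seconds(line)
        if skew is not None:
            allowed = int(SIG_EXPIRED.search(line).group(3)) * 60
            findings.append(
                ("clock skew", f"local clock is {skew}s behind the server; {allowed}s allowed"))
        for needle, cause in KNOWN_CAUSES.items():
            if needle in line:
                findings.append((cause, line.strip()))
    return findings

# Constructed sample: the error lines are the ones quoted in the answers above.
SAMPLE_OUTPUT = """\
Could not refresh notices: Error: unable to get local issuer certificate
Unable to determine the default AWS account (SignatureDoesNotMatch): Signature expired: 20230412T092243Z is now earlier than 20230412T100504Z (20230412T102004z - 15 mins)
Unable to resolve AWS account to use.
"""
```

For the quoted signature message the skew comes out at 3441 seconds, just under an hour, which matches the missed daylight-saving change described in that answer.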
Reputation: 41
In your .aws folder, create/add an empty file named credentials without the file extension.
Upvotes: 4
Reputation: 21
Not sure if this helps, but in my organization we use AWS SSO, with over 90 AWS Accounts, with MFA, so it was impossible to manage CDK without AWS CLIv2 with profiles, and AWS SSO support.
I found a way to solve it, so until it's officially released, you can use this, it works quite all right: MatsCloud blog - CDK with AWS SSO multi account multi profile
Upvotes: 0
Reputation: 2066
You might be suffering from https://github.com/aws/aws-cdk/issues/5455
To work around, don't use a profile, grab access keys (your org should have a way) and export these to the environment
Upvotes: 0
Reputation: 486
Finally I used following in C:\XXXX.aws\credentials
[default]
aws_access_key_id=XXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXX
and cmd:> cdk deploy --profile default
However this didn't work.
[project1]
aws_access_key_id = ANOTHER_AWS_ACCESS_KEY_ID
aws_secret_access_key = ANOTHER_AWS_SECRET_ACCESS_KEY
and cmd:> cdk deploy --profile project1
Error: AWS region must be configured either when you configure your CDK stack or through the environment
Upvotes: 5
Reputation: 5625
You should explicitly set your account and region when initializing your stacks. AWS CDK CLI provides two environment variables, CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION, to determine the target at synthesis time.
new MyDevStack(app, 'dev', {
  env: {
    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: process.env.CDK_DEFAULT_REGION
  }
});
If you use these environment variables, the target account and region are fetched from your active AWS profile, e.g. --profile option.
https://docs.aws.amazon.com/cdk/latest/guide/environments.html
Upvotes: 1
Reputation: 9402
You need to specify your credentials. Check out this article: https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html#getting_started_credentials
It gives details on how to do this:
Specifying Your Credentials and Region
You must specify your credentials and an AWS Region to use the AWS CDK CLI. The CDK looks for credentials and region in the following order:
Using the --profile option to cdk commands.
Using environment variables.
Using the default profile as set by the AWS Command Line Interface (AWS CLI).
You can set up a profile using the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html for details on how to do this. You can specify named profiles, such as a profile for each account, and then specify the profile name to use for your CDK call.
Upvotes: 5