AWS CDK destroy fails to delete secret

Question

I have a CDK script that creates an S3 bucket, VPC, and an RDS instance. Deploy is working, but the destroy fails with an error that my user is not authorized to secretsmanager:DeleteSecret.

I used the IAM policy testing tool to check and it passes. I am able to delete the secret via the UI. The CDK destroy command continues to fail though. Any thoughts?

CDK script:

class AcmeCdkStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // create a general purpose bucket for use with the app
    new s3.Bucket(this, 'app-bucket', {
      versioned: true
    });

    // create a vpc for our application
    const vpc = new ec2.Vpc(this, 'app-vpc, {
      cidr: "10.0.0.0/16",
    });

    // create a database instance
    const db = new rds.DatabaseInstance(this, `app-db`, {
      engine: rds.DatabaseInstanceEngine.POSTGRES,
      instanceClass: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
      vpc,
      masterUsername: `dbadmin`,
      deleteAutomatedBackups: false,
      deletionProtection: false,
      // https://github.com/aws/aws-cdk/issues/4036
      removalPolicy: cdk.RemovalPolicy.DESTROY,
    });
  }
}

const app = new cdk.App();

new AcmeCdkStack(app, 'app-stack;);

Error:

User: arn:aws:iam::0000000000:user/user@acme.com is not authorized to perform: secretsmanager:DeleteSecret on resource: arn:aws:secretsmanager:us-east-1:0000000000:secret:appdbdemoSecret0261-mjgIXOsp5rLL-HxFng1 (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 000000000)

Answer 1

Based on the comments, the problem was that the CDK was using different credentials than expected. The solution was to use correct AWS_PROFILE.