44

I am trying to run CDK commands to check the diff of my local and remote stack.

I am using the following command.

cdk diff --profile saml

I am getting the following error message

Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment

I am looking for ways to resolve this issue.

Drew Gallagher
  • 746
  • 2
  • 9
  • 18

27 Answers

25

Removing [profile default] from ~/.aws/config solved it for me.

milan
  • 11,872
  • 3
  • 42
  • 49
  • 2
    Running cdk diff with -v option shows this in the output "Resolving default credentials Unable to determine the default AWS account: TypeError: Cannot redefine property: default". It seems that the "default" profile name clashes with something within the TypeScript code so renaming/removing the "default" profile allows it to work – sDaub Feb 04 '21 at 18:06
  • 1
    I somehow had two profiles with the same name in there. So removing one fixed the error. – A Simple Programmer Aug 05 '22 at 21:28
  • 3
    @ASimpleProgrammer I've had this happen. Usually two profiles with the same name is from doing `aws configure sso` twice. It adds a new entry each time – Kellen Stuart Nov 02 '22 at 20:20
7

In my case it had nothing to do with the proposed solutions.
If you add the -v (verbose) argument to cdk command, you will see the actual error: Unable to determine the default AWS account: TypeError [ERR_INVALID_PROTOCOL]: Protocol "https:" not supported. Expected "http:"

I tried different versions of CDK and nothing, still the same error. After many tries I ended up with the root cause: node version. With v15.2.1 I got that error, but after downgrading to v14.15.1 the issue was solved.

5

Finally I used the following in C:\XXXX.aws\credentials

[default]
aws_access_key_id=XXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXX

and cmd:> cdk deploy --profile default

However this didn't work.

[project1]
aws_access_key_id = ANOTHER_AWS_ACCESS_KEY_ID
aws_secret_access_key = ANOTHER_AWS_SECRET_ACCESS_KEY

and cmd:> cdk deploy --profile project1

Error: AWS region must be configured either when you configure your CDK stack or through the environment

Rajish sani
  • 476
  • 7
  • 11
4

You need to specify your credentials. Check out this article: https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html#getting_started_credentials

It gives details on how to do this:

Specifying Your Credentials and Region

You must specify your credentials and an AWS Region to use the AWS CDK CLI. The CDK looks for credentials and region in the following order:

Using the --profile option to cdk commands.

Using environment variables.

Using the default profile as set by the AWS Command Line Interface (AWS CLI).

You can set up a profile using the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html for details on how to do this. You can specify named profiles, such as a profile for each account, and then specify the profile name to use for your CDK call.

Shawn
  • 8,374
  • 5
  • 37
  • 60
4

In your .aws folder, create/add an empty file named credentials without the file extension.

Elletlar
  • 3,136
  • 7
  • 32
  • 38
Alex Wood
  • 41
  • 1
3

The error is produced by CDK because it can't resolve valid AWS CLI credentials, which allow it to resolve the account by making a call similar to:

aws sts get-caller-identity --profile profile_name

There are multiple ways to configure the AWS CLI with valid credentials so that CDK can interact with the CLI configuration to obtain credentials

  1. In ~/.aws/credentials, which is the easiest and least preferred/secure way due to using long-term creds, you can place long-term credentials assigned to an IAM user like this:
    [default]
    aws_access_key_id=AKIAI44QH8DHBEXAMPLE
    aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
  2. Using credential process https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

In ~/.aws/config

[profile developer]
credential_process = /opt/bin/awscreds-custom --username helen

  3. Using a more secure tool like https://github.com/99designs/aws-vault

  4. Using AWS CLI integration with AWS SSO. This setup allows for SSO across multiple accounts and supports multiple MFA strategies including biometric. The problem with this is that the current version of the CDK has not been updated to use the latest version of the Node AWS SDK, so it does not know how to retrieve credentials. Hopefully a future release of CDK will resolve this, but it's been almost 2 years.

In ~/.aws/config

[profile sso_profile]
sso_start_url = https://sso_url.awsapps.com/start
sso_region = us-east-2
sso_account_id =
sso_role_name = AWSAdministratorAccess
region = us-east-2
output=json
 

Fortunately there is a decent workaround which works seamlessly once configured. This involves utilizing a python lib that can expose an SSO profile as a credentials process which is supported by current CDK. Install https://pypi.org/project/aws2-wrap/

pip3 install aws2-wrap==1.2.7

Then in ~/.aws/config add a wrapper profile that uses aws2-wrap to expose it as a credentials process

[profile wrapped_sso_profile]
region = us-east-2
credential_process = aws2-wrap --process --profile sso_profile

Robert Hutto
  • 1,320
  • 12
  • 7
  • 1
    If you use SSO and don't want to install the Python lib, you can just call `export AWS_PROFILE=` and then `aws sso login` manually. Afterwards, `cdk deploy` works as expected for me. – Elias Strehle Jul 23 '22 at 09:11
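
An added example (not part of any answer on this page, and not AWS or CDK code): a small Python audit of AWS CLI profile text that labels each profile's credential source as listed in the answer above and flags the duplicate-profile and missing-region problems reported elsewhere in this thread. The sample text, the function name `audit_profiles` and the finding wording are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: ~/.aws/credentials and ~/.aws/config concatenated.
# The key values are documentation-style placeholders, not real credentials.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = PLACEHOLDER-SECRET

[profile developer]
credential_process = /opt/bin/awscreds-custom --username helen

[profile sso_profile]
sso_start_url = https://sso_url.awsapps.com/start
region = us-east-2

[profile sso_profile]
sso_start_url = https://sso_url.awsapps.com/start
region = us-east-2
"""

# "[profile name]" in config; "[name]" in credentials and for the default profile.
SECTION = re.compile(r"^\[(?:profile\s+)?([^\]]+)\]$")
# First matching key decides the label (a reporting choice, not the SDK's lookup order).
SOURCES = (("credential_process", "credential_process"),
           ("sso_start_url", "sso"), ("aws_access_key_id", "static-keys"))


def audit_profiles(text):
    """Return ({profile: credential source}, [findings]) for AWS CLI config text."""
    seen, keys, current = Counter(), {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        match = SECTION.match(line)
        if match:
            current = match.group(1).strip()
            seen[current] += 1
            keys.setdefault(current, set())
        elif current and "=" in line and not line.startswith(("#", ";")):
            keys[current].add(line.split("=", 1)[0].strip())
    sources, findings = {}, []
    for name, ks in keys.items():
        sources[name] = next((lbl for key, lbl in SOURCES if key in ks), "none")
        if sources[name] == "static-keys":
            findings.append(f"{name}: long-term access key stored in plaintext")
        if seen[name] > 1:
            findings.append(f"{name}: section defined {seen[name]} times")
        if "region" not in ks:
            findings.append(f"{name}: no region set")
    return sources, findings
```

To audit real files, pass the contents of ~/.aws/config and ~/.aws/credentials joined into one string.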
2

You should explicitly set your account and region when initializing your stacks. AWS CDK CLI provides two environment variables, CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION, to determine the target at synthesis time.

new MyDevStack(app, 'dev', {
  env: {
    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: process.env.CDK_DEFAULT_REGION
  }
});

If you use these environment variables, the target account and region are fetched from your active AWS profile, e.g. --profile option.

https://docs.aws.amazon.com/cdk/latest/guide/environments.html

Vikyol
  • 5,051
  • 23
  • 24
  • 1
    Ok this makes sense however when I run 'cdk diff --profile ' it still gives me the same error. – Drew Gallagher Nov 21 '19 at 14:30
  • The docs also suggest this is "acceptable or even desirable during development, but it would probably be an anti-pattern for production use" and recommend using it as a fall-back instead e.g. `account: process.env.CDK_DEPLOY_ACCOUNT || process.env.CDK_DEFAULT_ACCOUNT,` – Davos May 18 '21 at 04:51
1

sudo was killing me...

I was getting the same error for cdk deploy. I kept running:

$ sudo cdk deploy --profile default

and getting the same error. I eventually used -v and read every line and realized it wasn't using my .aws/credentials file, but was looking for /root/.aws/credentials.

Removed sudo and everything worked just fine.

$ cdk deploy --profile default

S. Stromberg
  • 69
  • 2
  • 9
1

If you're using aws sso as your login method, once you source .venv/bin/activate, execute the following to set up your session:

aws sso login --profile profile_name

Then execute:

cdk deploy --profile profile_name

Tony
  • 500
  • 6
  • 14
0

You might be suffering from https://github.com/aws/aws-cdk/issues/5455

To work around, don't use a profile, grab access keys (your org should have a way) and export these to the environment

Otto
  • 1,787
  • 1
  • 17
  • 25
0

Not sure if this helps, but in my organization we use AWS SSO, with over 90 AWS Accounts, with MFA, so it was impossible to manage CDK without AWS CLIv2 with profiles, and AWS SSO support.

I found a way to solve it, so till it's officially released, you can use this, it works quite all right: MatsCloud blog - CDK with AWS SSO multi account multi profile

0

In ~/.aws/config the tag [default] must be alone in a new row. Example:

[someBasicUser]
[default]
aws_access_key_id = XXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXX

vencedor
  • 663
  • 7
  • 9
0

In my case I created new access keys in AWS first, which I then used as described above.

aws configure aws_access_key_id aws_secret_access_key then enter your region

Then it worked. So I assume when the error is "Unable to resolve AWS account" you have to issue new access keys, as the current one is obviously not valid anymore.

nicole
  • 1
0

I just came across this, because I had the same issue...

Using THE SAME profile identifier fixed it for me :D

I was using an _ whereas the profile name contained a -...

wzr1337
  • 3,609
  • 5
  • 30
  • 53
0

AWS CLI v2 is capable of using AWS SSO to acquire credentials natively; however the SDK that was used to develop AWS CDK is not capable of using AWS SSO natively to acquire the credentials. Hence, "credential_process" must be configured in ~/.aws/config to acquire credentials.

While configuring "credential_process", I found the Python package "aws2-wrap" (pip install aws2-wrap) to be simple and straightforward. The other package "aws-sso-credential-process" required pipx, which itself installed python@3.10 on my Mac.

0

In my case I was running the command:

npm run cdk diff my-stack --profile MyProfile

However it worked when I changed to use

npx cdk diff my-stack --profile MyProfile

This is because npm run x does not pass through --parameters to child processes.

Kim T
  • 5,770
  • 1
  • 52
  • 79
0

I just created a new profile.

aws configure --profile profile2

aws_access_key_id=XXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXX
region = us-west-2
output=text

cdk deploy --profile profile2

I tried various things and this finally helped. Just a quick note, I never added an output until the last one. Maybe a completely filled out profile helped as well.

reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html

  • `'cdk' is not recognized as an internal or external command, operable program or batch file.` – john k Sep 23 '22 at 19:51
0

In my case, when I specified my credentials using aws configure, when I pasted the apiKey it included a special character at the beginning of the credential, causing this issue. So I edited the ./aws/credentials file and removed it.

Glim
  • 361
  • 1
  • 10
0

I tried everything and in the end it was the unadjusted clock of WSL2

Fixed with

sudo ntpdate pool.ntp.org

Matias Haeussler
  • 1,061
  • 2
  • 12
  • 25
0

For me it seemed the CDK had cached a bad session and wouldn't clear it. I deleted the following directory in my home directory

    rm -Rf ~/.cdk/cache

That worked for me as it forced creation of a new cache. (be careful you're deleting the correct dir :)

Iain Hunter
  • 4,319
  • 1
  • 27
  • 13
0

In my case, I changed the region name to the region code

from: Asia Pacific (Singapore) to: ap-southeast-1

Imam Mubin
  • 294
  • 2
  • 10
0

I use AWS SSO and sometimes experience this issue when my session has expired. Calling aws sso login will still seem like it's working fine for a minute or two, but calling cdk deploy (or something similar) already fails.

Elias Strehle
  • 1,722
  • 1
  • 21
  • 34
0

AWS will give you the same error if you don't provide a valid aws_access_key_id and aws_secret_access_key.

banty
  • 1,019
  • 1
  • 8
  • 9
0

Only when I explicitly exported my creds did it work:

export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...

ChrisDanger
  • 1,071
  • 11
  • 10
0

For me this was caused by a discrepancy in the system time. As others have said, running

cdk diff -v

And carefully reading through the output helped. I found a message like this:

Unable to determine the default AWS account (SignatureDoesNotMatch): Signature expired: 20230412T092243Z is now earlier than 20230412T100504Z (20230412T102004z - 15 mins)

When I checked, my laptop time had not updated with daylight savings.

Cristophs0n
  • 1,246
  • 3
  • 19
  • 27
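
An added example (not part of the answers on this page): a Python parser for the "Signature expired" message quoted above that measures how far the local clock lags the service clock, which is the condition behind both this answer and the WSL2 clock answer earlier. The function name `clock_skew`, the returned field names and the 5-minute threshold for calling an offset "whole-hour" are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Error text as quoted in the answer above.
SAMPLE_ERROR = (
    "Unable to determine the default AWS account (SignatureDoesNotMatch): "
    "Signature expired: 20230412T092243Z is now earlier than "
    "20230412T100504Z (20230412T102004z - 15 mins)"
)

# <signed time> is now earlier than <cutoff> (<service time> - <window> mins)
PATTERN = re.compile(
    r"Signature expired: (\d{8}T\d{6})Z is now earlier than "
    r"(\d{8}T\d{6})Z \((\d{8}T\d{6})Z - (\d+) mins?\)",
    re.IGNORECASE,  # the last timestamp in the sample ends in a lowercase 'z'
)


def parse_ts(stamp):
    """Parse a compact ISO 8601 basic timestamp (without the trailing Z) as UTC."""
    return datetime.strptime(stamp, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)


def clock_skew(message):
    """Return skew details from a 'Signature expired' error, or None if absent."""
    match = PATTERN.search(message)
    if not match:
        return None
    signed, cutoff, service_now = (parse_ts(g) for g in match.group(1, 2, 3))
    window = int(match.group(4)) * 60
    behind = int((service_now - signed).total_seconds())
    nearest_hour = round(behind / 3600) * 3600
    # Assumption: within 5 minutes of a non-zero whole hour points at a
    # timezone or DST setting rather than gradual drift.
    if nearest_hour != 0 and abs(behind - nearest_hour) <= 300:
        cause = "whole-hour offset (timezone or DST setting)"
    else:
        cause = "clock drift (resync with NTP)"
    return {
        "client_behind_s": behind,
        "window_s": window,
        "cutoff_consistent": int((service_now - cutoff).total_seconds()) == window,
        "likely_cause": cause,
    }
```

For the quoted message the local clock is 3441 seconds (about 57 minutes) behind the service, well outside the 15-minute window.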
0

If you have multiple profiles in your ~/.aws/config, for instance,

[profile prod]
sso_start_url = https://sso.com
sso_region = us-east-1
sso_account_id = <account_id>
sso_role_name = <role_name>
region = us-east-1
output = json


[profile dev]
sso_start_url = https://sso.com
sso_region = us-east-1
sso_account_id = <account_id>
sso_role_name = <role_name>
region = us-east-1
output = json

Then run your CDK command specifying the profile you want to use in an environment variable.

AWS_PROFILE=dev cdk diff

Archmede
  • 1,592
  • 2
  • 20
  • 37
-3

Just type

aws configure

in your shell and then type

aws_access_key_id

aws_secret_access_key

then enter your region

If you are not sure of your region, sign in to the Console, then have a look at the end of the URL bar; I'm sure you'll find it.

Nauman
  • 8
  • 3