'AWS CDK deploy from circleCi fails with credential error but other aws services do not

I am running a cdk deploy build on circleCi, and when the step CDK deploy comes it gives me "Need to perform AWS calls for account ************, but no credentials have been configured".

But for the troubleshooting i tried other commands as well like aws s3 ls aws aws cloudformation list-stacks

These above commands we working fine, also able to run command to create a cloudformation with same config but not able to run cdk deploy. the access key and secret i am using has Admin access.

aws-cdk


Solution 1:[1]

Set the creds with a profile name using aws-cli Orb in CircleCI and try using the below command to deploy with CDK

cdk deploy --all --profile cdkprofile

For reference, in CircleCI

orbs:
  aws-cli: circleci/[email protected]

commands:
  env-setup:
    description: AWS Env Setup
    steps:
      - aws-cli/setup:
          profile-name: cdkprofile
          aws-access-key-id: AWS_ACCESS_KEY_ID 
          aws-secret-access-key: AWS_SECRET_ACCESS_KEY

And assumption is AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set as CircleCI env variables

Solution 2:[2]

As a starting note: The best way to troubleshoot is with cdk [command] --verbose (see CLI ref)

CDK has an internal mechanism for finding credentials not directly using AWS CLI (AWS CLI is not a requirement for CDK ro tun)

In a similar situation with a CI tool, the issue was simply that the ~/.aws/credentials file did not exist (not that you need it with AWS CLI, but in the situation for CDK, it was required)

Credit to this issue reporting: https://github.com/aws/aws-cdk/issues/6947#issue-586402006

Solution tested for above:

For an EC2 running CI tool, with EC2 IAM role

Where ~/.aws/config exists and defined profile(s) with:

  • credential_source = Ec2InstanceMetadata
  • role_arn = arn:aws:iam:::role/role-to-assume-in-acctId

Create empty ~/.aws/credentials file

Example error for the problem solved above (from verbose output)

Resolving default credentials
Notices refreshed
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile myprofile did not include credential process

Other causes found in other issues/comments could relate to:

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 omuthu
Solution 2 Efren

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function