Serverless config credentials not working when serverless.yml file present

Question

We're trying to deploy our lambda using serverless on BitBucket pipelines, but we're running into an issue when running the serverless config credentials command. This issue also happens in docker containers, and locally on our machines.

This is the command we're running:

serverless config credentials --stage staging --provider aws --key $AWS_ACCESS_KEY --secret $AWS_ACCESS_SECRET

And it gives us the error:

Error: Profile default does not exist

The profile is defined in our serverless.yml file. If we rename the serverless file before running the command, it works, and then we can then put the serverless.yml file back and successfully deploy.

e.g.

            - mv serverless.yml serverless.old
            - serverless config credentials --stage beta --provider aws --key $AWS_ACCESS_KEY --secret $AWS_ACCESS_SECRET
            - mv serverless.old serverless.yml

We've tried adding the --profile default switch on there, but it makes no difference.

It's worth noting that this wasn't an issue until we started to use the SSM Parameter Store within the serverless file, the moment we added that, it started giving us the Profile default does not exist error.

serverless.yml (partial)

service: our-service

provider:
  name: aws
  runtime: nodejs12.x
  region: eu-west-1
  profile: default
  stage: ${opt:stage, 'dev'}

  iamRoleStatements:
    - Effect: 'Allow'
      Action: 'ssm:GetParameter'
      Resource:
        - 'arn:aws:ssm:eu-west-1:0000000000:parameter/our-service-launchdarkly-key-dev'
        - 'arn:aws:ssm:eu-west-1:0000000000:parameter/our-service-launchdarkly-key-beta'
        - 'arn:aws:ssm:eu-west-1:0000000000:parameter/our-service-launchdarkly-key-staging'
        - 'arn:aws:ssm:eu-west-1:0000000000:parameter/our-service-launchdarkly-key-live'
    - Effect: 'Allow'
      Action: 'kms:Decrypt'
      Resource:
        - 'arn:aws:kms:eu-west-1:0000000000:key/alias/aws/ssm'

  environment:
    LAUNCH_DARKLY_SDK_KEY: ${self:custom.launchDarklySdkKey.${self:provider.stage}}

custom:
  stages:
    - dev
    - beta
    - staging
    - live

  launchDarklySdkKey:
    dev: ${ssm:/our-service-launchdarkly-key-dev~true}
    beta: ${ssm:/our-service-launchdarkly-key-beta~true}
    staging: ${ssm:/our-service-launchdarkly-key-staging~true}
    live: ${ssm:/our-service-launchdarkly-key-live~true}

plugins:
  - serverless-offline
  - serverless-stage-manager

...

TLDR: serverless config credentials only works when serverless.yml isn't present, otherwise it complains about profile default not existing, only an issue when using SSM Param store in the serverless file.

Answer 1

The profile attribute in your serverless.yaml refers to saved credentials in ~/.aws/credentials. If a [default] entry is not present in that file, serverless will complain. I can think of 2 possible solutions to this:

1. Try removing profile from your serverless.yaml completely and using environment variables only.

2. Leave profile: default in your serverless.yaml but set the credentials in ~/.aws/credentials like this:

[default]
aws_access_key_id=***************
aws_secret_access_key=***************

If you go with #2, you don't have to run serverless config credentials anymore.