Need to perform AWS calls for account xxx, but no credentials have been configured

Question

I'm trying to deploy my stack to aws using cdk deploy my-stack. When doing it in my terminal window it works perfectly, but when im doing it in my pipeline i get this error: Need to perform AWS calls for account xxx, but no credentials have been configured. I have run aws configure and inserted the correct keys for the IAM user im using.

So again, it only works when im doing manually in the terimal but not when the pipeline is doing it. Anyone got a clue to why I get this error?

Answer 1

I encountered the same error message on my Mac. I had ~/.aws/config and credentials files set up. My credentials file had a user that didn't exist in IAM. For me, the solution was to go back into IAM in the AWS Console; create a new dev-admin user and add AdministratorAccess privileges like this .. Then update my ~/.aws/credentials file with the new [dev-admin] user and added the keys which are available under the "Security Credentials" tab on the Summary page shown above. The credentials entry looks like this..

[dev-admin]
aws_access_key_id=<your access key here>
aws_secret_access_key=<your sevret access key here>

I then went back into my project root folder and ran

cdk deploy --profile dev-admin -v

Not sure if this is the 'correct' approach but it worked for me.

Answer 2

If you are using a named profile other than 'default', you might want to pass the name of the profile with the --profile flag.

For example:

cdk deploy --all --profile mynamedprofile

If you are deploying a stack or a stage you can explicitly specify the environment you are deploying resources in. This is important for cdk-pipelines because the AWS Account where the Pipeline construct is created can be different from where the resources get dployed. For example (C#):

Env = new Amazon.CDK.Environment()
{
    Account = "123456789",
    Region = "us-east-1"
}

See the docs

Answer 3

If you get this error you might need to bootstrap the account in question. And if you have a tools/ops account you need to trust this from the "deployment" accounts.

Here is an example with dev, prod and tools:

cdk bootstrap <tools-account-no>/<region> --profile=tools;
cdk bootstrap <dev-account-no>/<region> --profile=dev;
cdk bootstrap <prod-account-no>/<region> --profile=prod;

cdk bootstrap --trust <tools-account-no> --profile=dev --cloudformation-execution-policies 'arn:aws:iam::aws:policy/    AdministratorAccess';
cdk bootstrap --trust <tools-account-no> --profile=prod --cloudformation-execution-policies 'arn:aws:iam::aws:policy/   AdministratorAccess';
cdk bootstrap --trust <tools-account-no> --profile=tools --cloudformation-execution-policies 'arn:aws:iam::aws:policy/  AdministratorAccess';

Note that you need to commit the changes to cdk.context.json