Error: Need to perform AWS calls for account 000, but no credentials have been configured

[rcbyron]

Error running cdklocal bootstrap & deploy

Environment aws://000/us-west-2 failed bootstrapping: Error: Need to perform AWS calls for account 000, but no credentials have been configured

I am running localstack start in one powershell and cdklocal bootstrap/deploy in another. I also tried once with localstack started in a docker container and mapped to my computer's "localhost:4566"

Everything works fine when I actually deploy to AWS/CDK but does not work when I try localstack/CDK.

Troubleshooting

I feel like I've tried just about everything to get this to work, but no luck yet (including solutions from the other issues like #36 (comment) & #38). Here's what I've tried:

• Deleting node_modules and cdk.out, then combinations of installing aws-cdk-local 1.65.3 & aws-cdk 1.86.0/1.89.0, globally/locally

• Executing locally installed packages via "npx" command (e.g. npx cdklocal bootstrap)

• Using cdklocal --profile flag with my actual account name and also with "default"

Setup

I can start my localstack just fine on Windows 10 and also in docker:
http://localhost:4566/health

"services": {
"cloudwatch": "running",
"iam": "running",
"lambda": "running",
"logs": "running",
"apigateway": "running"
}

C:/Users/me/.aws/config

[default]
sso_start_url = https://________.com/start
sso_region = us-west-2
sso_account_id = 9999999
sso_role_name = 9999999_MyRoleName
region = us-west-2
ca_bundle = C:\Program Files\Amazon\AWSCLIV2\mycert.pem
output = json[default]

C:/Users/me/.aws/credentials

[default]
aws_access_key_id=test
aws_secret_access_key=test
region=us-west-2

[(my account id)]
aws_access_key_id=(my key id)
aws_secret_access_key=(my access key)
aws_session_token=(my token)
region=us-west-2

package.json

"devDependencies": {
  ...
  "aws-cdk": "1.86.0",
  "aws-cdk-local": "^1.65.3",
  "typescript": "~3.9.7"
},
"dependencies": {
  "@aws-cdk/aws-ec2": "1.86.0",
  "@aws-cdk/aws-apigateway": "1.86.0",
  "@aws-cdk/aws-lambda": "1.86.0",
  "@aws-cdk/aws-logs": "1.86.0",
  "@aws-cdk/core": "1.86.0",
  ...
}

[whummer]

Thanks for reporting @rcbyron . Can you please try including sts in the list of SERVICES as well? CDK seems to require STS to determine the test account ID to be used locally. Thanks

[rcbyron]

I am still receiving the same error after enabling STS and all services

[whummer]

Thanks for the update @rcbyron . Any updates for this - can you please try again after removing any relevant metadata in ~/.cdk, cdk.out or other local folders? Also, is there a way to find out where the 000 account ID is coming from - can it be found in any of the local metadata/cache files? Thanks for your help.

[rcbyron]

@whummer I tried deleting cdk.out with no luck. The 000 account ID comes from my environment file when creating my root stack. I've tried with my actual account ID but the result is the same.

const app = new cdk.App();
new MyRootCdkStack(app, 'MyRootCdkStack', process.env.boundaryPolicyArn, {
	env: { region: process.env.region, account: process.env.account }, // <-- 000 account ID gets set here from environment file
});

export class MyRootCdkStack extends cdk.Stack {
	constructor(scope: cdk.Construct, id: string, boundaryPolicyArn: string | undefined, props?: cdk.StackProps) {
		super(scope, id, props);

		Aspects.of(scope).add(new PermissionsBoundary(boundaryPolicyArn));

		const lambdaStack = new LambdaStack(this, 'MyLambdaStack', { env: props?.env }); // <-- fails here
		const apiGatwayStack = new ApiGatewayStack(this, 'MyApiGatewayStack', lambdaStack.lambdaFunctions, { env: props?.env });
	}
}

This stack creates the PermissionsBoundary (custom class) successfully, and then tries to create a lambda/API gateway stack. It shows the Need to perform AWS calls for account 000 error message after trying to create the lambda stack.

[rcbyron]

Output from cdklocal deploy MyRootStack --profile my_profile

Successfully made it to the end of the permission boundary class <-- console.log
Successfully made it to the end of the lambda stack class <-- console.log
Successfully made it to the end of the api gateway stack class <-- console.log
Need to perform AWS calls for account 000, but no credentials have been configured

Output from cdklocal deploy MyApiGatewayStack --profile my_profile

Successfully made it to the end of the permission boundary class <-- console.log
Successfully made it to the end of the lambda stack class <-- console.log
Successfully made it to the end of the api gateway stack class <-- console.log
Including dependency stacks: MyRootCdkStackMyLambdaStackAB192434
MyRootCdkStackMyLambdaStackAB192434
Need to perform AWS calls for account 000, but no credentials have been configured

[ajaysuwalka]

This issue is also coming from

Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Unable to determine the default AWS account: TypeError: Cannot redefine property: saml
    at Function.defineProperty ()
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:11:14
    at Array.forEach ()
    at IniLoader.parseFile (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:8:26)
    at IniLoader.loadFrom (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js:56:30)
    at Object.getProfilesFromSharedConfig (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/util.js:969:42)
    at ProcessCredentials.load (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:75:31)
    at ProcessCredentials.coalesceRefresh (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:122:12)

How to check if it's due to profile name conflicts

<original command> --profile saml -v

When can it happen when you have same entry in ~/.aws/config with profile like

[saml]
output = json
region = us-east-1
aws_access_key_id = ASIA
aws_secret_access_key = Europe


[profile saml]
region = us-east-1

Or

[someName]
output = json
region = us-east-1
aws_access_key_id = ASIA
aws_secret_access_key = Europe


[profile someName]
region = us-east-1

Notice
profile saml and saml

There's this code in /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/shared-ini/ini-loader.js

Object.keys(content).forEach(function(profileName) {
      var profileContent = content[profileName];
      profileName = isConfig ? profileName.replace(/^profile\s/, '') : profileName;
      Object.defineProperty(tmpContent, profileName, {
        value: profileContent,
        enumerable: true
      });
    });

It tries to define the saml property again and that's where it fails

How to resolve?

Remove the entry with [profile <some-name>]

[moltar]

Same issue here. Even bootstrapping does not work.

❯ cdklocal bootstrap            
'@aws-cdk/core:newStyleStackSynthesis' context set, using new-style bootstrapping
 ⏳  Bootstrapping environment aws://708XXXXXXXXX/ap-northeast-1...
 ❌  Environment aws://708XXXXXXXXX/ap-northeast-1 failed bootstrapping: Error: Need to perform AWS calls for account 708XXXXXXXXX, but the current credentials are for 000000000000

My stacks are configured to deploy to specific environments with hard-coded account IDs.

[whummer]

Thanks for the updated @moltar @ajaysuwalka . Can you please share the detailed log output with verbose logging enabled:

$ cdklocal -vvv --debug bootstrap

(Please make sure that no sensitive details from the logs get shared here.) Thanks!

[ajaysuwalka]

@whummer Sorry but that's really outdated stuff now, but the method that I had specified, works fine.

[edible-programs]

Getting the error Need to perform AWS calls for account 7------------, but no credentials have been configured. I checked on localhost:4566 that Localstack is running.
These are the relevant logs

Looking up default account ID from STS
[AWS sts undefined 7.014s 6 retries] getCallerIdentity({})
Unable to determine the default AWS account: UnknownEndpoint: Inaccessible host: `localhost' at port `4566'. This service may not be available in the `us-west-2' region.
    at Request.ENOTFOUND_ERROR ([--]/node_modules/aws-cdk/node_modules/aws-sdk/lib/event_listeners.js:529:46)
    at Request.callListeners ([--]/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit ([--]/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit ([--]/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:686:14)
    at error ([--]/node_modules/aws-cdk/node_modules/aws-sdk/lib/event_listeners.js:361:22)
    at ClientRequest.<anonymous> ([--]/node_modules/aws-cdk/node_modules/aws-sdk/lib/http/node.js:99:9)
    at ClientRequest.emit (node:events:390:28)
    at ClientRequest.emit (node:domain:475:12)
    at Socket.socketErrorListener (node:_http_client:447:9)
    at Socket.emit (node:events:390:28) {
  code: 'UnknownEndpoint',
  region: 'us-west-2',
  hostname: 'localhost',
  retryable: true,
  originalError: Error: connect ECONNREFUSED ::1:4566
      at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1161:16) {
    errno: -61,
    code: 'NetworkingError',
    syscall: 'connect',
    address: '::1',
    port: 4566,
    region: 'us-west-2',
    hostname: 'localhost',
    retryable: true,
    time: 2021-12-21T18:40:47.551Z
  },
  time: 2021-12-21T18:40:47.551Z
}

[thorayi]

We get the same error (Need to perform AWS calls for account 1------------, but no credentials have been configured) for cdk deploy when using a config file with credential process in a source_profile. However, the approach works fine when using credential_process without being referred through source_profile

[profile srcdev]
credential_process = 
region = us-west-2

[profile dev]
source_profile = srcdev
role_arn = arn:aws:iam::123456789:role/deploy_role
role_session_name = XYZ
region = us-west-2

[chefren]

For anyone else landing here, found a summary of similar issues and pasted answer here

See also:

• CDK errors with no credentials have been configured if credentials file does not exist aws/aws-cdk#6947
• [Error at /MyStack] Need to perform AWS calls for account ***, but no credentials have been configured aws-actions/configure-aws-credentials#228

[dominikschubert]

Feel free to reopen if any new issues regarding this come up. For now it seems like this issue has been handled in multiple locations already and doesn't directly involve the wrapper script here.

[joe4dev]

@edible-programs Your issue might be related to a breaking change in Nodejs v17 as cdklocal tries to connect to an IPv6 address Error: connect ECONNREFUSED ::1:4566
See #76

As a workaround, you can set export LOCALSTACK_HOSTNAME=127.0.0.1

[joe4dev]

@edible-programs We just (2023-02-15T12:22:38.576Z) released a new version of aws-cdk-local 2.17.0, which implements an IPv4 fallback to fix IPv6-related issues on macOS.
See: #80

[godwintrav]

Hi Having this issue when I try to bootstrap localstack on AWS Codebuild. This is the error:
Environment aws://000000000000/eu-west-2 failed bootstrapping: Error: Need to perform AWS calls for account 000000000000, but no credentials have been configured

[anentropic]

I have the same problem in CircleCI

I am just trying to run cdklocal synth so that cdk-nag checks are validated

it works locally, without even the localstack container running, but same thing in CircleCI gives "Need to perform AWS calls for account 000000000000, but no credentials have been configured"

I have the accountid hardcoded to 000000000000 in the stack