cdk <command> --profile <named profile> tries default regardless #5053

Open
dxunix opened this issue Nov 15, 2019 · 35 comments
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort language/python Related to Python bindings p1 package/tools Related to AWS CDK Tools or CLI

Comments

@dxunix

dxunix commented Nov 15, 2019

cdk commands do not pick up the named profile from .aws/credentials and .aws/config. The profile is configured through aws configure and in the format specified in the AWS doc (two files: [<profile name>] in the credentials file and [profile <profile name>] in the config file).

Reproduction Steps

create the profile
specify account number and region in the stack env.
run cdk synth or cdk deploy with --profile <profile name>

Error Log

[Error at /test-stack] Need to perform AWS calls for account ************, but no credentials found. Tried: default credentials.
Found errors

Environment

  • CLI Version : 1.16.3
  • Framework Version: 1.16.3
  • OS : mac os
  • Language : python

Other

Also tried to remove the [default] blocks in the .aws/ files, still same error.


This is 🐛 Bug Report

@dxunix dxunix added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 15, 2019
@dxunix
Author

dxunix commented Nov 15, 2019

This problem seems to be triggered when I try to import an existing resource of the account into the stack, such as when I make an ec2.Vpc.from_lookup(...) call.

@SomayaB SomayaB added language/python Related to Python bindings package/tools Related to AWS CDK Tools or CLI labels Nov 15, 2019
@dxunix
Author

dxunix commented Nov 20, 2019

Any updates @SomayaB and @shivlaks ? Thanks!

@shivlaks
Contributor

@dxunix have you taken a look at #1656

@shivlaks shivlaks added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 20, 2019
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Nov 20, 2019
@dxunix
Author

dxunix commented Nov 21, 2019

@shivlaks Yes I did. My case is ok to deploy with profile. So that works. But the problem is I am using methods such as ec2.Vpc.from_lookup(), so cdk will need to login to aws to get the existing resource info. That's where the problem came up.

I didn't try the plug-in. Thought the CDK should work natively with the profile...

@SomayaB SomayaB removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 21, 2019
@shivlaks
Contributor

@dxunix I see what you mean. I'll have to give that a repro, but please let me know if the plugin works for you.

@SomayaB SomayaB added needs-reproduction This issue needs reproduction. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Nov 21, 2019
@dxunix
Author

dxunix commented Nov 21, 2019

@shivlaks: OK. I have a feeling this is something to do with VPC only.

Without specifying the account ID, it works in other from*** methods for other resources. VPC needs the account ID, thus I got the error.

jsii.errors.JSIIError: Cannot retrieve value from context provider vpc-provider since account/region are not specified at the stack level. Either configure "env" with explicit account and region when you define your stack, or use the environment variables "CDK_DEFAULT_ACCOUNT" and "CDK_DEFAULT_REGION" to inherit environment information from the CLI (not recommended for production stacks)
Subprocess exited with error 1

add account to env

$ cdk synth --profile sbx
vpc is vpc-12345
vpc is vpc-12345
[Error at /ecs-test-stack] Need to perform AWS calls for account ************, but no credentials found. Tried: default credentials.

Also worth noting: we are using SAML to get the keys. Therefore, there is a token as well. I don't know if this is the reason it is off.

@shivlaks
Contributor

shivlaks commented Nov 22, 2019

@dxunix does running the command with --verbose provide any additional information?
Thanks for mentioning SAML, it might be a detail of significance but I'm not sure at this point.

@dxunix
Author

dxunix commented Nov 22, 2019

@shivlaks , see the verbose output. The credential is fed in from the env variables including TOKEN.

cdk synth --verbose
CDK toolkit version: 1.17.1 (build fa4cb1f)
Command line arguments: {
  _: [ 'synth' ],
  verbose: true,
  v: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  '$0': '/usr/local/bin/cdk'
}
Determining whether we're on an EC2 instance.
Does not look like EC2 instance.
cdk.json: {
  "app": "python3 app.py"
}
cdk.context.json: {
  "@aws-cdk/core:enableStackNameDuplicates": "true"
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'python3 app.py',
  context: {},
  tags: [],
  assetMetadata: true,
  toolkitBucket: {},
  staging: true
}
Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Looking up default account ID from STS
Default account ID: ------------6
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ------------6
context: {
  '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_DEFAULT_ACCOUNT: '------------6',
  CDK_CONTEXT_JSON: '{"@aws-cdk/core:enableStackNameDuplicates":"true","aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.17.1'
}
vpc is vpc-12345
Some context information is missing. Fetching...
Setting "vpc-provider:account=------------:filter.vpc-id=vpc-0000000000000000:region=us-east-1:returnAsymmetricSubnets=true" context to {"$providerError":"Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.","$dontSaveContext":true}
Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ------------6
context: {
  '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'vpc-provider:account=------------:filter.vpc-id=vpc-0000000000000000:region=us-east-1:returnAsymmetricSubnets=true': {
    '$providerError': 'Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.',
    '$dontSaveContext': true
  },
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_DEFAULT_ACCOUNT: '------------6',
  CDK_CONTEXT_JSON: '{"@aws-cdk/core:enableStackNameDuplicates":"true","vpc-provider:account=------------:filter.vpc-id=vpc-0000000000000000:region=us-east-1:returnAsymmetricSubnets=true":{"$providerError":"Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.","$dontSaveContext":true},"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.17.1'
}
vpc is vpc-12345
Not making progress trying to resolve environmental context. Giving up.
[Error at /ecs-test-stack] Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.
  ConstructNode.addError (/private/var/folders/zc/h552c9kn7_jg_2k6xz15r_v40000gp/T/jsii-kernel-UcjXI5/node_modules/@aws-cdk/core/lib/construct.js:285:14)
  Function.getValue (/private/var/folders/zc/h552c9kn7_jg_2k6xz15r_v40000gp/T/jsii-kernel-UcjXI5/node_modules/@aws-cdk/core/lib/context-provider.js:50:28)
  Function.fromLookup (/private/var/folders/zc/h552c9kn7_jg_2k6xz15r_v40000gp/T/jsii-kernel-UcjXI5/node_modules/@aws-cdk/aws-ec2/lib/vpc.js:375:51)
  /Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7603:51
  Kernel._wrapSandboxCode (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8202:20)
  /Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7603:25
  Kernel._ensureSync (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8178:20)
  Kernel.sinvoke (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7602:26)
  KernelHost.processRequest (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7293:28)
  KernelHost.run (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7233:14)
  Immediate._onImmediate (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7236:37)
  processImmediate (internal/timers.js:439:21)
Found errors
Error: Found errors
    at AppStacks.processMetadata (/usr/local/lib/node_modules/aws-cdk/lib/api/cxapp/stacks.ts:316:13)
    at cliSynthesize (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:309:15)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at main (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:232:16)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:160:9)

@SomayaB SomayaB removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 25, 2019
@dxunix
Author

dxunix commented Dec 3, 2019

@shivlaks Is there a plan to fix bugs like these?

@vzakharchenko

vzakharchenko commented Dec 4, 2019

This solution works for me:

~/.aws/config

[profile testProfile]
region = us-east-1

~/.aws/credentials

[testProfile]
role_arn = arn:aws:iam::...
aws_access_key_id = *****
aws_secret_access_key = *********
source_profile=testProfile

command to deploy:
cdk deploy --profile=testProfile

Environment

  • CDK_CLI_ASM_VERSION: '1.16.0',
  • CDK_CLI_VERSION: '1.18.0'
  • OS : mac os
  • Language : java

@shivlaks
Contributor

@dxunix yes, but I'm still a little unclear on the repro steps... What does your stack code look like (particularly environment setup and where you're attempting to use the fromLookup)? I'm also curious what your cdk.context.json looks like. Please redact information as needed.

@shivlaks shivlaks added the p2 label Dec 10, 2019
@SomayaB SomayaB added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 10, 2019
@tomassommar

tomassommar commented Dec 11, 2019

@shivlaks I have the same issue. It seems that the source_profile in ~/.aws/config does not use the corresponding credentials in ~/.aws/credentials.

@SomayaB SomayaB added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Dec 18, 2019
@SomayaB SomayaB removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Dec 30, 2019
@foscraig

foscraig commented Jul 23, 2020

@shivlaks I am also seeing this error. It is coming from the context. However, I've destroyed context continuously; i.e. used cdk context --clear, manually deleted cdk.context.json. I have followed the workaround suggested by @vzakharchenko above but to no avail. I see similar behavior pasted above by @dxunix. The CDK gets the proper credentials for my profile's account, but it fetches context for stuff in the default profile account and therefore finds VPC info that I'm not looking for. Where's it getting this if there's no local context?

ACCOUNT_A == default profile
ACCOUNT_B == new target profile

<snip/>
Does not look like EC2 instance.
Toolkit stack: CDKToolkit
Setting "CDK_DEFAULT_REGION" environment variable to us-west-2
Resolving default credentials
Retrieved account ID ACCOUNT_B from disk cache
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ACCOUNT_B
context: {
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-west-2',
  CDK_DEFAULT_ACCOUNT: 'ACCOUNT_B',
  CDK_CONTEXT_JSON: '{"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '5.0.0',
  CDK_CLI_VERSION: '1.51.0'
}

I expect the above.

I don't expect the below.

<snip/>
Some context information is missing. Fetching...
Reading AZs for ACCOUNT A:us-west-2
Setting "availability-zones:account=ACCOUNT_A:region=us-west-2" context to {"$providerError":"Need to perform AWS calls for account ACCOUNT_A, but the current credentials are for ACCOUNT_B.","$dontSaveContext":true}
Setting "vpc-provider:account=ACCOUNT_A:filter.tag:Name=infraStack/CodeBuild VPC:region=us-west-2:returnAsymmetricSubnets=true" context to {"$providerError":"Need to perform AWS calls for account ACCOUNT_A, but the current credentials are for ACCOUNT_B.","$dontSaveContext":true}
Setting "CDK_DEFAULT_REGION" environment variable to us-west-2
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ACCOUNT_B

Environment:

CDK_CLI_VERSION: '1.51.0'
Mac OS 10.14.6
Language: Java

@aw-huit

aw-huit commented Aug 12, 2020

Same or similar issue here with cdk 1.57.0. Running cdk synth --profile <profile name>.

  Error: Cannot retrieve value from context provider vpc-provider since account/region are not specified at the stack level. Either configure "env" with explicit account and region when you define your stack, or use the environment variables "CDK_DEFAULT_ACCOUNT" and "CDK_DEFAULT_REGION" to inherit environment information from the CLI (not recommended for production stacks)
      at Function.getValue (/private/var/folders/vk/ztyb56817vx3n12hzcjpfv1r0000gp/T/jsii-kernel-jLl9SS/node_modules/@aws-cdk/core/lib/context-provider.js:42:19)
      at Function.fromLookup (/private/var/folders/vk/ztyb56817vx3n12hzcjpfv1r0000gp/T/jsii-kernel-jLl9SS/node_modules/@aws-cdk/aws-ec2/lib/vpc.js:460:51)
      at /Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7768:51
      at Kernel._wrapSandboxCode (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8398:19)
      at /Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7768:25
      at Kernel._ensureSync (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8371:20)
      at Kernel.sinvoke (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7767:26)
      at KernelHost.processRequest (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7446:28)
      at KernelHost.run (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7384:14)
      at Immediate._onImmediate (/Users/anw306/MyEcsConstruct/.env/lib/python3.8/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7387:37)
      at processImmediate (internal/timers.js:458:21)

What I did was follow the example provided by AWS: https://docs.aws.amazon.com/cdk/latest/guide/ecs_example.html. But since I want to use an existing VPC, I added this in my_ecs_construct_stack.py:

        vpc = ec2.Vpc.from_lookup(self, "VPC",
             vpc_id='vpc-xxxxxxxxx', is_default=False)

Maybe there is something else I need to do first?

Hard-coding the account number in the code or setting environment variables is not an acceptable solution for us since we have over 40 accounts to manage.

@polothy
Contributor

polothy commented Apr 8, 2021

We just switched to AWS SSO and ran into this same problem. Our profiles looked similar to what @seekayel posted (but no access keys). Then we switched to AWS SSO and are getting the same error everyone is reporting, e.g.:

Need to perform AWS calls for account 11111111, but no credentials have been configured

Maybe this is helpful (from cdk diff --verbose):

Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Unable to determine the default AWS account: ProcessCredentialsProviderFailure: Profile MY_PROFILE did not include credential process
    at ProcessCredentials.load (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:102:11)
    at ProcessCredentials.coalesceRefresh (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:205:12)
    at ProcessCredentials.refresh (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/process_credentials.js:163:10)
    at ProcessCredentials.get (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:122:12)
    at resolveNext (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:125:17)
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials/credential_provider_chain.js:126:13
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:124:23
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/credentials.js:212:15
    at processTicksAndRejections (node:internal/process/task_queues:76:11) {
  code: 'ProcessCredentialsProviderFailure',

@polothy
Contributor

polothy commented Apr 8, 2021

Sorry for the noise, looks like there is another issue tracking AWS SSO: #5455

@rix0rrr rix0rrr removed their assignment Jun 3, 2021
@erwinverdonk

What @tomassommar said is the correct cause of this issue: "It seems that the source_profile in ~/.aws/config does not use the corresponding credentials in ~/.aws/credentials."

The CDK CLI seems to search for both the config and credentials with the same name as the profile provided. When the credentials are under a different name than the config, but referenced with "source_profile", it does not work.

@ann8ty

ann8ty commented Feb 8, 2022

cdk bootstrap aws://ACCOUNT/REGION --profile PROFILENAME

Seems pretty straightforward that this should just work, but it doesn't.

failed bootstrapping: Error: Need to perform AWS calls for account 475466387505, but no credentials have been configured

I have three profiles configured in ~/.aws/config but no default (removed per debug steps).
I deleted and then recreated an empty ~/.aws/credential.

My credential is an AWS SSO type.
I am SSO logged in and aws commands work with --profile.

cdk --version
2.11.0 (build f7148c5)

@rafzei

rafzei commented Jun 14, 2022

Try with the --verbose flag to get the error. In my case, it was Unable to determine the default AWS account: InvalidClientTokenId: The security token included in the request is invalid. And it turned out that aws_secret_access_key contains the plus (+) sign that causes the issue.

@RajasGujarathi

I am facing exactly the same issue. When passing --profile with cdk bootstrap

node --version
v16.15.0
npm --version
8.10.0
cdk --version
2.28.1 (build d035432)

My command looks something like this
cdk bootstrap --termination-protection --profile=$AWS_PROFILE aws://<AWS_ACCOUNT>/<AWS_REGION>

@praneetloke

Another case when the credential lookup fails. If you used upper-case for the access key id and secret key in your credentials file, CDK seems to fail. For example,

This doesn't work:

[some_profile]
AWS_ACCESS_KEY_ID=xxxxxxx
AWS_SECRET_ACCESS_KEY=xxxxxx

but this does:

[some_profile]
aws_access_key_id=xxxxxxx
aws_secret_access_key=xxxxxx

Note that the AWS CLI itself seems to be case-insensitive but CDK doesn't seem to be. That is, I am able to run aws sts get-caller-identity --profile some_profile without any issues regardless of which case the credentials file uses for the property names. I don't know if this is an issue with CDK or perhaps some other underlying lib that it depends on for credentials lookup.

@zdev24

zdev24 commented Aug 22, 2023

Another case when the credential lookup fails. If you used upper-case for the access key id and secret key in your credentials file, CDK seems to fail. For example,

This doesn't work:

[some_profile]
AWS_ACCESS_KEY_ID=xxxxxxx
AWS_SECRET_ACCESS_KEY=xxxxxx

but this does:

[some_profile]
aws_access_key_id=xxxxxxx
aws_secret_access_key=xxxxxx

Note that the AWS CLI itself seems to be case-insensitive but CDK doesn't seem to be. That is, I am able to run aws sts get-caller-identity --profile some_profile without any issues regardless of which case the credentials file uses for the property names. I don't know if this is an issue with CDK or perhaps some other underlying lib that it depends on for credentials lookup.

Exactly, a case-sensitivity problem. My code works after changing to lower case: "aws_access_key_id", etc... Thanks @praneetloke
We just use lower case, then cdk --profile works fine!!! Still alive!!!

@johnalupton

Hi - I got this to work

~/.aws/credentials

[default]
aws_access_key_id = aaaaaaaaaaaaaaaaaaaa
aws_secret_access_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

[london]
aws_access_key_id = bbbbbbbbbbbbbbbbbbbb
aws_secret_access_key = bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb


[paris]
aws_access_key_id = cccccccccccccccccccc
aws_secret_access_key = cccccccccccccccccccccccccccccccccccccccc

~/.aws/config

[default]
output = json
region = eu-west-3

[profile london]
region = eu-west-2

[profile paris]
region = eu-west-3


then

cdk bootstrap --profile london etc. work as you'd hope

@jedrekdomanski
Contributor

I have the same problem. I have configured my named profile but when I try to cdk deploy I get an error saying Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment

~/.aws/credentials

[jedrek]
AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxx
AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxx

~/.aws/config

[profile jedrek]
region = eu-central-1
output = json
cli_pager =

My app is configured to look for CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION.

new AiCaptionCraftStack(app, 'AiCaptionCraftStack', {
  env: {
    account: process.env.CDK_DEFAULT_ACCOUNT,
    region: process.env.CDK_DEFAULT_REGION
  }
});

I can list files in my S3 bucket using my named profile

aws s3 ls --profile jedrek
2022-10-31 12:47:28 cdk-hnb659fds-assets-317905390022-eu-central-1
2022-10-31 13:03:11 cdk-hnb659fds-assets-317905390022-us-east-1
2023-01-22 15:36:33 elasticbeanstalk-eu-central-1-317905390022

Even without the flag --profile by export AWS_PROFILE=jedrek I can list my files in S3 bucket

aws s3 ls
2022-10-31 12:47:28 cdk-hnb659fds-assets-317905390022-eu-central-1
2022-10-31 13:03:11 cdk-hnb659fds-assets-317905390022-us-east-1
2023-01-22 15:36:33 elasticbeanstalk-eu-central-1-317905390022

I console-logged the environment available to the process when I run cdk deploy and I don't see CDK_DEFAULT_ACCOUNT nor CDK_DEFAULT_REGION

console.log("environment variables " + JSON.stringify(process.env));

I have two other AWS accounts configured with SSO
~/.aws/credentials

[xxxxx_NonProdDeveloperAccess]
aws_access_key_id=xxxxxxxxx
aws_secret_access_key=xxxxxxxxx
aws_session_token=xxxxxxx

~/.aws/config

[profile Prod-dev]
sso_start_url = https://xxxxxx
sso_region = us-west-2
sso_account_id = xxxxxx
sso_role_name = ProductionDeveloperAccess
region = us-west-2
output = json
cli_pager=
[profile OtherNonprod-dev]
sso_start_url = https://xxxxx
sso_region = us-west-2
sso_account_id = xxxxxxxxxx
sso_role_name = NonProdDeveloperAccess
region = us-west-2
output = json
cli_pager=

I even tried setting the environment variable explicitly in my shell but no luck.

What am I missing? Why does CDK not pick up the right profile? What am I doing wrong?

@KarthikChandy

I am not sure if this will solve your problem. However, I had the same issue when I tried adding an ec2.Vpc() construct. Eventually, what worked for me is the following.

  1. Initialise a temporary CDK project.
  2. Copy any missing sections under "context" from your new cdk.json file to your old project cdk.json file. Here old project refers to your CDK project that was failing.
  3. Run cdk synth again.

I suspect either I removed some "context" sections thinking they were not needed, or over a period of time new entries were added by CDK. Good luck.

@pahud
Contributor

pahud commented Jun 4, 2024

Hi @dxunix is this bug still relevant?

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 4, 2024

github-actions bot commented Jun 6, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jun 6, 2024
@mabster314

Hello, I can confirm this issue still exists. I notice it just got closed but it is definitely still an issue

@scanlonp scanlonp reopened this Jun 11, 2024
@scanlonp scanlonp removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. labels Jun 11, 2024
@scanlonp
Contributor

We should not be adding response-requested labels to issues that have not had recent responses. It is somewhat unreasonable to expect a comment within a week to keep an issue open.

@TheRealAmazonKendra
Contributor

Looks like the big issue here is the casing of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. This is an issue that appears to continue to be the case in the SDK v3 so our in-progress upgrade will not immediately alleviate it. We'll either need to add custom logic to our credential provider chain or make it explicit in the documentation that these files are case sensitive and must be in lowercase.
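
The profile conditions reported across this thread (upper-case key names, a source_profile that points at differently named credentials, SSO-only profiles, a profile with no credentials at all) can be checked before running cdk. The following is an added example, not code from the CDK project or from any commenter; lint_profile, its finding codes and the sample files are hypothetical, and all sample values are constructed placeholders.

```python
import configparser

# Credential key names. The thread reports CDK failing when the first two are
# upper-case; including aws_session_token here is an assumption of this example.
CREDENTIAL_KEYS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}

# Constructed sample files (placeholder values, not taken from the thread).
SAMPLE_CREDENTIALS = """
[base]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = EXAMPLESECRET

[upper]
AWS_ACCESS_KEY_ID=EXAMPLEKEYID
AWS_SECRET_ACCESS_KEY=EXAMPLESECRET
"""

SAMPLE_CONFIG = """
[profile upper]
region = eu-central-1

[profile chained]
role_arn = arn:aws:iam::111111111111:role/example
source_profile = base

[profile sso-dev]
sso_start_url = https://example.invalid/start
sso_account_id = 111111111111
sso_role_name = ExampleRole

[profile region-only]
region = us-east-1
"""


def _parse(text):
    """Parse AWS-style INI text while preserving the case of key names."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # configparser lowercases keys unless told otherwise
    parser.read_string(text)
    return parser


def lint_profile(credentials_text, config_text, profile):
    """Return (code, message) findings for one profile; values are never echoed."""
    creds, config = _parse(credentials_text), _parse(config_text)
    config_section = "default" if profile == "default" else f"profile {profile}"
    settings = {}  # key name as written -> value, credentials file first
    for parser, section in ((creds, profile), (config, config_section)):
        if parser.has_section(section):
            for key, value in parser.items(section):
                settings.setdefault(key, value)
    if not settings:
        return [("PROFILE_MISSING", f"no [{profile}] or [{config_section}] section")]

    findings = []
    for key in settings:
        if key.lower() in CREDENTIAL_KEYS and key != key.lower():
            findings.append(("KEY_CASE", f"'{key}' should be '{key.lower()}'"))

    lowered = {key.lower() for key in settings}
    has_static = {"aws_access_key_id", "aws_secret_access_key"} <= lowered
    source = settings.get("source_profile")
    uses_sso = any(key.startswith("sso_") for key in lowered)

    if source and source != profile and not has_static:
        findings.append(("SOURCE_PROFILE", f"credentials come from [{source}], "
                         "a different name; reported in the thread as not resolved"))
    if uses_sso:
        findings.append(("SSO_PROFILE", "SSO profile; the thread points to #5455"))
    if not (has_static or source or uses_sso or "credential_process" in lowered):
        findings.append(("NO_CREDENTIALS", "no keys, source_profile, SSO or "
                         "credential_process configured for this profile"))
    return findings


if __name__ == "__main__":
    for name in ("base", "upper", "chained", "sso-dev", "region-only", "absent"):
        print(name, lint_profile(SAMPLE_CREDENTIALS, SAMPLE_CONFIG, name))
```

Findings name only sections and keys, so the output can be pasted into an issue without leaking key material.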

@github-actions github-actions bot added p1 and removed p2 labels Jan 12, 2025

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.
