cdk <command> --profile <named profile> tries default regardless

[dxunix]

cdk commands does not pick up the named profile from .aws/credential and ./aws/config. the profile is configured thru aws configure and in the format as specified in the aws doc. (two files, [<profile name>] in credential file and [profile <profile name>] in config file.

Reproduction Steps

create the profile
specify account number and region in the stack env.
run cdk synth or cdk deploy with --profile <profile name>

Error Log

[Error at /test-stack] Need to perform AWS calls for account ************, but no credentials found. Tried: default credentials.
Found errors

Environment

• **CLI Version : 1.16.3 **
• **Framework Version: 1.16.3 **
• OS : mac os
• **Language : python **

Other

Also tried to remove the [default] blocks in the .aws/ files, still same error.

---

This is 🐛 Bug Report

[dxunix]

this problem seems to be triggered when i try to import existing resource of the account into to the stack. Such as when I make ec2.Vpc.from_lookup(...) call

[dxunix]

Any updates @SomayaB and @shivlaks ? Thanks!

[shivlaks]

@dxunix have you taken a look at aws/aws-cdk#1656

[dxunix]

@shivlaks Yes I did. My case is ok to deploy with profile. So that works. But the problem is I am using methods such as ec2.Vpc.from_lookup(), so cdk will need to login to aws to get the existing resource info. That's where the problem came up.

I didnt try the plug-in.. Thought the CDK should work natively with the profile....

[shivlaks]

@dxunix I see what you mean. I'll have to give that a repro, but please let me know if the plugin works for you.

[dxunix]

@shivlaks: Ok. i have a feeling this something to do with vpc only

without specify the account id works in other from*** methods for other resources. vpc needs account id. thus i got the error.

jsii.errors.JSIIError: Cannot retrieve value from context provider vpc-provider since account/region are not specified at the stack level. Either configure "env" with explicit account and region when you define your stack, or use the environment variables "CDK_DEFAULT_ACCOUNT" and "CDK_DEFAULT_REGION" to inherit environment information from the CLI (not recommended for production stacks)
Subprocess exited with error 1

add account to env

$ cdk synth --profile sbx
vpc is vpc-12345
vpc is vpc-12345
[Error at /ecs-test-stack] Need to perform AWS calls for account ************, but no credentials found. Tried: default credentials.

also worth noting is: we are using saml to get the keys. therefore, there is a token as well. I dont know if this is the reason it is off.

[shivlaks]

@dxunix does running the command with --verbose provide any additional information.
Thanks for mentioning SAML, it might be a detail of significance but I'm not sure at this point.

[dxunix]

@shivlaks , see the verbose output. The credential is fed in from the env variables including TOKEN.

cdk synth --verboseCDK toolkit version: 1.17.1 (build fa4cb1f)Command line arguments: {
  _: [ 'synth' ],
  verbose: true,
  v: true,
  'ignore-errors': false,
  ignoreErrors: false,
  json: false,
  j: false,
  ec2creds: undefined,
  i: undefined,
  'version-reporting': undefined,
  versionReporting: undefined,
  'path-metadata': true,
  pathMetadata: true,
  'asset-metadata': true,
  assetMetadata: true,
  'role-arn': undefined,
  r: undefined,
  roleArn: undefined,
  staging: true,
  'no-color': false,
  noColor: false,
  '$0': '/usr/local/bin/cdk'
}
Determining whether we're on an EC2 instance.
Does not look like EC2 instance.
cdk.json: {
  "app": "python3 app.py"
}
cdk.context.json: {
  "@aws-cdk/core:enableStackNameDuplicates": "true"
}
merged settings: {
  versionReporting: true,
  pathMetadata: true,
  output: 'cdk.out',
  app: 'python3 app.py',
  context: {},
  tags: [],
  assetMetadata: true,
  toolkitBucket: {},
  staging: true
}
Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Resolving default credentials
Looking up default account ID from STS
Default account ID: ------------6
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ------------6
context: {
  '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_DEFAULT_ACCOUNT: '------------6',
  CDK_CONTEXT_JSON: '{"@aws-cdk/core:enableStackNameDuplicates":"true","aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.17.1'
}
vpc is vpc-12345
Some context information is missing. Fetching...
Setting "vpc-provider:account=------------:filter.vpc-id=vpc-0000000000000000:region=us-east-1:returnAsymmetricSubnets=true" context to {"$providerError":"Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.","$dontSaveContext":true}
Setting "CDK_DEFAULT_REGION" environment variable to us-east-1
Setting "CDK_DEFAULT_ACCOUNT" environment variable to ------------6
context: {
  '@aws-cdk/core:enableStackNameDuplicates': 'true',
  'vpc-provider:account=------------:filter.vpc-id=vpc-0000000000000000:region=us-east-1:returnAsymmetricSubnets=true': {
    '$providerError': 'Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.',
    '$dontSaveContext': true
  },
  'aws:cdk:enable-path-metadata': true,
  'aws:cdk:enable-asset-metadata': true
}
outdir: cdk.out
env: {
  CDK_DEFAULT_REGION: 'us-east-1',
  CDK_DEFAULT_ACCOUNT: '------------6',
  CDK_CONTEXT_JSON: '{"@aws-cdk/core:enableStackNameDuplicates":"true","vpc-provider:account=------------:filter.vpc-id=vpc-0000000000000000:region=us-east-1:returnAsymmetricSubnets=true":{"$providerError":"Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.","$dontSaveContext":true},"aws:cdk:enable-path-metadata":true,"aws:cdk:enable-asset-metadata":true}',
  CDK_OUTDIR: 'cdk.out',
  CDK_CLI_ASM_VERSION: '1.16.0',
  CDK_CLI_VERSION: '1.17.1'
}
vpc is vpc-12345
Not making progress trying to resolve environmental context. Giving up.
[Error at /ecs-test-stack] Need to perform AWS calls for account ------------, but no credentials found. Tried: default credentials.
  ConstructNode.addError (/private/var/folders/zc/h552c9kn7_jg_2k6xz15r_v40000gp/T/jsii-kernel-UcjXI5/node_modules/@aws-cdk/core/lib/construct.js:285:14)
  Function.getValue (/private/var/folders/zc/h552c9kn7_jg_2k6xz15r_v40000gp/T/jsii-kernel-UcjXI5/node_modules/@aws-cdk/core/lib/context-provider.js:50:28)
  Function.fromLookup (/private/var/folders/zc/h552c9kn7_jg_2k6xz15r_v40000gp/T/jsii-kernel-UcjXI5/node_modules/@aws-cdk/aws-ec2/lib/vpc.js:375:51)
  /Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7603:51
  Kernel._wrapSandboxCode (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8202:20)
  /Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7603:25
  Kernel._ensureSync (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8178:20)
  Kernel.sinvoke (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7602:26)
  KernelHost.processRequest (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7293:28)
  KernelHost.run (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7233:14)
  Immediate._onImmediate (/Users/user/dev/cdk/service-chk/.env/lib/python3.7/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7236:37)
  processImmediate (internal/timers.js:439:21)
Found errors
Error: Found errors
    at AppStacks.processMetadata (/usr/local/lib/node_modules/aws-cdk/lib/api/cxapp/stacks.ts:316:13)
    at cliSynthesize (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:309:15)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at main (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:232:16)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:160:9)