如何解决：'无法解析要使用的 AWS 帐户。 必须在定义 CDK 时或通过环境配置它

Question

I am trying to run CDK commands to check the diff of my local and remote stack.

I am using the following command.

cdk diff --profile saml

I am getting the following error message

Unable to resolve AWS account to use. It must be either configured when you define your CDK or through the environment

I am looking for ways to resolve this issue.

Answer 1

Removing [profile default] from ~/.aws/config solved it for me.

Answer 2

You need to specify your credentials. Check out this article: https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html#getting_started_credentials

It gives details on how to do this:

Specifying Your Credentials and Region

You must specify your credentials and an AWS Region to use the AWS CDK CLI. The CDK looks for credentials and region in the following order:

Using the --profile option to cdk commands.

Using environment variables.

Using the default profile as set by the AWS Command Line Interface (AWS CLI).

You can set up a profile using the AWS CLI. See https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html for details on how to do this. You can specify named profiles, such as a profile for each account, and then specify the profile name to use for your CDK call.

Answer 3

In your .aws folder, create/add an empty file named credentials without the file extension.

Answer 4

In my case it had nothing to do with the proposed solutions.
If you add the -v (verbose) argument to cdk command, you will see the actual error: Unable to determine the default AWS account: TypeError [ERR_INVALID_PROTOCOL]: Protocol "https:" not supported. Expected "http:" Unable to determine the default AWS account: TypeError [ERR_INVALID_PROTOCOL]: Protocol "https:" not supported. Expected "http:"

I tried different versions of CDK and nothing, still the same error. After many tries I ended up with the root cause: node version. With v15.2.1 I got that error, but after downgrading to v14.15.1 the issue was solved.

Answer 5

You should explicitly set your account and region when initializing your stacks. AWS CDK CLI provides two environment variables, CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION, to determine the target at synthesis time.

new MyDevStack(app, 'dev', { 
  env: { 
    account: process.env.CDK_DEFAULT_ACCOUNT, 
    region: process.env.CDK_DEFAULT_REGION 
}});

If you use these environment variables, the target account and region are fetched from your active AWS profile, eg --profile option.

https://docs.aws.amazon.com/cdk/latest/guide/environments.html

Answer 6

Finally I used following in C:\XXXX.aws\credentials

[default]
aws_access_key_id=XXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXX

and cmd:> cdk deploy --profile default

However this didn't work.

[project1]
aws_access_key_id = ANOTHER_AWS_ACCESS_KEY_ID
aws_secret_access_key = ANOTHER_AWS_SECRET_ACCESS_KEY

and cmd:> cdk deploy --profile project1

Error: AWS region must be configured either when you configure your CDK stack or through the environment

Answer 7

You might be suffering from https://github.com/aws/aws-cdk/issues/5455

To work around, don't use a profile, grab access keys (your org should have a way) and export these to the environment

Answer 8

Not sure if this help, but in my organization we use AWS SSO, with over 90 AWS Accounts, with MFA, so it was impossible to manage CDK without AWS CLIv2 with profiles, and AWS SSO support.

I found a way to solve it, so till its officially relesed, you can use this, it works quite all right: MatsCloud blog - CDK with AWS SSO multi account multi profile

Answer 9

in ~/.aws/config the tag [default] must be alone in a new row Example:

[someBasicUser]
[default]
aws_access_key_id = XXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXX

Answer 10

I my case I created new access key's in AWS fist, which I used then as descruped above.

aws configure aws_access_key_id aws_secret_access_key then enter your region

Then it worked. So I assume when the error is "Unable to resolve AWS account" you have the issue new access keys, as the current one is obviously not valid anymore.

enter image description here

Answer 11

I just came across this, because I had the same issue...

using THE SAME profile idenitiefer fixed it for my:D

I was using an _ where as the profile name contained a - ...

Answer 12

The error is produced by CDK because it can't resolve valid AWS CLI credentials which allows it to resolve the account by making a call similar to

aws sts get-caller-identity --profile profile_name

There are multiple ways to configure the AWS CLI with valid credentials so that CDK can interact with the CLI configuration to obtain credentials

1. In ~/.aws/credentials, which is easiest and least preferred/secure way due to using longterm creds, you can place longterm credentials assigned to an IAM user like this

    [default]
    aws_access_key_id=AKIAI44QH8DHBEXAMPLE
    aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

2. Using credential process https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html

In ~/.aws/config

[profile developer]
credential_process = /opt/bin/awscreds-custom --username helen

3. Using a more secure tool like https://github.com/99designs/aws-vault

4. Using AWS CLI integration with AWS SSO. This setup allows for SSO across multiple accounts and supports multiple MFA strategies including biometric. The problem with this is that the current version of the CDK has not been updated to use the latest version of the Node AWS SDK so it does not know how to retrieve credentials. Hopefully a future release of CDK will resolve this but its been almost 2 years

In ~/.aws/config

[profile sso_profile]
sso_start_url = https://sso_url.awsapps.com/start
sso_region = us-east-2
sso_account_id =
sso_role_name = AWSAdministratorAccess
region = us-east-2
output=json
 

Fortunately there is a decent workaround which works seamlessly once configured. This involves utilizing a python lib that can expose an SSO profile as a credentials process which is supported by current CDK. Install https://pypi.org/project/aws2-wrap/

pip3 install aws2-wrap==1.2.7

Then in ~/.aws/config add a wrapper profile that uses aws2-wrap to exposes as a credentials process

[profile wrapped_sso_profile]
region = us-east-2
credential_process = aws2-wrap --process --profile sso_profile

Answer 13

AWS CLI v2 is capable of using AWS SSO to acquire credentials natively; however the SDK that was used to develop AWS CDK is not capable of using AWS SSO natively to acquire the credentials. Hence, "credential_process" must be configured in ~/.aws/config to acquire credentials.

While configuring "credential_process", I found they python package "aws2-wrap" (pip install aws2-wrap) as simple and straightforward. The other package "aws-sso-credential-process" required pipx which itself installed python@3.10 on my Mac.

Answer 14

In my case I was running the command:

npm run cdk diff my-stack --profile MyProfile

However it worked when I changed to use

npx cdk diff my-stack --profile MyProfile

This is because npm run x does not pass through --parameters to child processes.

Answer 15

I just created a new profile.

aws configure --profile profile2

aws_access_key_id=XXXXXXXXXXXXXX
aws_secret_access_key=XXXXXXXXXXXX
region = us-west-2
output=text

cdk deploy --profile profile2

I tried various things and this finally helped. Just a quick note, I never added an output until the last one. Maybe a completely filled out profile helped as well.

reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html

Answer 16

sudo was killing me...

I was getting the same error for cdk deploy. I kept running:

$ sudo cdk deploy --profile default

and getting the same error. I eventually used -v and read every line and realized it wasn't using my .aws/credentials file, but was looking for /root/.aws/credentials .

Removed sudo and everything worked just fine.

$ cdk deploy --profile default

Answer 17

In my case, when I specified my credentials using aws configure , when I pasted the apiKey it included an special character in the beginning of the credential causing this issue. So I edited the ./aws/credentials file and removed it.

Answer 18

I tried everything and in the end it was the unadjusted clock of WSL2

Fixed with

sudo ntpdate pool.ntp.org

Answer 19

For me it seemed the CDK had cached a bad session and wouldn't clear it. I deleted the following directory in my home directory

    rm -Rf ~/.cdk/cache

That worked for me as it forced creation of a new cache. (be careful you're deleting the correct dir:)

Answer 20

in my case, i change region name to region code

from: Asia Pacific (Singapore) to: ap-southeast-1

Answer 21

I use AWS SSO and sometimes experience this issue when my session has expired. Calling aws sso login will still seem like it's working fine for a minute or two, but calling cdk deploy (or something similar) already fails.

Answer 22

Just type

aws configure

in your shell and then type

aws_access_key_id

aws_secret_access_key

then enter your region

if you are not confirm with your region sign in to Console

then have a look at the end of url-bar im sure you find it.