I'm trying to deploy a CDK stack using npx cdk diff with credentials managed by 1Password. I need to assume a specific AWS role (admin@ontology-dev) to perform the deployment, but I keep encountering credential issues even though I can access AWS resources with the assumed role in the AWS Console.
Environment Setup: Credentials Managed by 1Password: I’m using a credential_process in my default profile to retrieve AWS credentials via a custom 1password.sh script.
Profile Configuration:
Here are my ~/.aws/config and ~/.aws/credentials setups:
~/.aws/config:
[default]
region = eu-west-1
duration_seconds = 10800
mfa_serial = arn:aws:iam::<my-iam-account-id>:mfa/toseef.ahmed
output = json
[profile admin@dev-profile]
role_arn = arn:aws:iam::<dev-account-id>:role/DevAdmin-CAM
source_profile = default
region = eu-west-1
duration_seconds = 10800
~/.aws/credentials:
[default]
credential_process = bash -c '$HOME/.aws/1password.sh'
1password.sh:
#!/usr/bin/env bash
# credential_process helper: the AWS CLI/SDK expects this script to print a JSON
# document with Version, AccessKeyId and SecretAccessKey (optionally SessionToken
# and Expiration) on stdout. Variables exported here are not visible to the caller.
set -euo pipefail
# Define 1Password parameters
ACCOUNT="myAccount"
VAULT="myVault"
ACCESS_ITEM="AWS-Access-Key"
# Retrieve access key, secret key, and OTP from 1Password
ACCESS_KEY=$(op read --account "$ACCOUNT" "op://$VAULT/$ACCESS_ITEM/Access Key ID")
SECRET=$(op read --account "$ACCOUNT" "op://$VAULT/$ACCESS_ITEM/Secret Access Key")
OTP=$(op read --account "$ACCOUNT" "op://$VAULT/$ACCESS_ITEM/one-time password?attribute=otp")
# The credential_process JSON has no field for an MFA code, so OTP is not part of the output.
printf '{"Version": 1, "AccessKeyId": "%s", "SecretAccessKey": "%s"}\n' "$ACCESS_KEY" "$SECRET"
Access Test: Running aws sts get-caller-identity --profile admin@<dev-profile> works fine. It gives me:
{
"UserId": "XXXAW757OFXXXXXXXXXX:XXX065653XXXXXXXXX",
"Account": "<dev-account-id>",
"Arn": "arn:aws:sts::<dev-account-id>:assumed-role/DevAdmin-CAM/1730656531XXXXXXXX"
}
After that when I run aws s3 ls s3://<my-bucket name>/
I get the list of files in the bucket.
However, when I run npx cdk diff -c account=dev -c environment=development --verbose
with the same profile, I get the following error:
Need to perform AWS calls for account <target-account-id>, but no credentials have been configured
Error Output: Here’s part of the verbose output from npx cdk diff:
[17:08:38] Resolving default credentials
Could not assume arn:aws:iam::<account-id>:role/cdk-hnb659fds-lookup-role-<dev-account-id>-eu-west-1, proceeding anyway.
[19:55:48] Reading cached notices from /Users/toseef.ahmed/.cdk/cache/notices.json
Need to perform AWS calls for account <dev-account-id>, but no credentials have been configured
I would appreciate your help.
Please be kind if you think the information is insufficient. This is the first time I'm working in this kind of setup.
The npx cdk diff command tries to assume a specific role (cdk-hnb659fds-lookup-role) automatically to perform environment lookups. Even though your admin@dev-profile works for direct AWS CLI operations (like aws sts get-caller-identity or aws s3 ls), the CDK needs proper access to the assumed roles it uses internally. To fix this you need to bootstrap your project with the correct profile:
npx cdk bootstrap aws://<dev-account-id>/eu-west-1 --profile admin@dev-profile
This creates the required roles (cdk-hnb659fds-lookup-role, etc.) in the specified account and region. Ensure you run this with a profile that has permission to create roles and policies.
Or, more simply, specify your admin role for the diff command as well:
npx cdk diff -c account=dev -c environment=development --profile admin@dev-profile --verbose
You also need to ensure that cdk-hnb659fds-lookup-role is created in the target account and has a trust relationship with the DevAdmin role.
Trust policy of cdk-hnb659fds-lookup-role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<dev-account-id>:role/DevAdmin-CAM"
},
"Action": "sts:AssumeRole"
}
]
}
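As an added example (not part of the answer or of the CDK project), here is a small Python check that maps the Arn returned by aws sts get-caller-identity to the IAM role ARN that a trust policy names and evaluates it against the lookup role's trust policy, so you can confirm the trust relationship the answer describes before re-running cdk diff. It uses the page's placeholder account ids and the trust policy shown above; the account-root and wildcard principal handling goes slightly beyond that policy.

```python
import re

# Constructed sample input: the trust policy from the answer above, with placeholder ids.
LOOKUP_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::<dev-account-id>:role/DevAdmin-CAM"},
         "Action": "sts:AssumeRole"}
    ],
}

STS_ARN = re.compile(r"^arn:aws:sts::([^:]+):assumed-role/([^/]+)/[^/]+$")


def caller_role_arn(arn):
    """Map the Arn from `aws sts get-caller-identity` to the principal ARN a trust
    policy names: an assumed-role session ARN becomes the underlying IAM role ARN."""
    m = STS_ARN.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def trust_policy_decision(policy, caller_arn, action="sts:AssumeRole"):
    """Return ('allow'|'deny', reason): may caller_arn call `action` on the role guarded
    by `policy`? Handles an exact role ARN, the account root ARN (which delegates to the
    caller account's own IAM policies) and an unconditional '*' principal, which is
    flagged because it trusts every AWS account. An explicit Deny always wins."""
    principal = caller_role_arn(caller_arn)
    root = f"arn:aws:iam::{principal.split(':')[4]}:root"
    decision, reason = "deny", f"no statement grants {action} to {principal}"
    for stmt in policy.get("Statement", []):
        if not any(a in (action, "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        aws = stmt.get("Principal")
        aws = ["*"] if aws == "*" else _as_list((aws or {}).get("AWS"))
        matched = principal in aws or root in aws or "*" in aws
        if stmt.get("Effect") == "Deny" and matched:
            return "deny", "explicit Deny in trust policy"
        if stmt.get("Effect") != "Allow":
            continue
        if principal in aws:
            decision, reason = "allow", f"trusts {principal} directly"
        elif root in aws:
            decision, reason = "allow", f"trusts {root}; caller also needs IAM permission for {action}"
        elif "*" in aws and not stmt.get("Condition"):
            decision, reason = "allow", "WARNING: unconditional Principal '*' trusts every AWS account"
    return decision, reason
```

Paste the Arn from your get-caller-identity output and the trust policy from `aws iam get-role --role-name cdk-hnb659fds-lookup-role-<dev-account-id>-eu-west-1` to check the pair you actually have.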