aws-cdk-local

bug: Unable to run cdk bootstrap with aws-cdk 2.172.0 (or newer) and cdklocal 2.19.2

Open simonrw opened this issue 10 months ago • 7 comments

Original issue: https://github.com/localstack/localstack/issues/12261 reported by @Garethp


Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

When attempting to run yarn cdklocal bootstrap on LocalStack with aws-cdk set to 2.172.0 or newer, I get the following error:

 ❌  Environment aws://000000000000/eu-west-2 failed bootstrapping: Error: Need to perform AWS calls for account 000000000000, but no credentials have been configured
    at SdkProvider.forEnvironment (/home/parkerg/development/localstack-bugs/node_modules/aws-cdk/lib/index.js:776:19853)
    at async SdkProvider.methFunc (/home/parkerg/development/localstack-bugs/node_modules/aws-cdk-local/bin/cdklocal:414:16)
    at async _BootstrapStack.lookup (/home/parkerg/development/localstack-bugs/node_modules/aws-cdk/lib/index.js:626:8583)
    at async Bootstrapper.modernBootstrap (/home/parkerg/development/localstack-bugs/node_modules/aws-cdk/lib/index.js:627:1084)
    at async /home/parkerg/development/localstack-bugs/node_modules/aws-cdk/lib/index.js:833:1671

If I try running the bootstrap with 2.178.2, the error looks like:

 ❌  Environment aws://000000000000/eu-west-2 failed bootstrapping: _AuthenticationError: Need to perform AWS calls for account 000000000000, but no credentials have been configured
    at SdkProvider.forEnvironment (/home/parkerg/development/localstack-bugs/node_modules/aws-cdk/lib/index.js:809:140752)
    at async _BootstrapStack.lookup (/home/parkerg/development/localstack-bugs/node_modules/aws-cdk/lib/index.js:780:25842)
    at async Bootstrapper.modernBootstrap (/home/parkerg/development/localstack-bugs/node_modules/aws-cdk/lib/index.js:781:1115)
    at async /home/parkerg/development/localstack-bugs/node_modules/aws-cdk/lib/index.js:823:1560 {
  type: 'authentication'
}
Need to perform AWS calls for account 000000000000, but no credentials have been configured

Expected Behavior

This should work and there should be no Authentication issues

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

docker run localstack/localstack

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

`yarn cdklocal bootstrap`

Environment

- OS: Ubuntu 20.04
- LocalStack: 4.1.1
  LocalStack version: 4.1.1
  LocalStack Docker image sha: sha256:97ccc65daec3542bd2cb3160d7355f11e89ad8027fd3c834b9d1197d197d866f
  LocalStack build date: 2025-02-05
  LocalStack build git hash: 873d150c0

Anything else?

I've reproduced the issue here: https://github.com/Garethp/localstack-bugs/tree/bootstrap-error

When I clone down the branch bootstrap-error, run yarn install, and then ./start.sh, I see the above error.

Additionally, we do have a temporary workaround. If we run AWS_PROFILE={profile} yarn cdklocal bootstrap, where {profile} is a profile that's already been locally configured and is not an SSO login, then it passes. If it's set to a non-existent profile or a profile that's configured through aws sso, then it still fails.

simonrw, Mar 12 '25 11:03

Thanks @Garethp for reporting. Unfortunately the CDK team have made some significant changes to the internals of cdk that are keeping us busy!

Since v2.167.0 the upstream cdk has supported AWS profiles. Can you try setting an AWS profile similar to

[profile localstack]
region = us-east-1
endpoint_url = https://localhost.localstack.cloud:4566
aws_access_key_id = test
aws_secret_access_key = test
cli_binary_format=raw-in-base64-out
services = localstack-services

[services localstack-services]
s3 =
  endpoint_url = http://s3.localhost.localstack.cloud:4566

in your ~/.aws/config and try using the upstream cdk setting AWS_PROFILE=localstack cdk ...? You will need to make sure you don't have any other AWS_* configuration variables in your environment, particularly AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY etc.

simonrw, Mar 12 '25 11:03
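
A pre-flight check for the profile workaround in the comment above, added here as an illustration and not code from the thread or from LocalStack: it parses the config text, confirms every endpoint_url resolves to a local host, and flags SSO keys and stray AWS_* variables. The function names, the LOCAL_HOST allowlist and the sample text are assumptions made for this example, and the parser covers only the layout seen in the snippet.

```javascript
// Constructed sample mirroring the ~/.aws/config snippet in the comment above.
const SAMPLE_CONFIG = `
[profile localstack]
region = us-east-1
endpoint_url = https://localhost.localstack.cloud:4566
aws_access_key_id = test
aws_secret_access_key = test
services = localstack-services
[services localstack-services]
s3 =
  endpoint_url = http://s3.localhost.localstack.cloud:4566
`;
// Hosts treated as local (assumption for this example; add compose service names as needed).
const LOCAL_HOST = /^(localhost|127\.0\.0\.1|(.+\.)?localhost\.localstack\.cloud)$/;
const hostOf = (url) => { try { return new URL(url).hostname; } catch { return ''; } };

// Minimal parser: [section] headers, "key = value" pairs, indented sub-keys as "parent.child".
function parseAwsConfig(text) {
  const sections = {};
  let current = null, parent = null;
  for (const line of text.split(/\r?\n/)) {
    const header = line.match(/^\[(.+)\]\s*$/);
    const pair = line.match(/^(\s*)([^=\s#;]+)\s*=\s*(.*)$/);
    if (header) { current = sections[header[1].trim()] = {}; parent = null; }
    else if (pair && current) {
      const [, indent, key, value] = pair;
      if (indent && parent) current[`${parent}.${key}`] = value.trim();
      else { current[key] = value.trim(); parent = value.trim() ? null : key; }
    }
  }
  return sections;
}

// Returns a list of problems; an empty list means nothing was flagged for this profile.
function checkProfile(configText, name, env = {}) {
  const sections = parseAwsConfig(configText);
  const profile = sections[`profile ${name}`];
  if (!profile) return [`profile "${name}" not found`];
  const problems = profile.endpoint_url ? [] : ['no endpoint_url: default AWS endpoints would be used'];
  const linked = sections[`services ${profile.services}`] || {};
  for (const [key, value] of Object.entries({ ...profile, ...linked })) {
    if (key.endsWith('endpoint_url') && !LOCAL_HOST.test(hostOf(value)))
      problems.push(`${key} = "${value}" is not a local endpoint`);
    if (key.startsWith('sso_')) problems.push(`${key}: the thread reports SSO profiles still fail`);
  }
  for (const v of Object.keys(env))
    if (v.startsWith('AWS_') && v !== 'AWS_PROFILE') problems.push(`${v} is set in the environment`);
  return problems;
}
console.log(checkProfile(SAMPLE_CONFIG, 'localstack', process.env));
```
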

Hi Simon

Thanks for opening this issue in the correct repository. Having each developer define this profile locally and alter any scripts that call localstack to include the profile would have been a larger workaround than what we'd want to do. Thankfully we've already built a cdk plugin to automatically pick and refresh profiles/credentials based on which account is being targeted and it was fairly easy to slip this workaround into that plugin, so distributing the workaround is just a case of the plugin being updated.

Thanks, Gareth

Garethp, Mar 12 '25 16:03

@simonrw Is there any working config right now? No matter what version of aws-cdk and aws-cdk-local I use, I always get a credentials error:

Need to perform AWS calls for account 000000000000, but no credentials have been configured

Currently using:

Also tried:

  • aws-cdk@latest and aws-cdk-local@latest and various versions in between.
  • Also tried setting profile localstack in my aws/config

My team really likes this tool but it's a deal-breaker if we can't get it to work with CDK.

emmanuelnk, Apr 10 '25 14:04

I solved my issue. The problem seems to be that a misleading error is thrown by cdklocal. Whether you are using docker-compose or localstack CLI, the SERVICES env has to have

# docker-compose
SERVICES=sts,iam,ssm,s3,cloudformation,ecr

# localstack CLI
SERVICES=sts,iam,ssm,s3,cloudformation

in order to run

cdklocal bootstrap

If one of those services is missing, the following credential error is thrown (thus misleading you):

Need to perform AWS calls for account 000000000000, but no credentials have been configured

Used:

emmanuelnk, Apr 10 '25 19:04
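
One way to see past the misleading error described in the comment above is to ask LocalStack which services it actually loaded before running bootstrap. This is an added example, not code from the thread or the project; it assumes the /_localstack/health endpoint reports per-service states such as available, running or disabled, and the sample response and function names are constructed for illustration.

```javascript
// Services the thread lists for `cdklocal bootstrap` (its docker-compose list also adds ecr).
const REQUIRED = ['sts', 'iam', 'ssm', 's3', 'cloudformation'];
// States treated as usable (assumption about the health endpoint's vocabulary).
const USABLE = ['available', 'running'];
// Constructed sample: a health response from a container whose SERVICES list omits sts.
const SAMPLE_HEALTH = {
  services: { s3: 'running', iam: 'available', ssm: 'available',
              cloudformation: 'available', sts: 'disabled' },
  version: '4.1.1',
};

// Lists every required service that is absent from the response or not in a usable state.
function unusableServices(health, required = REQUIRED) {
  const states = (health && health.services) || {};
  return required
    .filter((name) => !USABLE.includes(states[name]))
    .map((name) => ({ service: name, state: states[name] || 'absent' }));
}

// Turns the result into the message that the credentials error hides.
function explain(health, required = REQUIRED) {
  const bad = unusableServices(health, required);
  if (bad.length === 0) return 'ok: every service bootstrap needs is loaded';
  const list = bad.map((b) => `${b.service} (${b.state})`).join(', ');
  return `not ready: ${list}; add them to SERVICES before running cdklocal bootstrap`;
}

// Live variant: fetches the health document from a running LocalStack instance.
async function checkLocalstack(baseUrl) {
  const res = await fetch(new URL('/_localstack/health', baseUrl));
  if (!res.ok) throw new Error(`health endpoint returned HTTP ${res.status}`);
  return explain(await res.json());
}

// With a URL argument (node preflight.js http://localhost:4566) query it; else use the sample.
const target = process.argv[2] || '';
if (/^https?:\/\//.test(target)) {
  checkLocalstack(target).then(console.log, (e) => { console.error(e.message); process.exitCode = 1; });
} else {
  console.log(explain(SAMPLE_HEALTH));
}
```
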

Interesting, thanks @emmanuelnk. That makes sense as you may not be loading one of the core services the cdk relies on. However, do you need the 'SERVICES' envar at all?

simonrw, Apr 11 '25 16:04

@simonrw yes. If I don't add it to my docker-compose.yml with those services (especially sts which seems to be the main culprit for the credentials error), cdklocal deploy will fail.

emmanuelnk, Apr 11 '25 20:04

I am also hitting this issue since upgrading aws-cdk-lib. We are trying to upgrade to [email protected] and have tested [email protected] and [email protected].

We have a docker-compose setup with localstack/localstack running in a container, then another container with

    environment:
      LOCALSTACK_ENDPOINT_URL: http://localstack:4566
      LOCALSTACK_HOSTNAME: localstack
      ...
    
    command: >
      /bin/sh -c "
        npx -p aws-cdk-local cdklocal bootstrap &&
        npx -p aws-cdk-local cdklocal deploy nest-example-service-infra --require-approval never &&
        echo Done
      "

And we get the exact same error:

nest-example-service-localstack  | 
nest-example-service-localstack  | LocalStack version: 4.4.1.dev47
nest-example-service-localstack  | LocalStack build date: 2025-05-28
nest-example-service-localstack  | LocalStack build git hash: b90f172f4
nest-example-service-localstack  | 
nest-example-service-localstack  | Ready.
nest-example-service-bootstrap   |  ⏳  Bootstrapping environment aws://000000000000/us-east-1...
nest-example-service-bootstrap   |  ❌  Environment aws://000000000000/us-east-1 failed bootstrapping: _AuthenticationError: Need to perform AWS calls for account 000000000000, but no credentials have been configured
nest-example-service-bootstrap   |     at SdkProvider.forEnvironment (/app/node_modules/aws-cdk/lib/index.js:322327:17)
nest-example-service-bootstrap   |     at async _BootstrapStack.lookup (/app/node_modules/aws-cdk/lib/index.js:323881:22)
nest-example-service-bootstrap   |     at async Bootstrapper.modernBootstrap (/app/node_modules/aws-cdk/lib/index.js:324129:25)
nest-example-service-bootstrap   |     at async /app/node_modules/aws-cdk/lib/index.js:345705:29 {
nest-example-service-bootstrap   |   type: 'authentication',
nest-example-service-bootstrap   |   source: 'user',
nest-example-service-bootstrap   |   cause: undefined
nest-example-service-bootstrap   | }
nest-example-service-bootstrap   | Need to perform AWS calls for account 000000000000, but no credentials have been configured

I tried doing the SERVICES= env var fix suggested above, by adding that env var to my localstack/localstack container, but this had no impact.

It seems like for this docker-compose scenario it would be a shame if I had to manually add an AWS profile to fix the issue.

TaxBusby, May 28 '25 18:05