ProviderError: Profile <redacted> could not be found in shared credentials file

I am 100% NOT referencing my AWS profile in my code! Yet CloudWatch says:

ERROR: ProviderError: Profile <redacted> could not be found in shared credentials file.
    at resolveProcessCredentials (/var/task/node_modules/@aws-sdk/credential-provider-process/dist/cjs/index.js:68:15)
    at /var/task/node_modules/@aws-sdk/credential-provider-process/dist/cjs/index.js:13:85
    at async SignatureV4.credentialProvider (/var/task/node_modules/@aws-sdk/property-provider/dist/cjs/memoize.js:26:26)
    at async SignatureV4.signRequest (/var/task/node_modules/@aws-sdk/signature-v4/dist/cjs/SignatureV4.js:84:29)
    at async /var/task/node_modules/@aws-sdk/middleware-signing/dist/cjs/middleware.js:14:22
    at async StandardRetryStrategy.retry (/var/task/node_modules/@aws-sdk/middleware-retry/dist/cjs/defaultStrategy.js:56:46)
    at async /var/task/node_modules/@aws-sdk/middleware-logger/dist/cjs/loggerMiddleware.js:6:22
    at async WazzCards.getDecks (/var/task/WazzCards.js:50:22)
    at async Runtime.module.exports.getDecks [as handler] (/var/task/handler.js:10:19) {
  tryNextLink: true,
  '$metadata': { attempts: 1, totalRetryDelay: 0 }

The code where this occurs looks like:

this.dbClient = new DynamoDBClient({ region: props.region });
this.table = `WazzCards-${props.stage}`;
const query = new ExecuteStatementCommand({
    Statement: `SELECT * FROM "${this.table}" WHERE begins_with("PK", 'DECK#') AND "SK"='DECK'`,
});
// The error occurs when the next line executes
const result = await this.dbClient.send(query);

The IAM role statements in serverless.yml, copied from the Serverless example in the docs and adjusted, look like:

    - Effect: "Allow"
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
      Resource: "arn:aws:dynamodb:ca-central-1:<redacted>:table/<redacted>"

I am particularly confused because of the reference to “shared credentials file” showing up in CloudWatch, which in my understanding Serverless takes care of during deployment. The Lambda also executes up to the offending line, so basic execution permissions are working.

And as always, it works without any issue locally with serverless-offline.

I have been trying to debug this most of the day now and have just exhausted all possible avenues. Hoping someone else has seen this and solved it???


Right after I sent this I looked at my code (for the umpteenth time) and realised I had AWS_PROFILE=<redacted> in my .env file. Removed it and everything works.
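
A pre-deploy check and a runtime guard for the mistake described above, as an added example that is not part of the original post. The function names, the list of flagged variables and the sample .env contents are assumptions made for this example; it also assumes the .env values end up in the deployed function's environment.

```javascript
// Variables that select or supply AWS credentials. Lambda sets the key and
// token variables itself from the execution role, so a .env that ships with
// the function should define none of these. (List chosen for this example.)
const CREDENTIAL_VARS = new Set([
  'AWS_PROFILE', 'AWS_SHARED_CREDENTIALS_FILE', 'AWS_CONFIG_FILE',
  'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN',
]);

// Minimal dotenv-style parser: KEY=value, optional "export " prefix,
// single or double quotes, full-line and trailing # comments.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    const value = m[2].trim();
    const quoted = /^(['"])(.*)\1$/.exec(value);
    vars[m[1]] = quoted ? quoted[2] : value.replace(/\s+#.*$/, '');
  }
  return vars;
}

// Pre-deploy check: names of credential-related variables defined in the file.
function findCredentialOverrides(dotenvText) {
  return Object.keys(parseDotenv(dotenvText)).filter((k) => CREDENTIAL_VARS.has(k));
}

// Runtime guard, to call before constructing any AWS SDK client. Inside Lambda
// (AWS_LAMBDA_FUNCTION_NAME is set by the runtime) it removes the profile and
// file selectors so the SDK is not pointed at a profile that does not exist.
function dropProfileSelectors(env) {
  if (!env.AWS_LAMBDA_FUNCTION_NAME) return []; // local run: keep the profile
  const removed = [];
  for (const k of ['AWS_PROFILE', 'AWS_SHARED_CREDENTIALS_FILE', 'AWS_CONFIG_FILE']) {
    if (k in env) { delete env[k]; removed.push(k); }
  }
  return removed;
}

// Constructed sample .env contents (not taken from the post).
const SAMPLE_ENV = [
  'STAGE=dev # local stage',
  'REGION="ca-central-1"',
  'AWS_PROFILE=example-profile',
  'export AWS_CONFIG_FILE=/home/example/.aws/config',
  '# AWS_SESSION_TOKEN=commented-out',
].join('\n');
```

In a CI step, fail the deploy when `findCredentialOverrides` returns a non-empty list; in the handler, call `dropProfileSelectors(process.env)` before the first `new DynamoDBClient(...)`.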