Running npx @guardian/cdk@latest account-readiness --profile workflow gave me SSM Parameter Readiness: ❌ Fail even though the workflow account is all green.

It turns out that there were stale [default] credentials in my local ~/.aws/credentials file. I had to delete them and get fresh workflow credentials from Janus, which finally gave me SSM Parameter Readiness: ✅ Pass.

Not sure how or why the default creds are generated, but it would be great for the readiness check against the matching account name (e.g.[workflow]) instead of the default. Also it would be helpful have a more informative error message if the credentials are invalid.