Credentials for the AWS SDK for PHP Version 3

For reference information on available credentials mechanisms for the AWS SDKs, see Credentials and access in the AWS SDKs and Tools Reference Guide.

To make requests to Amazon Web Services, supply AWS access keys, also known as credentials, to the AWS SDK for PHP.

You can do this in the following ways:

  • Use the default credential provider chain (recommended).

  • Use a specific credential provider or provider chain (or create your own).

  • Supply the credentials yourself. These can be root account credentials, IAM credentials, or temporary credentials retrieved from AWS STS.


For security, we strongly recommend that you do not use the root account for AWS access. Always refer to the Security best practices in IAM in the IAM User Guide for the latest security recommendations.

Using the default credential provider chain

When you initialize a new service client without providing any credential arguments, the SDK uses the default credential provider chain to find AWS credentials. The SDK uses the first provider in the chain that returns credentials without an error.

The default provider chain looks for and uses credentials as follows, in this order:

  1. Use credentials from environment variables.

    Setting environment variables is useful if you’re doing development work on a machine other than an Amazon EC2 instance.

  2. Use the AWS shared credentials file and profiles.

    This credentials file is the same one used by other SDKs and the AWS CLI. If you’re already using a shared credentials file, you can use that file for this purpose.

    We use this method in most of our PHP code examples.

  3. Assume an IAM role.

    IAM roles provide applications on the instance with temporary security credentials to make AWS calls. For example, IAM roles offer an easy way to distribute and manage credentials on multiple Amazon EC2 instances.
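The following PHP script is an added example, not code from the SDK or from this guide. It follows the three-step order listed above to report which source would supply credentials and which later sources it shadows, without calling the SDK or AWS. The function names, the `default` profile, and the sample key values are assumptions constructed for illustration.

```php
<?php
// Added example: offline audit that follows the three-step order on this page.
// It never calls the SDK or an AWS endpoint; all names here are hypothetical.

/** Mask a key ID so the audit result can be logged without exposing it. */
function maskKeyId(string $id): string
{
    return strlen($id) > 8 ? substr($id, 0, 4) . '...' . substr($id, -4) : '****';
}

/**
 * @param array  $env     environment variables (name => value)
 * @param string $iniText contents of the shared credentials file, '' if absent
 * @param string $profile profile to look up (assumed to be 'default')
 */
function resolveCredentialSource(array $env, string $iniText, string $profile = 'default'): array
{
    $found = [];
    // Step 1: environment variables.
    if (!empty($env['AWS_ACCESS_KEY_ID']) && !empty($env['AWS_SECRET_ACCESS_KEY'])) {
        $found['environment'] = $env['AWS_ACCESS_KEY_ID'];
    }
    // Step 2: shared credentials file, parsed as INI with one section per profile.
    $profiles = $iniText === '' ? [] : (parse_ini_string($iniText, true, INI_SCANNER_RAW) ?: []);
    $p = $profiles[$profile] ?? [];
    if (!empty($p['aws_access_key_id']) && !empty($p['aws_secret_access_key'])) {
        $found["profile:$profile"] = $p['aws_access_key_id'];
    }
    // Step 3: no static credentials found, so the chain falls through to the IAM role.
    if ($found === []) {
        return ['source' => 'iam-role', 'key' => null, 'shadowed' => []];
    }
    $source = array_key_first($found); // first match wins, as in the chain
    return [
        'source'   => $source,
        'key'      => maskKeyId($found[$source]),
        'shadowed' => array_slice(array_keys($found), 1), // later sources that are ignored
    ];
}

// Constructed sample input: these are not real credentials.
$env = ['AWS_ACCESS_KEY_ID' => 'AKIAENVEXAMPLE000001', 'AWS_SECRET_ACCESS_KEY' => 'constructed-secret'];
$ini = "[default]\naws_access_key_id = AKIAFILEEXAMPLE00002\naws_secret_access_key = constructed-secret\n";
print_r(resolveCredentialSource($env, $ini)); // environment wins, profile is shadowed
print_r(resolveCredentialSource([], $ini));   // profile wins
print_r(resolveCredentialSource([], ''));     // falls through to the IAM role
```

On an Amazon EC2 instance with a role attached, any result other than `iam-role` means static keys in the environment or the shared file are being used in place of the role's temporary credentials.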

Other ways to add credentials

You can also add credentials in these ways:


Hard-coding your credentials can be dangerous, because it’s easy to accidentally commit your credentials into an SCM repository. This can potentially expose your credentials to more people than you intend. It can also make it difficult to rotate credentials in the future. Do not submit code with hard-coded credentials to your source control.

  • Creating anonymous clients.

    Create a client that isn’t associated with any credentials when the service allows anonymous access.