AWS SDK for PHP
Developer Guide

Credentials for the AWS SDK for PHP Version 3

To make requests to Amazon Web Services, you must supply AWS access keys, also known as credentials, to the AWS SDK for PHP.

You can do this in the following ways:

  • Use the default credential provider chain (recommended).

  • Use a specific credential provider or provider chain (or create your own).

  • Supply the credentials yourself. These can be root account credentials, IAM credentials, or temporary credentials retrieved from AWS STS.

Important

For security, we strongly recommend that you use IAM users instead of the root account for AWS access. For more information, see IAM Best Practices in the IAM User Guide.

Using the Default Credential Provider Chain

When you initialize a new service client without providing any credential arguments, the SDK uses the default credential provider chain to find AWS credentials. The SDK uses the first provider in the chain that returns credentials without an error.

The default provider chain looks for and uses credentials as follows, in this order:

  1. Use credentials from environment variables.

    Setting environment variables is useful if you're doing development work on a machine other than an Amazon EC2 instance.

  2. Use the AWS shared credentials file and profiles.

    This credentials file is the same one used by other SDKs and the AWS CLI. If you're already using a shared credentials file, you can use that file for this purpose.

    We use this method in most of our PHP code examples.

  3. Assume an IAM role.

    IAM roles provide applications on the instance with temporary security credentials to make AWS calls. For example, IAM roles offer an easy way to distribute and manage credentials on multiple Amazon EC2 instances.
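The three steps above can also be written out as an explicit provider chain. The following is an added example, not code from the AWS guide. It assumes the SDK was installed with Composer, uses `us-east-1` as a sample region, and maps step 3 to the SDK's instance profile provider.

```php
<?php
// Added example, not from the AWS guide. Assumes a Composer install
// (vendor/autoload.php); the region below is a sample value.
require 'vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Exception\CredentialsException;
use Aws\S3\S3Client;

// 1. No 'credentials' key: the SDK uses the default credential provider chain.
$defaultClient = new S3Client([
    'region'  => 'us-east-1',
    'version' => 'latest',
]);

// 2. The three steps listed above, written out explicitly. chain() uses the
//    first provider that returns credentials without an error; memoize()
//    caches the result so it is not looked up again on every request.
$provider = CredentialProvider::memoize(
    CredentialProvider::chain(
        CredentialProvider::env(),             // step 1: environment variables
        CredentialProvider::ini(),             // step 2: shared credentials file
        CredentialProvider::instanceProfile()  // step 3: IAM role on the instance
    )
);

$explicitClient = new S3Client([
    'region'      => 'us-east-1',
    'version'     => 'latest',
    'credentials' => $provider,
]);

// 3. Resolve the chain once to confirm what was found. Only the last four
//    characters of the access key ID are shown; the secret key is never printed.
try {
    $creds = $provider()->wait();
    $kind  = $creds->getSecurityToken() ? 'temporary' : 'long-term';
    printf("Resolved %s credentials, key ID ending %s\n",
        $kind, substr($creds->getAccessKeyId(), -4));
} catch (CredentialsException $e) {
    // Every provider failed: stop here rather than falling back to keys in code.
    fwrite(STDERR, 'No AWS credentials available: ' . $e->getMessage() . "\n");
    exit(1);
}
```

A `long-term` result on an Amazon EC2 instance means an environment variable or credentials file took precedence over the instance's IAM role.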

Other Ways to Add Credentials

You can also add credentials in these ways:

  • Using a credential provider.

    Provide custom logic for credentials when constructing the client.

  • Using temporary credentials from AWS STS.

    When using a multi-factor authentication (MFA) token for two-factor authentication, use AWS STS to give the user temporary credentials to access AWS services or use the AWS SDK for PHP.

  • Using hard-coded credentials (not recommended).

Warning

Hard-coding your credentials can be dangerous, because it's easy to accidentally commit your credentials into an SCM repository. This can potentially expose your credentials to more people than you intend. It can also make it difficult to rotate credentials in the future. Do not submit code with hard-coded credentials to your source control.

  • Creating anonymous clients.

    Create a client that isn't associated with any credentials when the service allows anonymous access.

For more information, see AWS Security Credentials Best Practices in the Amazon Web Services General Reference.
