Credentials for the AWS SDK for PHP Version 3
For reference information on available credentials mechanisms for the AWS SDKs, see Credentials and access in the AWS SDKs and Tools Reference Guide.
Important
For security, we strongly recommend that you do not use the root account for AWS access. Always refer to the Security best practices in IAM in the IAM User Guide for the latest security recommendations.
Precedence of settings
When you initialize a new service client without providing any credential arguments, the SDK uses the default credential provider chain to find AWS credentials. The SDK uses the first provider in the chain that returns credentials without an error. To learn more about the chain of sources checked for credentials, see Credential provider chain in the AWS SDKs and Tools Reference Guide.
The AWS SDK for PHP has a series of places that it checks in order to find values for global settings and credential providers. The following is the order of precedence:
-
Any explicit setting set in the code or on a service client itself takes precedence over anything else.
-
Use credentials from environment variables.
Setting environment variables is useful if you’re doing development work on a machine other than an Amazon EC2 instance.
-
Shared config and credentials files.
These are the same files used by other SDKs and the AWS CLI.
Credential providers
-
Provide custom logic for credentials when constructing the client.
-
IAM roles provide applications on the instance with temporary security credentials to make AWS calls. For example, IAM roles offer an easy way to distribute and manage credentials on multiple Amazon EC2 instances.
-
Using temporary credentials from AWS STS.
When using a multi-factor authentication (MFA) token for two-factor authentication, use AWS STS to give the user temporary credentials to access AWS services or use the AWS SDK for PHP.
-
Create a client that isn’t associated with any credentials when the service allows anonymous access.
