Using the AWS Credentials File and Credential Profiles - AWS SDK for PHP

Using the AWS Credentials File and Credential Profiles

A credentials file is a plaintext file that contains your access keys. The file must:

  • Be on the same machine on which you’re running your application.

  • Be named credentials.

  • Be located in the .aws/ folder in your home directory.

The home directory can vary by operating system. On Windows, you can refer to your home directory by using the environment variable %UserProfile%. On Unix-like systems, you can use the environment variable $HOME or ~ (tilde).

If you already use this file for other SDKs and tools (like the AWS CLI), you don’t need to change anything to use the files in this SDK. If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file.

We use this method in all our PHP code examples.

Using an AWS credentials file offers the following benefits:

  • Your projects’ credentials are stored outside of your projects, so there is no chance of accidentally committing them into version control.

  • You can define and name multiple sets of credentials in one place.

  • You can easily reuse the same credentials among projects.

  • Other AWS SDKs and tools support this same credentials file, so you can reuse your credentials with other tools.

The format of the AWS credentials file should look something like the following.

    [default]
    aws_access_key_id = YOUR_AWS_ACCESS_KEY_ID
    aws_secret_access_key = YOUR_AWS_SECRET_ACCESS_KEY

    [project1]
    aws_access_key_id = ANOTHER_AWS_ACCESS_KEY_ID
    aws_secret_access_key = ANOTHER_AWS_SECRET_ACCESS_KEY

Each section (e.g., [default], [project1]) represents a separate credential profile. You can reference profiles from an SDK configuration file, or when you are instantiating a client, by using the profile option.

    <?php
    require 'vendor/autoload.php'; // Composer autoloader that makes the SDK classes available

    use Aws\DynamoDb\DynamoDbClient;

    // Instantiate a client with the credentials from the project1 profile
    $client = new DynamoDbClient([
        'profile' => 'project1',
        'region'  => 'us-west-2',
        'version' => 'latest'
    ]);

If no credentials or profiles were explicitly provided to the SDK and no credentials were defined in environment variables, but a credentials file is defined, the SDK uses the “default” profile. You can change the default profile by specifying an alternate profile name in the AWS_PROFILE environment variable.

Assume Role with Profile

You can configure the AWS SDK for PHP to use an IAM role by defining a profile for the role in ~/.aws/credentials.

Create a new profile with the role_arn for the role you will assume. Also include the source_profile of a profile with credentials that have permissions to assume the IAM role.

Profile in ~/.aws/credentials:

    [default]
    aws_access_key_id = YOUR_AWS_ACCESS_KEY_ID
    aws_secret_access_key = YOUR_AWS_SECRET_ACCESS_KEY

    [project1]
    role_arn = arn:aws:iam::123456789012:role/testing
    source_profile = default
    role_session_name = OPTIONAL_SESSION_NAME

By setting the AWS_PROFILE environment variable to project1, or passing project1 as the profile option when instantiating a client, the role specified in project1 is assumed, using the credentials of the default profile as the source credentials.

Roles can also be assumed for profiles defined in ~/.aws/config. Setting the environment variable AWS_SDK_LOAD_NONDEFAULT_CONFIG enables loading profiles for assuming a role from ~/.aws/config. When enabled, profiles from both ~/.aws/config and ~/.aws/credentials will be loaded. Profiles from ~/.aws/credentials are loaded last and will take precedence over a profile from ~/.aws/config with the same name. Profiles from either location can serve as the source_profile or the profile to be assumed.

Profile in ~/.aws/config:

    [profile project1]
    role_arn = arn:aws:iam::123456789012:role/testing
    ; source credentials come from the [project2] profile in ~/.aws/credentials
    source_profile = project2
    role_session_name = OPTIONAL_SESSION_NAME

Profile in ~/.aws/credentials:

    [project2]
    aws_access_key_id = YOUR_AWS_ACCESS_KEY_ID
    aws_secret_access_key = YOUR_AWS_SECRET_ACCESS_KEY

Using the above files, [project1] will be assumed using [project2] as the source credentials.
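The loading and precedence rules described in this section, modelled as an added Python example that is not part of the SDK or of this guide: it parses constructed ~/.aws/config and ~/.aws/credentials contents (placeholder keys only), loads config profiles only when AWS_SDK_LOAD_NONDEFAULT_CONFIG is set, lets a credentials profile shadow a config profile of the same name, and follows source_profile links to the static keys that will be used to assume the role, rejecting a circular chain.

```python
import configparser

# Constructed sample file contents (placeholder values, not real keys).
# ~/.aws/config uses "[profile NAME]" headers; ~/.aws/credentials uses "[NAME]".
CONFIG_INI = """
[profile project1]
role_arn = arn:aws:iam::123456789012:role/testing
source_profile = project2
role_session_name = OPTIONAL_SESSION_NAME
[profile project2]
role_arn = arn:aws:iam::123456789012:role/shadowed
source_profile = default
"""
CREDENTIALS_INI = """
[default]
aws_access_key_id = YOUR_AWS_ACCESS_KEY_ID
aws_secret_access_key = YOUR_AWS_SECRET_ACCESS_KEY
[project2]
aws_access_key_id = ANOTHER_AWS_ACCESS_KEY_ID
aws_secret_access_key = ANOTHER_AWS_SECRET_ACCESS_KEY
"""

def parse_profiles(text, strip_prefix):
    """Parse INI text into {profile_name: {key: value}}; AWS files use '=' only."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(text)
    return {(s[8:] if strip_prefix and s.startswith("profile ") else s): dict(cp[s])
            for s in cp.sections()}

def load_profiles(credentials_text, config_text, env):
    """Config profiles load only with AWS_SDK_LOAD_NONDEFAULT_CONFIG set;
    a credentials profile overrides a config profile of the same name."""
    profiles = {}
    if "AWS_SDK_LOAD_NONDEFAULT_CONFIG" in env:
        profiles.update(parse_profiles(config_text, strip_prefix=True))
    profiles.update(parse_profiles(credentials_text, strip_prefix=False))  # loaded last, wins
    return profiles

def resolve(profiles, name, chain=()):
    """Follow source_profile links to the static keys used to assume the role."""
    if name in chain:
        raise ValueError("circular source_profile chain: " + " -> ".join(chain + (name,)))
    p = profiles[name]  # KeyError if the profile exists in neither file
    if "role_arn" not in p:
        return {"access_key_id": p["aws_access_key_id"],
                "secret_access_key": p["aws_secret_access_key"]}
    if "source_profile" not in p:
        raise ValueError(f"profile {name!r} has role_arn but no source_profile")
    return {"role_arn": p["role_arn"], "role_session_name": p.get("role_session_name"),
            "source": resolve(profiles, p["source_profile"], chain + (name,))}
```

With the environment variable set, resolving project1 yields the testing role backed by the project2 keys from the credentials file; the [profile project2] entry in config is shadowed, and without the variable project1 is not loaded at all.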