AWS SDK for PHP
Developer Guide

Using the AWS Credentials File and Credential Profiles

A credentials file is a plaintext file that contains your access keys. The file must:

  • Be on the same machine on which you're running your application.

  • Be named credentials.

  • Be located in the .aws/ folder in your home directory.

The home directory can vary by operating system. On Windows, you can refer to your home directory by using the environment variable %UserProfile%. On Unix-like systems, you can use the environment variable $HOME or ~ (tilde).

If you already use this file for other SDKs and tools (like the AWS CLI), you don't need to change anything to use the files in this SDK. If you use different credentials for different tools or applications, you can use profiles to configure multiple access keys in the same configuration file.

We use this method in all our PHP code examples.

Using an AWS credentials file offers the following benefits:

  • Your projects' credentials are stored outside of your projects, so there is

    no chance of accidentally committing them into version control.

  • You can define and name multiple sets of credentials in one place.

  • You can easily reuse the same credentials among projects.

  • Other AWS SDKs and tools support, this same

    credentials file. This allows you to reuse your credentials with other tools.

The format of the AWS credentials file should look something like the following.

[default] aws_access_key_id = YOUR_AWS_ACCESS_KEY_ID aws_secret_access_key = YOUR_AWS_SECRET_ACCESS_KEY [project1] aws_access_key_id = ANOTHER_AWS_ACCESS_KEY_ID aws_secret_access_key = ANOTHER_AWS_SECRET_ACCESS_KEY

Each section (e.g., [default], [project1]), represents a separate credential profile. You can reference profiles from an SDK configuration file, or when you are instantiating a client, by using the profile option.

use Aws\DynamoDb\DynamoDbClient; // Instantiate a client with the credentials from the project1 profile $client = new DynamoDbClient([ 'profile' => 'project1', 'region' => 'us-west-2', 'version' => 'latest' ]);

If no credentials or profiles were explicitly provided to the SDK and no credentials were defined in environment variables, but a credentials file is defined, the SDK uses the "default" profile. You can change the default profile by specifying an alternate profile name in the AWS_PROFILE environment variable.