Static credentials
For basics on static credentials, see AWS account root user credentials and IAM identities and Understanding and getting your AWS credentials in the Amazon Web Services General Reference.
The AWS SDK automatically uses these AWS credentials to sign API requests to AWS, so that your workloads can access your AWS resources and data securely and conveniently. If you use an IAM role, these temporary AWS credentials are refreshed multiple times a day.
Note
If AWS becomes unable to refresh these temporary credentials, AWS may extend the validity of the credentials so that your workloads are not impacted.
For instructions on how to obtain these values, see Authenticate using short-term credentials. The shared AWS credentials
file is the recommended location for
storing credentials information because it is safely outside of application source
directories and separate from the SDK-specific settings of the shared config
file.
Configure this functionality by using the following:
aws_access_key_id
- shared AWSconfig
file settingaws_access_key_id
- shared AWScredentials
file setting (recommended method)AWS_ACCESS_KEY_ID
- environment variable-
Specifies the AWS access key used as part of the credentials to authenticate the user.
aws_secret_access_key
- shared AWSconfig
file settingaws_secret_access_key
- shared AWScredentials
file setting (recommended method)AWS_SECRET_ACCESS_KEY
- environment variable-
Specifies the AWS secret key used as part of the credentials to authenticate the user.
aws_session_token
- shared AWSconfig
file settingaws_session_token
- shared AWScredentials
file setting (recommended method)AWS_SESSION_TOKEN
- environment variable-
Specifies an AWS session token used as part of the credentials to authenticate the user. You receive this value as part of the temporary credentials returned by successful requests to assume a role. A session token is required only if you manually specify temporary security credentials. However, we recommend you always use temporary security credentials instead of long-term credentials. For security recommendations, see Security best practices in IAM.
Example of setting these required values in the config
or
credentials
file:
[default] aws_access_key_id =
AKIAIOSFODNN7EXAMPLE
aws_secret_access_key =wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token =AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
Linux/macOS example of setting environment variables via command line:
export AWS_ACCESS_KEY_ID=
AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
Windows example of setting environment variables via command line:
setx AWS_ACCESS_KEY_ID
AKIAIOSFODNN7EXAMPLE
setx AWS_SECRET_ACCESS_KEYwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
setx AWS_SESSION_TOKENAQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
Compatibility with AWS SDKS
The following SDKs support the features and settings described on this page, any partial exceptions are noted:
SDK | Supported | Notes or more information |
---|---|---|
AWS CLI v2 | Yes | |
SDK for C++ | Yes | shared config file not supported. |
SDK for Go V2 (1.x) |
Yes | |
SDK for Go 1.x (V1) | Yes | |
SDK for Java 2.x | Yes | |
SDK for Java 1.x | Yes | |
SDK for JavaScript 3.x | Yes | |
SDK for JavaScript 2.x | Yes | |
SDK for .NET 3.x | Yes | Environment variables not supported. |
SDK for PHP 3.x | Yes | |
SDK for Python (Boto3) |
Yes | |
SDK for Ruby 3.x | Yes |