AWS access keys
Warning
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as AWS IAM Identity Center.
AWS access keys for an IAM user can be used as your AWS credentials. The AWS SDK
automatically uses these AWS credentials to sign API requests to AWS, so that your
workloads can access your AWS resources and data securely and conveniently. It is
recommended to always use the aws_session_token so that the credentials are
temporary and no longer valid after they expire. Using long term credentials is not
recommended.
Note
If AWS becomes unable to refresh these temporary credentials, AWS may extend the validity of the credentials so that your workloads are not impacted.
The shared AWS credentials file is the recommended location for storing credentials information
because it is safely outside of application source directories and separate from the
SDK-specific settings of the shared config file.
To learn more about AWS credentials and using access keys, see AWS security credentials and Managing access keys for IAM users in the IAM User Guide.
Configure this functionality by using the following:
aws_access_key_id- shared AWSconfigfile settingaws_access_key_id- shared AWScredentialsfile setting (recommended method)AWS_ACCESS_KEY_ID- environment variable-
Specifies the AWS access key used as part of the credentials to authenticate the user.
aws_secret_access_key- shared AWSconfigfile settingaws_secret_access_key- shared AWScredentialsfile setting (recommended method)AWS_SECRET_ACCESS_KEY- environment variable-
Specifies the AWS secret key used as part of the credentials to authenticate the user.
aws_session_token- shared AWSconfigfile settingaws_session_token- shared AWScredentialsfile setting (recommended method)AWS_SESSION_TOKEN- environment variable-
Specifies an AWS session token used as part of the credentials to authenticate the user. You receive this value as part of the temporary credentials returned by successful requests to assume a role. A session token is required only if you manually specify temporary security credentials. However, we recommend you always use temporary security credentials instead of long-term credentials. For security recommendations, see Security best practices in IAM.
For instructions on how to obtain these values, see Authenticate using short-term credentials.
Example of setting these required values in the config or
credentials file:
[default] aws_access_key_id =AKIAIOSFODNN7EXAMPLEaws_secret_access_key =wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYaws_session_token =AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
Linux/macOS example of setting environment variables via command line:
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLEexport AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYexport AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
Windows example of setting environment variables via command line:
setx AWS_ACCESS_KEY_IDAKIAIOSFODNN7EXAMPLEsetx AWS_SECRET_ACCESS_KEYwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYsetx AWS_SESSION_TOKENAQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
Compatibility with AWS SDKS
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted.
| SDK | Supported | Notes or more information |
|---|---|---|
| AWS CLI v2 | Yes | |
| SDK for C++ | Yes | shared config file not supported. |
| SDK for Go V2 (1.x) |
Yes | |
| SDK for Go 1.x (V1) | Yes | To use shared config file settings, you must turn on loading from the config file; see Sessions. |
| SDK for Java 2.x | Yes | |
| SDK for Java 1.x | Yes | |
| SDK for JavaScript 3.x | Yes | |
| SDK for JavaScript 2.x | Yes | |
| SDK for .NET 3.x | Yes | Environment variables not supported. |
| SDK for PHP 3.x | Yes | |
| SDK for Python (Boto3) |
Yes | |
| SDK for Ruby 3.x | Yes |
