Configuration and authentication settings reference - AWS SDKs and Tools

Configuration and authentication settings reference

SDKs provide language-specific APIs for AWS services. They take care of some of the heavy lifting needed to make API calls successfully, including authentication, retry behavior, and more. To do this, the SDKs have flexible strategies to obtain credentials to use for your requests, to maintain settings to use with each service, and to obtain values to use for global settings.

Creating service clients

To programmatically access AWS services, SDKs use a client class/object for each AWS service. For example, if your application needs to access Amazon EC2, your application creates an Amazon EC2 client object to interface with that service. You then use the service client to make requests to that AWS service. A service client object is immutable, so you must create a new client for each service to which you make requests and for making requests to the same service using a different configuration.

Precedence of settings

Global settings configure features, credential providers, and other functionality that are supported by most SDKs and have a broad impact across AWS services. All SDKs have a series of places (or sources) that they check in order to find a value for global settings. The following is the setting lookup precedence:

  1. Any explicit setting set in the code or on a service client itself takes precedence over anything else.

    • Some settings can be set on a per-operation basis, and can be changed as needed for each operation that you invoke. For the AWS CLI or AWS Tools for PowerShell, these take the form of per-operation parameters that you enter on the command line. For an SDK, explicit assignments can take the form of a parameter that you set when you instantiate an AWS service client or configuration object, or sometimes when you call an individual API.

  2. Java/Kotlin only: Sometimes there is a JVM system property associated with the setting. If it’s set, that value is used to configure the client.

  3. The environment variable is checked. If it’s set, that value is used to configure the client.

  4. The SDK checks the shared credentials file and then the shared config file. If the setting is present, the SDK uses it. The AWS_PROFILE environment variable or the aws.profile system property can be used to specify which profile the SDK loads.

  5. Any default value provided by the SDK code base is used last.

Note

If a setting exists in both the config file and the credentials file for the same profile, the value in the credentials file is used instead of the value in the config file.

Note

Some SDKs and tools might check in a different order. Also, some SDKs and tools support other methods of storing and retrieving parameters. For example, the AWS SDK for .NET supports an additional source called the SDK Store. For more information about providers that are unique to an SDK or tool, see the documentation for that SDK or tool.

The order determines which methods take precedence and override others. For example, if you set up a default profile in the shared config file, it's only found and used after the SDK or tool checks the other places first. This means that if you put a setting in the credentials file, it is used instead of one found in the config file. If you configure an environment variable with a setting and value, it would override that setting in both the credentials and config files. And finally, a setting on the individual operation (AWS CLI command-line parameter or API parameter) or in code would override all other values for that one command.
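
The lookup order above, as an added example (not code from any AWS SDK): a simplified Python model that resolves one setting and also reports which lower-precedence sources were shadowed, which is what you want to see when a stale environment variable or credentials-file entry silently wins over the intended profile. The resolve function, the ENV_NAMES subset, and the sample file contents are assumptions made for illustration; the Java/Kotlin system property step is omitted, and real SDKs may check in a different order.

```python
import configparser

# Setting name -> environment variable, as listed in this page's tables.
ENV_NAMES = {"aws_access_key_id": "AWS_ACCESS_KEY_ID", "region": "AWS_REGION",
             "max_attempts": "AWS_MAX_ATTEMPTS"}

# Constructed sample files; the key IDs are placeholders, not real credentials.
CREDENTIALS = """\
[default]
aws_access_key_id = EXAMPLE_ID_FROM_CREDENTIALS_FILE
"""
CONFIG = """\
[default]
region = us-west-2
aws_access_key_id = EXAMPLE_ID_FROM_CONFIG_FILE

[profile audit]
region = eu-west-1
"""


def _section(text, name):
    """Parse INI text and return one section as a dict (empty if absent)."""
    parser = configparser.RawConfigParser()  # no interpolation: values may contain '%'
    parser.read_string(text)
    return dict(parser[name]) if parser.has_section(name) else {}


def resolve(setting, explicit=None, env=None, credentials_text="",
            config_text="", sdk_default=None):
    """Return (value, winning_source, shadowed_sources) for one setting."""
    env = env or {}
    profile = env.get("AWS_PROFILE", "default")
    # The config file names non-default profiles "[profile NAME]";
    # the credentials file uses the bare "[NAME]".
    config_name = "default" if profile == "default" else f"profile {profile}"
    candidates = [
        ("explicit", explicit),
        ("environment", env.get(ENV_NAMES.get(setting, ""))),
        ("credentials file", _section(credentials_text, profile).get(setting)),
        ("config file", _section(config_text, config_name).get(setting)),
        ("sdk default", sdk_default),
    ]
    found = [(src, val) for src, val in candidates if val is not None]
    if not found:
        return None, None, []
    source, value = found[0]
    return value, source, [src for src, _ in found[1:]]
```

A non-empty shadowed list for a credential setting means more than one identity is configured on the host and only the precedence order decides which one signs requests.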

Config file settings list

The settings listed in the following table can be assigned in the shared AWS config file. They are global and affect all AWS services.

Setting name                          Details
api_versions                          General configuration settings
aws_access_key_id                     Static credentials
aws_secret_access_key                 Static credentials
aws_session_token                     Static credentials
ca_bundle                             General configuration settings
credential_process                    Process credentials
credential_source                     Assume role credentials
defaults_mode                         Smart configuration defaults
duration_seconds                      Assume role credentials
ec2_metadata_service_endpoint         IMDS credentials
ec2_metadata_service_endpoint_mode    IMDS credentials
endpoint_discovery_enabled            Endpoint discovery
external_id                           Assume role credentials
max_attempts                          Retry behavior
metadata_service_num_attempts         Amazon EC2 instance metadata
metadata_service_timeout              Amazon EC2 instance metadata
mfa_serial                            Assume role credentials
parameter_validation                  General configuration settings
region                                AWS Region
retry_mode                            Retry behavior
role_arn                              Assume role credentials
role_session_name                     Assume role credentials
s3_disable_multiregion_access_points  Amazon S3 Multi-Region Access Points
s3_use_arn_region                     Amazon S3 access points
source_profile                        Assume role credentials
sso_account_id                        SSO credentials
sso_region                            SSO credentials
sso_role_name                         SSO credentials
sso_start_url                         SSO credentials
sts_regional_endpoints                STS regionalized endpoints
web_identity_token_file               Assume role credentials

Credentials file settings list

The settings listed in the following table can be assigned in the shared AWS credentials file. They are global and affect all AWS services.

Setting name           Details
aws_access_key_id      Static credentials
aws_secret_access_key  Static credentials
aws_session_token      Static credentials

Environment variables list

Environment variables supported by most SDKs are listed in the following table. They are global and affect all AWS services.

Setting name                              Details
AWS_ACCESS_KEY_ID                         Static credentials
AWS_CA_BUNDLE                             General configuration settings
AWS_CONFIG_FILE                           Location of the shared config and credentials files
AWS_CONTAINER_AUTHORIZATION_TOKEN         Container credentials
AWS_CONTAINER_CREDENTIALS_FULL_URI        Container credentials
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI    Container credentials
AWS_DEFAULTS_MODE                         Smart configuration defaults
AWS_EC2_METADATA_SERVICE_ENDPOINT         IMDS credentials
AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE    IMDS credentials
AWS_ENABLE_ENDPOINT_DISCOVERY             Endpoint discovery
AWS_MAX_ATTEMPTS                          Retry behavior
AWS_METADATA_SERVICE_NUM_ATTEMPTS         Amazon EC2 instance metadata
AWS_METADATA_SERVICE_TIMEOUT              Amazon EC2 instance metadata
AWS_PROFILE                               Shared AWS config and credentials files
AWS_REGION                                AWS Region
AWS_RETRY_MODE                            Retry behavior
AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS  Amazon S3 Multi-Region Access Points
AWS_S3_USE_ARN_REGION                     Amazon S3 access points
AWS_SECRET_ACCESS_KEY                     Static credentials
AWS_SESSION_TOKEN                         Static credentials
AWS_SHARED_CREDENTIALS_FILE               Location of the shared config and credentials files
AWS_STS_REGIONAL_ENDPOINTS                STS regionalized endpoints