Standardized credential providers - AWS SDKs and Tools

Standardized credential providers

Many credential providers have been standardized to consistent defaults and to work the same way across many SDKs. This consistency increases productivity and clarity when coding across multiple SDKs. All settings can be overridden in code. For details, see your specific SDK API.


Not all SDKs support all providers, or even all aspects within a provider.

Credential provider chain

All SDKs have a series of places (or sources) that they check in order to find valid credentials to use to make a request to an AWS service. After valid credentials are found, the search is stopped. This systematic search is called the default credential provider chain. Although the distinct chain used by each SDK varies, they most often include sources such as the following:

  • Static credentials (such as AWS_ACCESS_KEY_ID). For more information, see Static credentials.

  • Web identity token from AWS Security Token Service (AWS STS). For more information, see Assume role credentials.

  • AWS IAM Identity Center (successor to AWS Single Sign-On). For more information, see SSO credentials.

  • Trusted entity provider (such as AWS_ROLE_ARN). For more information, see Assume role credentials.

  • Amazon Elastic Container Service (Amazon ECS) credentials. For more information, see Container credentials.

  • Custom credential provider. For more information, see Process credentials.

  • Amazon Elastic Compute Cloud (Amazon EC2) instance profile credentials (IMDS credential provider). For more information, see IMDS credentials.

For each step in the chain, there are a variety of ways to assign setting values. Setting values specified in code always take precedence, but there are also Environment variables and the Shared AWSconfig and credentials files. For more information, see Precedence of settings.