Standardized credential providers - AWS SDKs and Tools

Standardized credential providers

Many credential providers have been standardized to consistent defaults and to work the same way across many SDKs. This consistency increases productivity and clarity when coding across multiple SDKs. All settings can be overridden in code. For details, see your specific SDK API.


Not all SDKs support all providers, or even all aspects within a provider.

Credential provider chain

All SDKs have a series of places (or sources) that they check in order to find valid credentials to use to make a request to an AWS service. After valid credentials are found, the search is stopped. This systematic search is called the default credential provider chain.

Although the distinct chain used by each SDK varies, they most often include sources such as the following:

| Credential provider | Description |
| --- | --- |
| AWS access keys | AWS access keys for an IAM user (such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY). |
| Federate with web identity or OpenID Connect - Assume role credential provider | Sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. Assume the permissions of an IAM role using a web identity token from AWS Security Token Service (AWS STS). |
| IAM Identity Center credential provider | Get credentials from AWS IAM Identity Center. |
| Assume role credential provider | Get access to other resources by assuming the permissions of an IAM role. (Retrieve and then use temporary credentials for a role.) |
| Container credential provider | Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS) credentials. The container credential provider fetches credentials for the customer's containerized application. |
| Process credential provider | Custom credential provider. Get your credentials from an external source or process, including IAM Roles Anywhere. |
| IMDS credential provider | Amazon Elastic Compute Cloud (Amazon EC2) instance profile credentials. Associate an IAM role with each of your EC2 instances. Temporary credentials for that role are made available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. |

For each step in the chain, there are multiple ways to assign setting values. Setting values that are specified in code always take precedence. Values can also be supplied through environment variables and through the shared config and credentials files. For more information, see Precedence of settings.
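Because the search stops at the first source that yields credentials, a leftover set of long-lived access keys can silently win over the role-based source you intended. The following is an added example (not AWS SDK code) that audits an environment and a shared config file for which sources from the table are configured and which one a first-match search would pick. The `ORDER` list, the source labels, the sample values and the `/opt/example/get-creds` path are assumptions for illustration, and the check looks only at whether settings are present, not whether the credentials are valid.

```python
import configparser

# Illustrative order only (an assumption): each SDK defines its own chain.
ORDER = ["access_keys_env", "web_identity", "sso", "assume_role",
         "process", "container", "imds"]

def configured_sources(env, config_text, profile="default"):
    """Return the set of chain sources whose settings are present."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = profile if profile == "default" else f"profile {profile}"
    p = cp[section] if cp.has_section(section) else {}
    found = set()
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        found.add("access_keys_env")
    if (env.get("AWS_WEB_IDENTITY_TOKEN_FILE") and env.get("AWS_ROLE_ARN")) \
            or ("web_identity_token_file" in p and "role_arn" in p):
        found.add("web_identity")
    if "sso_session" in p or "sso_start_url" in p:
        found.add("sso")
    if "role_arn" in p and ("source_profile" in p or "credential_source" in p):
        found.add("assume_role")
    if "credential_process" in p:
        found.add("process")
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") or \
            env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI"):
        found.add("container")
    if env.get("AWS_EC2_METADATA_DISABLED", "").lower() != "true":
        found.add("imds")  # only usable on EC2; reachability is not tested here
    return found

def resolve(env, config_text, profile="default", order=ORDER):
    """First configured source wins; return it plus the sources it shadows."""
    found = configured_sources(env, config_text, profile)
    hits = [s for s in order if s in found]
    return (hits[0], hits[1:]) if hits else (None, [])

# Constructed sample input: stale static keys left in a container's environment.
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "AKIA-CONSTRUCTED-EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret-not-real",
    "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/constructed",
}
SAMPLE_CONFIG = "[default]\ncredential_process = /opt/example/get-creds\n"

if __name__ == "__main__":
    winner, shadowed = resolve(SAMPLE_ENV, SAMPLE_CONFIG)
    print(f"selected: {winner}; never consulted: {shadowed}")
```

Pass the order documented for your SDK as `order` before relying on the result, since each SDK's chain differs.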