Standardized credential providers
Many credential providers have been standardized to consistent defaults and to work the same way across many SDKs. This consistency increases productivity and clarity when coding across multiple SDKs. All settings can be overridden in code. For details, see your specific SDK API.
Important
Not all SDKs support all providers, or even all aspects within a provider.
Credential provider chain
All SDKs have a series of places (or sources) that they check in order to find valid credentials to use to make a request to an AWS service. After valid credentials are found, the search is stopped. This systematic search is called the default credential provider chain. Although the distinct chain used by each SDK varies, they most often include sources such as the following:
- Static credentials (such as AWS_ACCESS_KEY_ID). For more information, see Static credentials.
- Web identity token from AWS Security Token Service (AWS STS). For more information, see Assume role credential provider.
- AWS IAM Identity Center (successor to AWS Single Sign-On). For more information, see IAM Identity Center credential provider.
- Trusted entity provider (such as AWS_ROLE_ARN). For more information, see Assume role credential provider.
- Amazon Elastic Container Service (Amazon ECS) credentials. For more information, see Container credential provider.
- Custom credential provider. For more information, see Process credential provider.
- Amazon Elastic Compute Cloud (Amazon EC2) instance profile credentials (IMDS credential provider). For more information, see IMDS credential provider.
For each step in the chain, there are a variety of ways to assign setting values. Setting values specified in code always take precedence, but there are also Environment variables and the Shared config and credentials files. For more information, see Precedence of settings.
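The following is an added example, not code from any AWS SDK: an offline model of the ordered search described above, which reports the first configured source and the later configured sources that the search never reaches (for instance, a leftover static key pair shadowing the container role). Assumptions: the order is the one listed on this page (each SDK's actual chain may differ), the checks are simplified to "the relevant settings are present", and the function names, the imds_reachable flag and the sample values are constructed for illustration.

```python
# Added example: offline model of a default credential provider chain.
# The order follows the list on this page; a real SDK's chain may differ.

def _has(d, *keys):
    """True when every key is present with a non-empty value."""
    return all(d.get(k) for k in keys)

# (source name, check(env, profile, imds_reachable)) in search order.
CHAIN = [
    ("static credentials", lambda e, p, i:
        _has(e, "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
        or _has(p, "aws_access_key_id", "aws_secret_access_key")),
    ("web identity token", lambda e, p, i:
        _has(e, "AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN")
        or _has(p, "web_identity_token_file", "role_arn")),
    ("IAM Identity Center", lambda e, p, i:
        _has(p, "sso_session") or _has(p, "sso_start_url")),
    ("trusted entity (assume role)", lambda e, p, i:
        _has(p, "role_arn")
        and (_has(p, "source_profile") or _has(p, "credential_source"))),
    ("container credentials", lambda e, p, i:
        _has(e, "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
        or _has(e, "AWS_CONTAINER_CREDENTIALS_FULL_URI")),
    ("process credentials", lambda e, p, i: _has(p, "credential_process")),
    # Simplification: the caller states whether IMDS is reachable.
    ("EC2 instance profile (IMDS)", lambda e, p, i: bool(i)),
]

def resolve(env, profile, imds_reachable=False):
    """Return (selected, shadowed): the first configured source, and the
    later configured sources that the search never reaches."""
    hits = [name for name, check in CHAIN if check(env, profile, imds_reachable)]
    return (hits[0], hits[1:]) if hits else (None, [])

# Constructed sample: a container task that also inherited a static key pair.
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "AKIA-CONSTRUCTED-EXAMPLE",        # not a real key
    "AWS_SECRET_ACCESS_KEY": "constructed-secret-value",    # not a real secret
    "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/constructed-id",
}

if __name__ == "__main__":
    selected, shadowed = resolve(SAMPLE_ENV, profile={})
    print("selected:", selected)
    print("configured but never reached:", shadowed)
```

A non-empty second value is worth reviewing: it means the workload is running with a different identity than the one its role or profile configuration suggests.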