Installation guide
• How many sets of credentials you are using
• The type of project you are developing (e.g., application, CLI, library)
• How often you rotate your credentials
• If you rely on temporary or federated credentials
• Your deployment process
• Your application framework
Regardless of the technique you use, follow the IAM Best Practices when managing your credentials, including the
recommendation not to use your AWS account's root credentials. Instead, create separate IAM users with their own
access keys for each project, and tailor each user's permissions to that project.
In general, it is recommended that you use IAM roles when running your application on Amazon EC2 and use
environment variables elsewhere.
Using credentials from environment variables
If you do not provide credentials to a client object at the time of its instantiation (e.g., via the client's factory method
or via a service builder configuration), the SDK will attempt to find credentials in your environment when you call
your first operation. The SDK will use the $_SERVER superglobal and getenv() function to look for the
AWS_ACCESS_KEY_ID and AWS_SECRET_KEY environment variables. These credentials are often called
environment credentials.
If you are hosting your application on AWS Elastic Beanstalk, you can set the AWS_ACCESS_KEY_ID and
AWS_SECRET_KEY environment variables on the AWS Elastic Beanstalk console so that the SDK can use those
credentials automatically.
Using IAM roles for Amazon EC2 instances
Using IAM roles is the preferred technique for providing credentials to applications running on Amazon EC2. IAM
roles remove the need to worry about credential management from your application. They allow an instance to
"assume" a role by retrieving temporary credentials from the EC2 instance's metadata server. These temporary
credentials, often referred to as instance profile credentials, allow access to the actions and resources that the
role's policy allows.
When launching an EC2 instance, you can choose to associate it with an IAM role. Any application running on that
EC2 instance is then allowed to assume the associated role. Amazon EC2 handles all the legwork of securely
authenticating instances to the IAM service to assume the role and periodically refreshing the retrieved role
credentials, keeping your application secure with almost no work on your part.
If you do not explicitly provide credentials to the client object and no environment variable credentials are available,
the SDK attempts to retrieve instance profile credentials from an Amazon EC2 instance metadata server. These
credentials are available only when running on Amazon EC2 instances that have been configured with an IAM role.
Note
Instance profile credentials and other temporary credentials generated by the AWS Security Token Service
(AWS STS) are not supported by every service. Please check if the service you are using supports temporary
credentials by reading AWS Services that Support AWS STS.
For more information, see IAM Roles for Amazon EC2.
Caching IAM role credentials
While IAM role credentials are the preferred method for providing credentials to an application running on an
Amazon EC2 instance, the round trip from the application to the instance metadata server on each request can
introduce latency. In these situations, a caching layer on top of your IAM role credentials can eliminate that
latency.
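The following is an added example, not code from the original guide: it resolves credentials by the order described above (explicit, then environment, then instance profile) and caches the temporary role credentials on disk. It assumes the AWS SDK for PHP v2 installed with Composer (Guzzle 3 and Doctrine Cache available), the v2 `credentials.cache` client option, and a placeholder cache directory.

```php
<?php
// Added example (not part of the original guide). Assumes AWS SDK for PHP v2
// installed via Composer, which brings in Guzzle 3 and Doctrine Cache.
require 'vendor/autoload.php';

use Aws\Common\Credentials\Credentials;
use Aws\Common\Exception\InstanceProfileCredentialsException;
use Aws\S3\S3Client;
use Doctrine\Common\Cache\FilesystemCache;
use Guzzle\Cache\DoctrineCacheAdapter;

// 1. No explicit key/secret passed: the SDK looks for AWS_ACCESS_KEY_ID and
//    AWS_SECRET_KEY in $_SERVER and getenv(), and otherwise falls back to the
//    EC2 instance metadata server (instance profile credentials).
//    Credentials::factory() applies that same resolution order.
$credentials = Credentials::factory(array());
printf("Credentials provider: %s\n", get_class($credentials));

// 2. Cache the temporary role credentials so that each request does not
//    round-trip to the metadata server. The cache holds live credentials, so
//    keep the directory private to the application user (mode 0700) instead
//    of a world-readable shared location such as /tmp.
$cacheDir = '/var/cache/myapp/aws';   // placeholder path, adjust to your deployment
if (!is_dir($cacheDir) && !mkdir($cacheDir, 0700, true)) {
    fwrite(STDERR, "Cannot create credential cache directory\n");
    exit(1);
}
$cache = new DoctrineCacheAdapter(new FilesystemCache($cacheDir));

$s3 = S3Client::factory(array(
    'region'            => 'us-east-1',
    // Wraps the resolved credentials in a cache-aware provider; cached
    // credentials still carry their expiry and are refreshed when stale.
    'credentials.cache' => $cache,
));

// 3. Force resolution once so a misconfigured host fails fast and clearly,
//    rather than on the first real API call.
try {
    $resolved = $s3->getCredentials();
    printf("Using access key ID %s\n", $resolved->getAccessKeyId());
} catch (InstanceProfileCredentialsException $e) {
    fwrite(STDERR, "No credentials found: set the environment variables "
        . "or launch the instance with an IAM role\n");
    exit(1);
}
```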
Providing Credentials to the SDK
20