Default credentials provider chain - Amazon SDK for Java 2.x

Default credentials provider chain

The default credentials provider chain is implemented by the DefaultCredentialsProvider class. It sequentially checks each place where you can set the default configuration for supplying temporary credentials, and then selects the first one you set.

To use the default credentials provider chain to supply temporary credentials, create a service client builder but don't specify a credentials provider. The following code snippet creates a DynamoDbClient that uses the default credentials provider chain to locate and retrieve default configuration settings.

Region region = Region.US_WEST_2;
DynamoDbClient ddb = DynamoDbClient.builder()
        .region(region)
        .build();

Credential settings retrieval order

The default credentials provider chain of the SDK for Java 2.x searches for configuration in your environment using a predefined sequence.

  1. Java system properties

    • The SDK uses the SystemPropertyCredentialsProvider class to load temporary credentials from the aws.accessKeyId, aws.secretAccessKey, and aws.sessionToken Java system properties.

      Note

      For information on how to set Java system properties, see the System Properties tutorial on the official Java Tutorials website.

  2. Environment variables

  3. Web identity token from Amazon Security Token Service

  4. The shared credentials and config files

    • The SDK uses the ProfileCredentialsProvider to load IAM Identity Center single sign-on settings or temporary credentials from the [default] profile in the shared credentials and config files.

      The Amazon SDKs and Tools Reference Guide has detailed information about how the SDK for Java works with the IAM Identity Center single sign-on token to get temporary credentials that the SDK uses to call Amazon Web Services.

      Note

      The credentials and config files are shared by various Amazon SDKs and Tools. For more information, see The .aws/credentials and .aws/config files in the Amazon SDKs and Tools Reference Guide.

  5. Amazon ECS container credentials

    • The SDK uses the ContainerCredentialsProvider class to load temporary credentials from the following environment variables:

      AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI

      AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE or AWS_CONTAINER_AUTHORIZATION_TOKEN

  6. Amazon EC2 instance IAM role-provided credentials
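Because the chain stops at the first source that yields credentials, a leftover system property or environment variable can silently take precedence over the container or instance role you meant to use. The following is an added example, not code from the SDK documentation: it probes each source in the order listed above and reports which one would be selected and whether the credentials are temporary. The class name CredentialSourceAudit is hypothetical, and EnvironmentVariableCredentialsProvider, WebIdentityTokenFileCredentialsProvider and InstanceProfileCredentialsProvider are SDK classes that this page does not name. It assumes the SDK's auth module is on the classpath (plus sts for the web identity step).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider;
import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;

// Hypothetical diagnostic class (added example, not part of the SDK).
public class CredentialSourceAudit {

    public static void main(String[] args) {
        // Same order as the retrieval list above; LinkedHashMap keeps insertion order.
        Map<String, AwsCredentialsProvider> chain = new LinkedHashMap<>();
        chain.put("1. Java system properties", SystemPropertyCredentialsProvider.create());
        chain.put("2. Environment variables", EnvironmentVariableCredentialsProvider.create());
        chain.put("3. Web identity token", WebIdentityTokenFileCredentialsProvider.create());
        chain.put("4. Shared credentials/config files", ProfileCredentialsProvider.create());
        chain.put("5. ECS container credentials", ContainerCredentialsProvider.builder().build());
        chain.put("6. EC2 instance role", InstanceProfileCredentialsProvider.create());

        boolean selected = false;
        for (Map.Entry<String, AwsCredentialsProvider> entry : chain.entrySet()) {
            try {
                AwsCredentials creds = entry.getValue().resolveCredentials();
                // A session token marks temporary credentials; its absence
                // means a long-term access key is configured at this source.
                String kind = (creds instanceof AwsSessionCredentials)
                        ? "temporary" : "LONG-TERM (no session token)";
                // Print only the tail of the key ID and never the secret key.
                String id = creds.accessKeyId();
                String tail = id.substring(Math.max(0, id.length() - 4));
                System.out.printf("%-36s %-9s key=****%s %s%n", entry.getKey(),
                        selected ? "shadowed" : "SELECTED", tail, kind);
                selected = true;
            } catch (RuntimeException e) {
                // The SDK throws an unchecked exception when a source
                // has nothing configured or cannot be reached.
                System.out.printf("%-36s not configured%n", entry.getKey());
            }
        }
    }
}
```

Sources reported as "shadowed" hold credentials that the default chain never reaches; outside Amazon EC2 the last step waits for the instance metadata request to time out before reporting "not configured".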