The Amazon SDK for JavaScript V3 API
Reference Guide
Set credentials in Node.js
We recommend that new users who are developing locally and are not given a method of authentication by their employer to set up Amazon IAM Identity Center. For more information, see SDK authentication with Amazon.
There are several ways in Node.js to supply your credentials to the SDK. Some of these are more secure and others afford greater convenience while developing an application. When obtaining credentials in Node.js, be careful about relying on more than one source, such as an environment variable and a JSON file you load. You can change the permissions under which your code runs without realizing the change has happened.
Amazon SDK for JavaScript V3 provides a default credential provider chain in Node.js, so you are not required to supply a credential provider explicitly. The default credential provider chain attempts to resolve the credentials from a variety of different sources in a given precedence, until a credential is returned from the one of the sources. You can find the credential provider chain for SDK for JavaScript V3 here.
Credential provider chain
All SDKs have a series of places (or sources) that they check in order to get valid credentials to use to make a request to an Amazon Web Service. After valid credentials are found, the search is stopped. This systematic search is called the default credential provider chain.
For each step in the chain, there are different ways to set the values. Setting values
directly in code always takes precedence, followed by setting as environment variables, and
then in the shared Amazon config
file. For more information, see Precedence of
settings in the Amazon SDKs and Tools Reference Guide.
The Amazon SDKs and Tools Reference Guide has information on SDK configuration
settings used by all Amazon SDKs and the Amazon CLI. To learn more about how to configure the SDK
through the shared Amazon config
file, see Shared
config and credentials files. To learn more about how to configure the SDK
through setting environment variables, see Environment variables
support.
To authenticate with Amazon, the Amazon SDK for JavaScript checks the credential providers in the order listed in the following table.
Amazon SDK for JavaScript API Reference credential provider method by precedence | Credential provider(s) available | Amazon SDKs and Tools Reference Guide |
---|---|---|
fromEnv()
| Amazon access keys from environment variables | Amazon access keys |
fromSSO() |
Amazon IAM Identity Center. In this guide, see SDK authentication with Amazon. | IAM Identity Center credential provider |
fromIni()
|
Amazon access keys from shared |
|
Trusted entity provider (such as |
||
Web identity token from Amazon Security Token Service (Amazon STS) |
||
Amazon Elastic Container Service (Amazon ECS) credentials |
||
Amazon Elastic Compute Cloud (Amazon EC2) instance profile credentials (IMDS credential provider) |
||
Process credential provider |
||
Amazon IAM Identity Center credentials |
||
fromProcess() |
Process credential provider | Process credential provider |
fromTokenFile() |
Web identity token from Amazon Security Token Service (Amazon STS) | Federate with web identity or OpenID Connect |
fromContainerMetadata() |
Amazon Elastic Container Service (Amazon ECS) credentials | Container credential provider |
fromInstanceMetadata() |
Amazon Elastic Compute Cloud (Amazon EC2) instance profile credentials (IMDS credential provider) | IMDS credential provider |
If you followed the recommended approach for new users to get started, you set up Amazon IAM Identity Center authentication during SDK authentication with Amazon of the Getting started topic. Other authentication methods are useful for different situations. To avoid security risks, we recommend always using short-term credentials. For other authentication method procedures, see Authentication and access in the Amazon SDKs and Tools Reference Guide.
The topics in this section describe how to load credentials into Node.js.