

The Amazon SDK for .NET V3 has entered maintenance mode.

We recommend that you migrate to [Amazon SDK for .NET V4](https://docs.amazonaws.cn/sdk-for-net/v4/developer-guide/welcome.html). For additional details and information on how to migrate, please refer to our [maintenance mode announcement](https://aws.amazon.com/blogs/developer/aws-sdk-for-net-v3-maintenance-mode-announcement/).

# Using legacy credentials


The topics in this section provide information about using long-term or short-term credentials without using Amazon IAM Identity Center.

**Warning**  
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as [Amazon IAM Identity Center](https://docs.amazonaws.cn/singlesignon/latest/userguide/what-is.html).

**Note**  
The information in this topic is for circumstances where you need to obtain and manage short-term or long-term credentials manually. For additional information about short-term and long-term credentials, see [Other ways to authenticate](https://docs.amazonaws.cn/sdkref/latest/guide/access-users.html) in the *Amazon SDKs and Tools Reference Guide*.  
For best security practices, use Amazon IAM Identity Center, as described in [Configure SDK authentication](creds-idc.md).

## Important warnings and guidance for credentials


**Warnings for credentials**
+ ***Do NOT*** use your account's root credentials to access Amazon resources. These credentials provide unrestricted account access and are difficult to revoke.
+ ***Do NOT*** put literal access keys or credential information in your application files. If you do, you create a risk of accidentally exposing your credentials if, for example, you upload the project to a public repository.
+ ***Do NOT*** include files that contain credentials in your project area.
+ Be aware that any credentials stored in the shared Amazon `credentials` file are stored in plaintext.

**Additional guidance for securely managing credentials**

For a general discussion of how to securely manage Amazon credentials, see [Amazon security credentials](https://docs.amazonaws.cn/general/latest/gr/Welcome.html#aws-security-credentials) in the [Amazon Web Services General Reference](https://docs.amazonaws.cn/general/latest/gr/) and [Security best practices and use cases](https://docs.amazonaws.cn/IAM/latest/UserGuide/IAMBestPracticesAndUseCases.html) in the [IAM User Guide](https://docs.amazonaws.cn/IAM/latest/UserGuide/). In addition to those discussions, consider the following:
+ Create additional users, such as users in IAM Identity Center, and use their credentials instead of using your Amazon root user credentials. Credentials for other users can be revoked if necessary or are temporary by nature. In addition, you can apply a policy to each user for access to only certain resources and actions and thereby take a stance of least-privilege permissions.
+ Use [IAM roles for tasks](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/task-iam-roles.html) for Amazon Elastic Container Service (Amazon ECS) tasks.
+ Use [IAM roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) for applications that are running on Amazon EC2 instances.
+ Use [temporary credentials](creds-assign.md#net-dg-config-creds-assign-role) or environment variables for applications that are available to users outside your organization.

**Topics**
+ [Important warnings and guidance for credentials](#net-dg-config-creds-warnings-and-guidelines)
+ [Using the shared Amazon credentials file](creds-file.md)
+ [Using the SDK Store (Windows only)](sdk-store.md)

# Using the shared Amazon credentials file


(Be sure to review the [important warnings and guidance for credentials](net-dg-legacy-creds.md#net-dg-config-creds-warnings-and-guidelines).)

One way to provide credentials for your applications is to create profiles in the *shared Amazon credentials file* and then store credentials in those profiles. This file can be used by the other Amazon SDKs. It can also be used by the [Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/), the [Amazon Tools for Windows PowerShell](https://docs.amazonaws.cn/powershell/latest/userguide/), and the Amazon toolkits for [Visual Studio](https://docs.amazonaws.cn/toolkit-for-visual-studio/latest/user-guide/), [JetBrains](https://docs.amazonaws.cn/toolkit-for-jetbrains/latest/userguide/), and [VS Code](https://docs.amazonaws.cn/toolkit-for-vscode/latest/userguide/).

## General information


By default, the shared Amazon credentials file is located in the `.aws` directory within your home directory and is named `credentials`; that is, `~/.aws/credentials` (Linux or macOS) or `%USERPROFILE%\.aws\credentials` (Windows). For information about alternative locations, see [Location of the shared files](https://docs.amazonaws.cn/sdkref/latest/guide/file-location.html) in the *[Amazon SDKs and Tools Reference Guide](https://docs.amazonaws.cn/sdkref/latest/guide/overview.html)*. Also see [Accessing credentials and profiles in an application](creds-locate.md).

The shared Amazon credentials file is a plaintext file and follows a certain format. For information about the format of Amazon credentials files, see [Format of the credentials file](https://docs.amazonaws.cn/sdkref/latest/guide/file-format.html#file-format-creds) in the *Amazon SDKs and Tools Reference Guide*.

You can manage the profiles in the shared Amazon credentials file in several ways.
+ Use any text editor to create and update the shared Amazon credentials file.
+ Use the [Amazon.Runtime.CredentialManagement](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/NRuntimeCredentialManagement.html) namespace of the Amazon SDK for .NET API, as shown later in this topic.
+ Use commands and procedures for the [Amazon Tools for PowerShell](https://docs.amazonaws.cn/powershell/latest/userguide/specifying-your-aws-credentials.html) and the Amazon toolkits for [Visual Studio](https://docs.amazonaws.cn/toolkit-for-visual-studio/latest/user-guide/credentials.html), [JetBrains](https://docs.amazonaws.cn/toolkit-for-jetbrains/latest/userguide/setup-credentials.html), and [VS Code](https://docs.amazonaws.cn/toolkit-for-vscode/latest/userguide/setup-credentials.html).
+ Use [Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/cli-configure-files.html) commands; for example, `aws configure set aws_access_key_id` and `aws configure set aws_secret_access_key`.

## Examples of profile management


The following sections show examples of profiles in the shared Amazon credentials file. Some of the examples show the result, which can be obtained through any of the credential-management methods described earlier. Other examples show how to use a particular method.

### The default profile


The shared Amazon credentials file will almost always have a profile named *default*. This is where the Amazon SDK for .NET looks for credentials if no other profiles are defined.

The `[default]` profile typically looks something like the following.

```
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

### Create a profile programmatically


This example shows you how to create a profile and save it to the shared Amazon credentials file programmatically. It uses the following classes of the [Amazon.Runtime.CredentialManagement](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/NRuntimeCredentialManagement.html) namespace: [CredentialProfileOptions](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TCredentialProfileOptions.html), [CredentialProfile](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TCredentialProfile.html), and [SharedCredentialsFile](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TSharedCredentialsFile.html).

```
using System;
using Amazon.Runtime.CredentialManagement;
...

// Do not include credentials in your code.
WriteProfile("my_new_profile", SecurelyStoredKeyID, SecurelyStoredSecretAccessKey);
...

void WriteProfile(string profileName, string keyId, string secret)
{
    Console.WriteLine($"Create the [{profileName}] profile...");
    var options = new CredentialProfileOptions
    {
        AccessKey = keyId,
        SecretKey = secret
    };
    var profile = new CredentialProfile(profileName, options);
    var sharedFile = new SharedCredentialsFile();
    sharedFile.RegisterProfile(profile);
}
```

**Warning**  
Code such as this generally shouldn't be in your application. If you include it in your application, take appropriate precautions to ensure that plaintext keys can't possibly be seen in the code, over the network, or even in computer memory.

The following is the profile that's created by this example.

```
[my_new_profile]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

### Update an existing profile programmatically


This example shows you how to programmatically update the profile that was created earlier. It uses the following classes of the [Amazon.Runtime.CredentialManagement](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/NRuntimeCredentialManagement.html) namespace: [CredentialProfile](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TCredentialProfile.html) and [SharedCredentialsFile](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TSharedCredentialsFile.html). It also uses the [RegionEndpoint](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Amazon/TRegionEndpoint.html) class of the [Amazon](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Amazon/N.html) namespace.

```
using Amazon; // RegionEndpoint
using Amazon.Runtime.CredentialManagement;
...

AddRegion("my_new_profile", RegionEndpoint.USWest2);
...

void AddRegion(string profileName, RegionEndpoint region)
{
    var sharedFile = new SharedCredentialsFile();
    CredentialProfile profile;
    if (sharedFile.TryGetProfile(profileName, out profile))
    {
        profile.Region = region;
        sharedFile.RegisterProfile(profile);
    }
}
```

The following is the updated profile.

```
[my_new_profile]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region=us-west-2
```

**Note**  
You can also set the Amazon Region in other locations and by using other methods. For more information, see [Configure the Amazon Region](net-dg-region-selection.md).
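
Because the shared credentials file holds keys in plaintext, it is worth inventorying what it contains. The following added example (not part of the original guide or of AWS sample code) lists the profiles through the same `SharedCredentialsFile` class and flags any that hold a long-term access key; the class name `SharedCredentialsAudit`, the owner-only permission check, and the use of .NET 7 or later (for `File.GetUnixFileMode`) are assumptions of this example.

```csharp
// Added example, not AWS sample code. Requires the AWSSDK.Core package and .NET 7+.
using System;
using System.Collections.Generic;
using System.IO;
using Amazon.Runtime.CredentialManagement;

static class SharedCredentialsAudit   // hypothetical name
{
    // Returns one finding per problem; an empty list means nothing was flagged.
    public static List<string> Audit(SharedCredentialsFile sharedFile)
    {
        var findings = new List<string>();

        foreach (CredentialProfile profile in sharedFile.ListProfiles())
        {
            CredentialProfileOptions o = profile.Options;
            if (string.IsNullOrEmpty(o.AccessKey))
                continue; // no static access key stored in this profile
            if (!string.IsNullOrEmpty(o.Token))
                continue; // a session token marks short-term credentials

            // Never print the key itself; the last four characters identify it.
            string hint = o.AccessKey.Length > 4 ? "..." + o.AccessKey[^4..] : "(short)";
            findings.Add($"[{profile.Name}] long-term access key {hint} stored in plaintext");
        }

        // On Linux and macOS, expect the file to be accessible by its owner only.
        if (!OperatingSystem.IsWindows() && File.Exists(sharedFile.FilePath))
        {
            UnixFileMode mode = File.GetUnixFileMode(sharedFile.FilePath);
            UnixFileMode notOwner = UnixFileMode.GroupRead | UnixFileMode.GroupWrite |
                                    UnixFileMode.OtherRead | UnixFileMode.OtherWrite;
            if ((mode & notOwner) != 0)
                findings.Add($"{sharedFile.FilePath} is accessible to other users ({mode})");
        }
        return findings;
    }

    static int Main()
    {
        List<string> findings = Audit(new SharedCredentialsFile());
        findings.ForEach(Console.WriteLine);
        return findings.Count == 0 ? 0 : 1; // non-zero exit lets a script fail on findings
    }
}
```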

# Using the SDK Store (Windows only)


(Be sure to review the [important warnings and guidelines](net-dg-legacy-creds.md#net-dg-config-creds-warnings-and-guidelines).)

On Windows, the *SDK Store* is another place to create profiles and store encrypted credentials for your Amazon SDK for .NET application. It's located in `%USERPROFILE%\AppData\Local\AWSToolkit\RegisteredAccounts.json`. You can use the SDK Store during development as an alternative to the [shared Amazon credentials file](creds-file.md).

## General information


The SDK Store provides the following benefits:
+ The credentials in the SDK Store are encrypted, and the SDK Store resides in the user's home directory. This limits the risk of accidentally exposing your credentials.
+ The SDK Store also provides credentials to the [Amazon Tools for Windows PowerShell](https://docs.amazonaws.cn/powershell/latest/userguide/) and the [Amazon Toolkit for Visual Studio](https://docs.amazonaws.cn/AWSToolkitVS/latest/UserGuide/).

SDK Store profiles are specific to a particular user on a particular host. You can't copy them to other hosts or other users. This means that you can't reuse SDK Store profiles that are on your development machine for other hosts or developer machines. It also means that you can't use SDK Store profiles in production applications.

You can manage the profiles in the SDK Store in the following ways:
+ Use the graphical user interface (GUI) in the [Amazon Toolkit for Visual Studio](https://docs.amazonaws.cn/toolkit-for-visual-studio/latest/user-guide/credentials.html).
+ Use the [Amazon.Runtime.CredentialManagement](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/NRuntimeCredentialManagement.html) namespace of the Amazon SDK for .NET API, as shown later in this topic.
+ Use commands from the [Amazon Tools for Windows PowerShell](https://docs.amazonaws.cn/powershell/latest/userguide/specifying-your-aws-credentials.html); for example, `Set-AWSCredential` and `Remove-AWSCredentialProfile`.

## Examples of profile management


The following examples show you how to programmatically create and update a profile in the SDK Store.

### Create a profile programmatically


This example shows you how to create a profile and save it to the SDK Store programmatically. It uses the following classes of the [Amazon.Runtime.CredentialManagement](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/NRuntimeCredentialManagement.html) namespace: [CredentialProfileOptions](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TCredentialProfileOptions.html), [CredentialProfile](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TCredentialProfile.html), and [NetSDKCredentialsFile](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TNetSDKCredentialsFile.html).

```
using System;
using Amazon.Runtime.CredentialManagement;
...

// Do not include credentials in your code.
WriteProfile("my_new_profile", SecurelyStoredKeyID, SecurelyStoredSecretAccessKey);
...

void WriteProfile(string profileName, string keyId, string secret)
{
    Console.WriteLine($"Create the [{profileName}] profile...");
    var options = new CredentialProfileOptions
    {
        AccessKey = keyId,
        SecretKey = secret
    };
    var profile = new CredentialProfile(profileName, options);
    var netSdkStore = new NetSDKCredentialsFile();
    netSdkStore.RegisterProfile(profile);
}
```

**Warning**  
Code such as this generally shouldn't be in your application. If it's included in your application, take appropriate precautions to ensure that plaintext keys can't possibly be seen in the code, over the network, or even in computer memory.

The following is the profile that's created by this example.

```
"[generated GUID]" : {
    "AWSAccessKey" : "01000000D08...[etc., encrypted access key ID]",
    "AWSSecretKey" : "01000000D08...[etc., encrypted secret access key]",
    "ProfileType"  : "AWS",
    "DisplayName"  : "my_new_profile"
}
```

### Update an existing profile programmatically


This example shows you how to programmatically update the profile that was created earlier. It uses the following classes of the [Amazon.Runtime.CredentialManagement](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/NRuntimeCredentialManagement.html) namespace: [CredentialProfile](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TCredentialProfile.html) and [NetSDKCredentialsFile](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Runtime/TNetSDKCredentialsFile.html). It also uses the [RegionEndpoint](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Amazon/TRegionEndpoint.html) class of the [Amazon](https://docs.amazonaws.cn/sdkfornet/v3/apidocs/items/Amazon/N.html) namespace.

```
using Amazon; // RegionEndpoint
using Amazon.Runtime.CredentialManagement;
...

AddRegion("my_new_profile", RegionEndpoint.USWest2);
...

void AddRegion(string profileName, RegionEndpoint region)
{
    var netSdkStore = new NetSDKCredentialsFile();
    CredentialProfile profile;
    if (netSdkStore.TryGetProfile(profileName, out profile))
    {
        profile.Region = region;
        netSdkStore.RegisterProfile(profile);
    }
}
```

The following is the updated profile.

```
"[generated GUID]" : {
    "AWSAccessKey" : "01000000D08...[etc., encrypted access key ID]",
    "AWSSecretKey" : "01000000D08...[etc., encrypted secret access key]",
    "ProfileType"  : "AWS",
    "DisplayName"  : "my_new_profile",
    "Region"       : "us-west-2"
}
```

**Note**  
You can also set the Amazon Region in other locations and by using other methods. For more information, see [Configure the Amazon Region](net-dg-region-selection.md).
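
On a Windows development machine, a profile that currently sits in the plaintext shared credentials file can be moved into the encrypted SDK Store with the classes shown in this topic. The following is an added example, not part of the original guide or of AWS sample code; the class name `MoveProfileToSdkStore` and the default profile name are assumptions, and only the credential options and Region are copied.

```csharp
// Added example, not AWS sample code. Requires the AWSSDK.Core package; Windows only.
using System;
using Amazon.Runtime.CredentialManagement;

static class MoveProfileToSdkStore   // hypothetical name
{
    // Copies a profile from the plaintext shared credentials file into the
    // encrypted SDK Store, then removes the plaintext copy. Returns true on success.
    public static bool Move(string profileName)
    {
        if (!OperatingSystem.IsWindows())
            throw new PlatformNotSupportedException("The SDK Store exists only on Windows.");

        var sharedFile = new SharedCredentialsFile();
        if (!sharedFile.TryGetProfile(profileName, out CredentialProfile source))
            return false; // nothing to move

        var netSdkStore = new NetSDKCredentialsFile();
        if (netSdkStore.TryGetProfile(profileName, out _))
            return false; // RegisterProfile would overwrite the existing SDK Store profile

        // Build a fresh profile object for the destination store.
        var copy = new CredentialProfile(source.Name, source.Options) { Region = source.Region };
        netSdkStore.RegisterProfile(copy);

        // Confirm the encrypted copy reads back before deleting the plaintext one.
        if (!netSdkStore.TryGetProfile(profileName, out CredentialProfile stored) ||
            stored.Options.AccessKey != source.Options.AccessKey)
            return false;

        sharedFile.UnregisterProfile(profileName);
        return true;
    }

    static void Main(string[] args)
    {
        string name = args.Length > 0 ? args[0] : "my_new_profile";
        Console.WriteLine(Move(name)
            ? $"Moved [{name}] to the SDK Store."
            : $"[{name}] was not moved.");
    }
}
```

Removing the plaintext copy does not invalidate the key itself. If the shared credentials file was ever exposed, deactivate the key in IAM and issue a new one.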