Credentials for the Amazon SDK for PHP Version 3
For reference information on available credentials mechanisms for the Amazon SDKs, see Credentials and access in the Amazon SDKs and Tools Reference Guide.
Important
For security, we strongly recommend that you do not use the root account for Amazon access. Always refer to the Security best practices in IAM in the IAM User Guide for the latest security recommendations.
Precedence of settings
When you initialize a new service client without providing any credential arguments, the SDK uses the default credential provider chain to find Amazon credentials. The SDK uses the first provider in the chain that returns credentials without an error. To learn more about the chain of sources checked for credentials, see Credential provider chain in the Amazon SDKs and Tools Reference Guide.
The Amazon SDK for PHP has a series of places that it checks in order to find values for global settings and credential providers. The following is the order of precedence:
-
Any explicit setting set in the code or on a service client itself takes precedence over anything else.
-
Use credentials from environment variables.
Setting environment variables is useful if you’re doing development work on a machine other than an Amazon EC2 instance.
-
Shared config and credentials files.
These are the same files used by other SDKs and the Amazon CLI.
Credential providers
-
Provide custom logic for credentials when constructing the client.
-
IAM roles provide applications on the instance with temporary security credentials to make Amazon calls. For example, IAM roles offer an easy way to distribute and manage credentials on multiple Amazon EC2 instances.
-
Using temporary credentials from Amazon STS.
When using a multi-factor authentication (MFA) token for two-factor authentication, use Amazon STS to give the user temporary credentials to access Amazon services or use the Amazon SDK for PHP.
-
Create a client that isn’t associated with any credentials when the service allows anonymous access.