Understand the default credential provider chain
The default credential provider chain is made up of a series of built-in credential providers that the SDK invokes. It is implemented by the defaultProvider credential provider function with no parameters. After valid credentials are found, the search is stopped.
The Amazon SDK for PHP executes credential providers in the following order:
- env provider - The SDK searches for Amazon access keys that have been set as environment variables.
- assumeRoleWithWebIdentityCredentialProvider provider - The SDK searches for IAM role and web identity token file settings.
- At this point in the chain, the SDK looks for configuration in the shared Amazon config and credentials files. The SDK looks for configuration under the "default" profile, but if the AWS_PROFILE environment variable is set, the SDK uses its named profile value.
  - sso provider - The SDK looks for IAM Identity Center configuration settings in the shared config file.
  - process provider - The SDK looks for the credential_process setting in the shared credentials file.
  - ini provider - The SDK looks for the Amazon credentials or IAM role information in the shared credentials file.
  - process provider - The SDK looks for the credential_process setting in the shared config file.
  - ini provider - The SDK looks for the Amazon credentials or IAM role information in the shared config file.
- ecsCredentials provider - The SDK looks for the environment variables AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI that provide information to acquire temporary credentials.
- instanceProfile provider - The SDK uses the EC2 Instance Metadata service to get the IAM role specified in the instance profile. Using the role information, the SDK acquires temporary credentials.
Note
The result of the default provider is automatically memoized.
You can review the code for the chain in the GitHub source code.
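Because the search stops at the first provider that returns credentials, access keys left in environment variables take precedence over a container or instance role. The following added example (not code from the SDK documentation) walks several of the providers in the order listed above and reports which one resolves first. The labels and the function name firstResolvingProvider are this example's own; the sso provider and the config-file variants of process and ini are left out for brevity, and the SDK is assumed to be installed through Composer.

```php
<?php
require 'vendor/autoload.php'; // assumption: aws/aws-sdk-php installed via Composer

use Aws\Credentials\CredentialProvider;

// Same relative order as the chain described above. Labels are this example's own.
// process() and ini() are called without arguments, so they read the shared
// credentials file. The short instance-metadata timeout avoids a long stall
// on hosts that are not EC2 instances.
$providers = [
    'env'             => CredentialProvider::env(),
    'webIdentity'     => CredentialProvider::assumeRoleWithWebIdentityCredentialProvider(),
    'process'         => CredentialProvider::process(),
    'ini'             => CredentialProvider::ini(),
    'ecsCredentials'  => CredentialProvider::ecsCredentials(),
    'instanceProfile' => CredentialProvider::instanceProfile(['timeout' => 1, 'retries' => 0]),
];

/** Returns [label, credentials, skipped] for the first provider that resolves. */
function firstResolvingProvider(array $providers): array
{
    $skipped = [];
    foreach ($providers as $label => $provider) {
        try {
            // Each provider is a callable returning a promise; wait() throws on rejection.
            return [$label, $provider()->wait(), $skipped];
        } catch (\Exception $e) {
            $skipped[$label] = $e->getMessage();
        }
    }
    return [null, null, $skipped];
}

[$label, $creds, $skipped] = firstResolvingProvider($providers);

foreach ($skipped as $name => $reason) {
    echo "skipped  {$name}: {$reason}\n";
}
if ($creds === null) {
    echo "no provider returned credentials\n";
    exit(1);
}

// Print only enough to identify the key; never log the secret key or session token.
$kind    = $creds->getSecurityToken() ? 'temporary' : 'long-term';
$expires = $creds->getExpiration();
printf("resolved %s: %s key ending %s, %s\n", $label, $kind,
    substr($creds->getAccessKeyId(), -4),
    $expires ? 'expires ' . date('c', $expires) : 'no expiry');
```

If the output shows a long-term key from env or ini on a host that is expected to use a role, remove the stray keys, or pass the intended provider to the client through its credentials option so the chain is not consulted.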