
login provider in the SDK for PHP

Aws\Credentials\CredentialProvider::login attempts to load credentials configured by a browser-based login session facilitated by tools like the Amazon CLI. After authentication, Amazon generates temporary credentials that work across local Amazon SDKs and tools.

With this process, you can authenticate using root credentials created during initial account setup, an IAM user, or a federated identity from your identity provider. The Amazon SDK for PHP then automatically manages the temporary credentials for you. This approach enhances security by eliminating the need to store long-term credentials locally.

When you run the aws login command, you can select from your active console sessions or sign in through the browser-based authentication flow. Either path automatically generates temporary credentials. The Amazon SDK for PHP automatically refreshes these credentials, using the Sign-In service, for up to 12 hours.

The login provider attempts to load the access token generated by the previously mentioned login session workflow, based on the profile provided. If no profile is provided when calling the provider, it will attempt to resolve a profile by first checking the AWS_PROFILE environment variable, before falling back to the profile default. In-code configuration can be passed to the provider, where it will look for a region value for the Sign-In service client used for refreshing credentials. If no region is provided in the configuration array, the provider will attempt to resolve a region by checking the AWS_REGION environment variable, then a region value set in the resolved profile. If no region can be found, the provider will return a rejected promise with instructions on how to configure a region.

The provider is called as a part of the default chain and can be called directly.

use Aws\Credentials\CredentialProvider;
use Aws\S3\S3Client;

$provider = CredentialProvider::login(<profile_name>, ['region' => <region>]);

// Cache the results in a memoize function to avoid loading and parsing
// the ini file on every API operation
$provider = CredentialProvider::memoize($provider);

$client = new S3Client([
    'region'      => 'us-west-2',
    'credentials' => $provider
]);

By default, if no credentials configuration is provided on the service client you wish to use, this provider will be called as a part of the defaultProvider() credentials chain. In this scenario, the region of the service client is automatically passed to the login() provider. Also in this scenario, the profile value passed to the login provider will be resolved by checking the AWS_PROFILE environment variable, before falling back to the profile default.
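
The profile and region lookup order described above can be checked before a client is built, so you know which identity and Sign-In region will be used. The following is an added example, not code from the SDK: resolveLoginSettings() is a hypothetical helper, the INI text and environment arrays are constructed samples, and it assumes the profile's region is read from shared-config style sections.

```php
<?php
// Added example, not SDK code. resolveLoginSettings() is a hypothetical helper.
function resolveLoginSettings(?string $profile, array $config, array $env, string $ini): array
{
    // Profile: explicit argument, then AWS_PROFILE, then "default".
    $profile = $profile ?: (($env['AWS_PROFILE'] ?? '') ?: 'default');

    // Assumption: the profile's region is read from shared-config style INI text,
    // where named profiles are "[profile name]" and the default is "[default]".
    $sections = parse_ini_string($ini, true, INI_SCANNER_RAW) ?: [];
    $key = $profile === 'default' ? 'default' : "profile $profile";
    $section = $sections[$key] ?? [];

    // Region: in-code config, then AWS_REGION, then the resolved profile.
    $candidates = [
        'config array'     => $config['region'] ?? null,
        'AWS_REGION'       => $env['AWS_REGION'] ?? null,
        "profile $profile" => $section['region'] ?? null,
    ];
    foreach ($candidates as $source => $region) {
        if (is_string($region) && $region !== '') {
            return ['profile' => $profile, 'region' => $region, 'source' => $source];
        }
    }
    // The SDK provider returns a rejected promise at this point; this sketch throws.
    throw new RuntimeException("No region could be resolved for profile '$profile'.");
}

// Constructed sample config and environments.
$ini = <<<'INI'
[default]
region = us-east-1

[profile dev]
region = eu-west-1
INI;

print_r(resolveLoginSettings(null, [], ['AWS_PROFILE' => 'dev'], $ini));
print_r(resolveLoginSettings('dev', ['region' => 'us-west-2'], ['AWS_REGION' => 'ap-south-1'], $ini));
print_r(resolveLoginSettings(null, [], [], $ini));
try {
    resolveLoginSettings('ci', [], [], $ini);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The returned source field names which input supplied the region, which makes it easy to spot a stray AWS_REGION or AWS_PROFILE value overriding the profile you meant to use.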