Container credential provider - Amazon SDKs and Tools
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Container credential provider

The container credential provider fetches credentials for customer’s containerized application. This credential provider is useful for Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS) customers. SDKs attempt to load credentials from the specified HTTP endpoint through a GET request.

If you use Amazon ECS, we recommend you use a task IAM Role for improved credential isolation, authorization, and auditability. When configured, Amazon ECS sets the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable that the SDKs and tools use to obtain credentials. To configure Amazon ECS for this functionality, see Task IAM role in the Amazon Elastic Container Service Developer Guide.

If you use Amazon EKS, we recommend you use Amazon EKS Pod Identity for improved credential isolation, least privilege, auditability, independent operation, reusability, and scalability. Both your Pod and an IAM role are associated with a Kubernetes service account to manage credentials for your applications. To learn more on Amazon EKS Pod Identity, see Amazon EKS Pod Identities in the Amazon EKS User Guide. When configured, Amazon EKS sets the AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variables that the SDKs and tools use to obtain credentials. For setup information, see Setting up the Amazon EKS Pod Identity Agent in the Amazon EKS User Guide or Amazon EKS Pod Identity simplifies IAM permissions for applications on Amazon EKS clusters at the Amazon Blog website.

Configure this functionality by using the following:

AWS_CONTAINER_CREDENTIALS_FULL_URI - environment variable

Specifies the full HTTP URL endpoint for the SDK to use when making a request for credentials. This includes both the scheme and the host.

Default value: None.

Valid values: Valid URI.

Note: This setting is an alternative to AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and will only be used if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set.

Linux/macOS example of setting environment variables via command line:

export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost/get-credentials

or

export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:8080/get-credentials
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI - environment variable

Specifies the relative HTTP URL endpoint for the SDK to use when making a request for credentials. The value is appended to the default Amazon ECS hostname of 169.254.170.2.

Default value: None.

Valid values: Valid relative URI.

Linux/macOS example of setting environment variables via command line:

export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/get-credentials?a=1
AWS_CONTAINER_AUTHORIZATION_TOKEN - environment variable

Specifies an authorization token in plain text. If this variable is set, the SDK will set the Authorization header on the HTTP request with the environment variable's value.

Default value: None.

Valid values: String.

Note: This setting is an alternative to AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE and will only be used if AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is not set.

Linux/macOS example of setting environment variables via command line:

export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost/get-credential export AWS_CONTAINER_AUTHORIZATION_TOKEN=Basic abcd
AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE - environment variable

Specifies an absolute file path to a file that contains the authorization token in plain text.

Default value: None.

Valid values: String.

Linux/macOS example of setting environment variables via command line:

export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost/get-credential export AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE=/path/to/token

Compatibility with Amazon SDKs

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the Amazon SDK for Java and the Amazon SDK for Kotlin only.

SDK Supported Notes or more information
Amazon CLI v2 Yes
SDK for C++ Yes
SDK for Go V2 (1.x) Yes
SDK for Go 1.x (V1) Yes
SDK for Java 2.x Yes AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN are also used for Lambda SnapStart for Java.
SDK for Java 1.x Yes AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN are also used for Lambda SnapStart for Java.
SDK for JavaScript 3.x Yes
SDK for JavaScript 2.x Yes
SDK for Kotlin Yes
SDK for .NET 3.x Yes
SDK for PHP 3.x Yes
SDK for Python (Boto3) Yes
SDK for Ruby 3.x Yes
SDK for Rust Yes
SDK for Swift Yes
Tools for PowerShell Yes