Amazon access keys - Amazon SDKs and Tools
Compatibility with Amazon SDKs
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon access keys

Warning

To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as Amazon IAM Identity Center.

Amazon access keys for an IAM user can be used as your Amazon credentials. The Amazon SDK automatically uses these Amazon credentials to sign API requests to Amazon, so that your workloads can access your Amazon resources and data securely and conveniently. It is recommended to always use the aws_session_token so that the credentials are temporary and no longer valid after they expire. Using long term credentials is not recommended.

Note

If Amazon becomes unable to refresh these temporary credentials, Amazon may extend the validity of the credentials so that your workloads are not impacted.

The shared Amazon credentials file is the recommended location for storing credentials information because it is safely outside of application source directories and separate from the SDK-specific settings of the shared config file.

To learn more about Amazon credentials and using access keys, see Amazon security credentials and Managing access keys for IAM users in the IAM User Guide.

Configure this functionality by using the following:

aws_access_key_id - shared Amazon config file setting
aws_access_key_id - shared Amazon credentials file setting (recommended method)
AWS_ACCESS_KEY_ID - environment variable
aws.accessKeyId - JVM system property: Java/Kotlin only

Specifies the Amazon access key used as part of the credentials to authenticate the user.

aws_secret_access_key - shared Amazon config file setting
aws_secret_access_key - shared Amazon credentials file setting (recommended method)
AWS_SECRET_ACCESS_KEY - environment variable
aws.secretAccessKey - JVM system property: Java/Kotlin only

Specifies the Amazon secret key used as part of the credentials to authenticate the user.

aws_session_token - shared Amazon config file setting
aws_session_token - shared Amazon credentials file setting (recommended method)
AWS_SESSION_TOKEN - environment variable
aws.sessionToken - JVM system property: Java/Kotlin only

Specifies an Amazon session token used as part of the credentials to authenticate the user. You receive this value as part of the temporary credentials returned by successful requests to assume a role. A session token is required only if you manually specify temporary security credentials. However, we recommend you always use temporary security credentials instead of long-term credentials. For security recommendations, see Security best practices in IAM.

For instructions on how to obtain these values, see Authenticate using short-term credentials.

Example of setting these required values in the config or credentials file:

[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk

Linux/macOS example of setting environment variables via command line:

export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk

Windows example of setting environment variables via command line:

setx AWS_ACCESS_KEY_ID AKIAIOSFODNN7EXAMPLE
setx AWS_SECRET_ACCESS_KEY wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
setx AWS_SESSION_TOKEN AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk

Compatibility with Amazon SDKs

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the Amazon SDK for Java and the Amazon SDK for Kotlin only.

SDK Supported Notes or more information
Amazon CLI v2 Yes
SDK for C++ Yes shared config file not supported.
SDK for Go V2 (1.x) Yes
SDK for Go 1.x (V1) Yes To use shared config file settings, you must turn on loading from the config file; see Sessions.
SDK for Java 2.x Yes
SDK for Java 1.x Yes
SDK for JavaScript 3.x Yes
SDK for JavaScript 2.x Yes
SDK for Kotlin Yes
SDK for .NET 3.x Yes Environment variables not supported.
SDK for PHP 3.x Yes
SDK for Python (Boto3) Yes
SDK for Ruby 3.x Yes
SDK for Rust Yes
Tools for PowerShell Yes Environment variables not supported.