Working with Amazon Credentials - Amazon SDK for Java
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Hello {AWSlong} Java community! Please share your experience and help us improve the Amazon SDK for Java and its learning resources by taking a survey. This survey takes approximately 10 minute to complete.

Click here to take the survey

Working with Amazon Credentials

To make requests to Amazon Web Services, you must supply Amazon credentials to the Amazon SDK for Java. You can do this in the following ways:

  • Use the default credential provider chain (recommended).

  • Use a specific credential provider or provider chain (or create your own).

  • Supply the credentials yourself. These can be root account credentials, IAM credentials, or temporary credentials retrieved from Amazon STS.

Important

For security, we strongly recommend that you use IAM users instead of the root account for Amazon access. For more information, see IAM Best Practices in the IAM User Guide.

Using the Default Credential Provider Chain

When you initialize a new service client without supplying any arguments, the Amazon SDK for Java attempts to find Amazon credentials by using the default credential provider chain implemented by the DefaultAWSCredentialsProviderChain class. The default credential provider chain looks for credentials in this order:

  1. Environment variables-AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The Amazon SDK for Java uses the EnvironmentVariableCredentialsProvider class to load these credentials.

  2. Java system properties-aws.accessKeyId and aws.secretKey. The Amazon SDK for Java uses the SystemPropertiesCredentialsProvider to load these credentials.

  3. Web Identity Token credentials from the environment or container.

  4. The default credential profiles file- typically located at ~/.aws/credentials (location can vary per platform), and shared by many of the Amazon SDKs and by the Amazon CLI. The Amazon SDK for Java uses the ProfileCredentialsProvider to load these credentials.

    You can create a credentials file by using the aws configure command provided by the Amazon CLI, or you can create it by editing the file with a text editor. For information about the credentials file format, see Amazon Credentials File Format.

  5. Amazon ECS container credentials- loaded from the Amazon ECS if the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set. The Amazon SDK for Java uses the ContainerCredentialsProvider to load these credentials. You can specify the IP address for this value.

  6. Instance profile credentials- used on EC2 instances, and delivered through the Amazon EC2 metadata service. The Amazon SDK for Java uses the InstanceProfileCredentialsProvider to load these credentials. You can specify the IP address for this value.

    Note

    Instance profile credentials are used only if AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set. See EC2ContainerCredentialsProviderWrapper for more information.

Setting Credentials

To be able to use Amazon credentials, they must be set in at least one of the preceding locations. For information about setting credentials, see the following topics:

Setting an Alternate Credentials Profile

The Amazon SDK for Java uses the default profile by default, but there are ways to customize which profile is sourced from the credentials file.

You can use the Amazon Profile environment variable to change the profile loaded by the SDK.

For example, on Linux, macOS, or Unix you would run the following command to change the profile to myProfile.

export AWS_PROFILE="myProfile"

On Windows you would use the following.

set AWS_PROFILE="myProfile"

Setting the AWS_PROFILE environment variable affects credential loading for all officially supported Amazon SDKs and Tools (including the Amazon CLI and the Amazon Tools for Windows PowerShell). To change only the profile for a Java application, you can use the system property aws.profile instead.

Note

The environment variable takes precedence over the system property.

Setting an Alternate Credentials File Location

The Amazon SDK for Java loads Amazon credentials automatically from the default credentials file location. However, you can also specify the location by setting the AWS_CREDENTIAL_PROFILES_FILE environment variable with the full path to the credentials file.

You can use this feature to temporarily change the location where the Amazon SDK for Java looks for your credentials file (for example, by setting this variable with the command line). Or you can set the environment variable in your user or system environment to change it for the user or systemwide.

To override the default credentials file location

  • Set the AWS_CREDENTIAL_PROFILES_FILE environment variable to the location of your Amazon credentials file.

    • On Linux, macOS, or Unix, use :

      export AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file
    • On Windows, use :

      set AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file

Credentials File Format

When you use the aws configure command to create an Amazon credentials file, the command creates a file with the following format.

[default] aws_access_key_id={YOUR_ACCESS_KEY_ID} aws_secret_access_key={YOUR_SECRET_ACCESS_KEY} [profile2] aws_access_key_id={YOUR_ACCESS_KEY_ID} aws_secret_access_key={YOUR_SECRET_ACCESS_KEY}

The profile name is specified in square brackets (for example, [default]), followed by the configurable fields in that profile as key-value pairs. You can have multiple profiles in your credentials file, which can be added or edited using aws configure --profile PROFILE_NAME to select the profile to configure.

You can specify additional fields, such as aws_session_token, metadata_service_timeout, and metadata_service_num_attempts. These are not configurable with the CLI—​you must edit the file by hand if you want to use them. For more information about the configuration file and its available fields, see Configuring the Amazon Command Line Interface in the Amazon Command Line Interface User Guide.

Loading Credentials

After you set credentials, you can load them by using the default credential provider chain.

To do this, you instantiate an Amazon Web Service client without explicitly providing credentials to the builder, as follows.

AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withRegion(Regions.US_WEST_2) .build();

Specifying a Credential Provider or Provider Chain

You can specify a credential provider that is different from the default credential provider chain by using the client builder.

You provide an instance of a credentials provider or provider chain to a client builder that takes an AWSCredentialsProvider interface as input. The following example shows how to use environment credentials specifically.

AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withCredentials(new EnvironmentVariableCredentialsProvider()) .build();

For the full list of Amazon SDK for Java-supplied credential providers and provider chains, see All Known Implementing Classes in AWSCredentialsProvider.

Note

You can use this technique to supply credential providers or provider chains that you create by using your own credential provider that implements the AWSCredentialsProvider interface, or by subclassing the AWSCredentialsProviderChain class.

Explicitly Specifying Credentials

If the default credential chain or a specific or custom provider or provider chain doesn’t work for your code, you can set credentials that you supply explicitly. If you’ve retrieved temporary credentials using Amazon STS, use this method to specify the credentials for Amazon access.

  1. Instantiate a class that provides the AWSCredentials interface, such as BasicAWSCredentials, and supply it with the Amazon access key and secret key you will use for the connection.

  2. Create an AWSStaticCredentialsProvider with the AWSCredentials object.

  3. Configure the client builder with the AWSStaticCredentialsProvider and build the client.

The following is an example.

BasicAWSCredentials awsCreds = new BasicAWSCredentials("access_key_id", "secret_key_id"); AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withCredentials(new AWSStaticCredentialsProvider(awsCreds)) .build();

When using temporary credentials obtained from STS, create a BasicSessionCredentials object, passing it the STS-supplied credentials and session token.

BasicSessionCredentials sessionCredentials = new BasicSessionCredentials( session_creds.getAccessKeyId(), session_creds.getSecretAccessKey(), session_creds.getSessionToken()); AmazonS3 s3 = AmazonS3ClientBuilder.standard() .withCredentials(new AWSStaticCredentialsProvider(sessionCredentials)) .build();

More Info