- Environment variables such as
AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
- Application code properties (like
boto3.session(region_name='us-west-2', profile_name='account01')
)profile_name=''
and--profile
are used for assuming other roles if you are using API key-based authentication.
- Local credentials profile file (
~/.aws/credentials
)- You can set credential profiles within
~/.aws/credentials
by using [default] , [profileA] ,[profileB] , etc. These credential profiles can be other IAM users or assumed roles.
- You can set credential profiles within
[default]
aws_access_key_id=API_KEY_NAME_EXAMPLE
aws_secret_access_key=API_KEY_SECRET_EXAMPLE
[profileA]
aws_access_key_id=API_KEY_NAME_EXAMPLE
aws_secret_access_key=API_KEY_SECRET_EXAMPLE
Note that in your ~/.aws/config
, each named profile will have to start with profile prefix, for example:
[default]
region=us-west-2
output=json
[profile profileA]
region=us-east-1
output=text
[profile profileB]
region=us-east-1
output=table
For more information on this, please see official AWS documentation on the Named Profiles.
- Amazon ECS container credentials
- Instance profile credentials
- In this case, IAM instance profile (which is a service role) is assigned to the instance and used.
- Please note that IAM roles created in AWS Console automatically have an instance profile created for a role.
- Instance profiles do not need credential files when assuming roles because that information is picked up from EC2 metadata automatically.
- You can run
aws sts assume-role
to grab temporary credentials if needed and then use those with--profile flag
(ensure that you have both~/.aws/config
and~/.aws/credentials
populated). - Otherwise the instance profile will pick those up automatically from EC2 metadata. For more information on this, please see AWS documentation on Retrieving Security Credentials from Instance Metadata.
Comments
comments powered by Disqus