1. Environment variables such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  2. Application code properties (like boto3.Session(region_name='us-west-2', profile_name='account01'))
    • profile_name='' and --profile are used for assuming other roles if you are using API key-based authentication.
  3. Local credentials profile file (~/.aws/credentials)
    • You can set credential profiles within ~/.aws/credentials by using [default], [profileA], [profileB], etc. These credential profiles can be other IAM users or assumed roles.
[default]
aws_access_key_id=API_KEY_NAME_EXAMPLE
aws_secret_access_key=API_KEY_SECRET_EXAMPLE

[profileA]
aws_access_key_id=API_KEY_NAME_EXAMPLE
aws_secret_access_key=API_KEY_SECRET_EXAMPLE

Note that in your ~/.aws/config, each named profile section other than [default] must start with the profile prefix, for example:

[default]
region=us-west-2
output=json

[profile profileA]
region=us-east-1
output=text

[profile profileB]
region=us-east-1
output=table

For more information on this, please see the official AWS documentation on Named Profiles.

  4. Amazon ECS container credentials
  5. Instance profile credentials
    • In this case, IAM instance profile (which is a service role) is assigned to the instance and used.
    • Please note that IAM roles created in the AWS Console automatically have an instance profile created for the role.
    • Instance profiles do not need credential files when assuming roles because that information is picked up from EC2 metadata automatically.
    • You can run aws sts assume-role to grab temporary credentials if needed and then use those with the --profile flag (ensure that you have both ~/.aws/config and ~/.aws/credentials populated).
    • Otherwise the instance profile will pick those up automatically from EC2 metadata. For more information on this, please see the AWS documentation on Retrieving Security Credentials from Instance Metadata.
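
The section-naming rule for ~/.aws/credentials and ~/.aws/config described above is easy to get wrong, so here is a small checker for it. This is an added example, not code from the original page; the function names and the sample file contents are constructed for illustration, and profileB is deliberately written without the prefix.

```python
import configparser

# Constructed sample files based on the page's examples. profileB in CONFIG
# deliberately omits the "profile " prefix to show the mistake being checked.
CREDENTIALS = """\
[default]
aws_access_key_id=API_KEY_NAME_EXAMPLE
aws_secret_access_key=API_KEY_SECRET_EXAMPLE

[profileA]
aws_access_key_id=API_KEY_NAME_EXAMPLE
aws_secret_access_key=API_KEY_SECRET_EXAMPLE
"""
CONFIG = """\
[default]
region=us-west-2

[profile profileA]
region=us-east-1

[profileB]
region=us-east-1
"""

def _parse(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser

def config_section(profile):
    """Section name a profile must use in ~/.aws/config."""
    return "default" if profile == "default" else f"profile {profile}"

def region_for(profile, config_text=CONFIG):
    """Region configured for a profile, or None if its section is not found."""
    return _parse(config_text).get(config_section(profile), "region", fallback=None)

def audit(credentials_text=CREDENTIALS, config_text=CONFIG):
    """Report sections that break the naming rule in either file."""
    creds, conf = _parse(credentials_text), _parse(config_text)
    return {
        # config sections that are neither [default] nor [profile NAME]
        "config_missing_prefix": [s for s in conf.sections()
                                  if s != "default" and not s.startswith("profile ")],
        # the credentials file uses the bare name, so a prefix there is a mistake
        "credentials_with_prefix": [s for s in creds.sections()
                                    if s.startswith("profile ")],
        # profiles with keys but no matching config section (no region/output)
        "credentials_without_config": [s for s in creds.sections()
                                       if not conf.has_section(config_section(s))],
    }
```

To check real files, pass their contents as credentials_text and config_text; only section names are reported, never key values.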
