Credentials
identify who is calling the API.
Access credentials are used to encrypt the request to the AWS servers to confirm
your identity and retrieve associated permissions policies. These permissions
determine the actions you can perform. For information on setting up your
credentials, see
Authentication and access credentials for the
AWS CLI
.
Other configuration details
to tell the AWS CLI how
to process requests, such as the default output format and the default AWS
Region.
AWS requires that all incoming requests are cryptographically signed. The AWS CLI does
this for you. The "signature" includes a date/time stamp. Therefore, you must ensure
that your computer's date and time are set correctly. If you don't, and the date/time in
the signature is too far off of the date/time recognized by the AWS service, AWS
rejects the request.
Credentials and configuration settings are located in multiple places, such as the
system or user environment variables, local AWS configuration files, or explicitly
declared on the command line as a parameter. Certain locations take precedence over
others. The AWS CLI credentials and configuration settings take precedence in the
following order:
Command line
options
– Overrides settings in any other location, such as the
--region
,
--output
, and
--profile
parameters.
Environment
variables
– You can store values in your system's environment
variables.
Assume role
– Assume the permissions of an IAM role through configuration or the
aws sts assume-role
command.
Assume role with web
identity
– Assume the permissions of an IAM role using web
identity through configuration or the
aws sts assume-role
command.
Credentials
file
– The
credentials
and
config
file are
updated when you run the command
aws configure
. The
credentials
file
is located at
~/.aws/credentials
on Linux or macOS, or at
C:\Users\
USERNAME
\.aws\credentials
on
Windows.
Custom
process
– Get your credentials from an external source.
Configuration
file
– The
credentials
and
config
file are
updated when you run the command
aws configure
. The
config
file is
located at
~/.aws/config
on Linux or macOS, or at
C:\Users\
USERNAME
\.aws\config
on
Windows.
Container
credentials
– You can associate an IAM role with each of your
Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to
that task's containers. For more information, see
IAM Roles for Tasks
in the
Amazon Elastic Container Service Developer Guide
.
Amazon EC2
instance profile credentials
– You can associate an IAM role
with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then
available to code running in the instance. The credentials are delivered through the Amazon EC2
metadata service. For more information, see
IAM Roles for Amazon EC2
in the
Amazon EC2 User Guide
and
Using Instance
Profiles
in the
IAM User Guide
.
