Credential settings retrieval order

@startuml
start
floating note: Credential settings retrieval order
: 1. Java system properties;
: 2. environment variables;
: 3. web identity token from AWS STS;
: 4. the shared credentials and config files;
: 5. Amazon ECS container credentials;
: 6. Amazon EC2 instance IAM role-provided credentials;

end
@enduml

The default credentials provider chain of the SDK for Java 2.x searches for configuration in your environment using a predefined sequence.

1. Java system properties

The SDK uses the SystemPropertyCredentialsProvider class to load temporary credentials from the aws.accessKeyId, aws.secretAccessKey, and aws.sessionToken Java system properties.

Note
For information on how to set Java system properties, see the System Properties tutorial on the official Java Tutorials website.

2. Environment variables

The SDK uses the EnvironmentVariableCredentialsProvider class to load temporary credentials from the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables.

3. Web identity token from AWS Security Token Service

The SDK uses the WebIdentityTokenFileCredentialsProvider class to load temporary credentials from Java system properties or environment variables.

4. The shared credentials and config files

The SDK uses the ProfileCredentialsProvider to load IAM Identity Center single sign-on settings or temporary credentials from the [default] profile in the shared credentials and config files.

The AWS SDKs and Tools Reference Guide has detailed information about how the SDK for Java works with the IAM Identity Center single sign-on token to get temporary credentials that the SDK uses to call AWS services.

Note
The credentials and config files are shared by various AWS SDKs and Tools. For more information, see The .aws/credentials and .aws/config files in the AWS SDKs and Tools Reference Guide.

5. Amazon ECS container credentials

The SDK uses the ContainerCredentialsProvider class to load temporary credentials from the following environment variables:

AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI

AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE or AWS_CONTAINER_AUTHORIZATION_TOKEN

6. Amazon EC2 instance IAM role-provided credentials

The SDK uses the InstanceProfileCredentialsProvider class to load temporary credentials from the Amazon EC2 metadata service.
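Because the chain stops at the first source that yields credentials, a leftover static key in a system property or environment variable silently overrides the ECS or EC2 role you meant to use. The following audit is an added example, not code from the SDK or from this page: it applies the six-step order to a set of properties, environment variables and shared-file lines and reports which source would be used and which are shadowed. The class name, method names and sample values are hypothetical, and the web identity setting names are an assumption drawn from the SDK's settings rather than from this page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class CredentialChainAudit {
    // True when every key is present with a non-blank value.
    static boolean has(Map<String, String> m, String... keys) {
        for (String k : keys) {
            String v = m.get(k);
            if (v == null || v.isBlank()) return false;
        }
        return true;
    }
    // Returns the configured sources in chain order: element 0 is the one the
    // default chain would use, the remaining entries are shadowed by it.
    static List<String> configuredSources(Map<String, String> props,
                                          Map<String, String> env,
                                          List<String> sharedFileLines) {
        List<String> found = new ArrayList<>();
        if (has(props, "aws.accessKeyId", "aws.secretAccessKey"))
            found.add("1. Java system properties");
        if (has(env, "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"))
            found.add("2. environment variables");
        // Setting names in this check are not listed on this page (assumption).
        if (has(env, "AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN")
                || has(props, "aws.webIdentityTokenFile", "aws.roleArn"))
            found.add("3. web identity token");
        // Simplification: only the presence of a [default] section is checked.
        if (sharedFileLines.stream().anyMatch(l -> l.trim().equals("[default]")))
            found.add("4. shared credentials and config files");
        if (has(env, "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
                || has(env, "AWS_CONTAINER_CREDENTIALS_FULL_URI"))
            found.add("5. Amazon ECS container credentials");
        // Step 6 needs a call to the EC2 metadata service, so it is listed
        // last as the fallback instead of being probed here.
        found.add("6. Amazon EC2 instance role (fallback, not probed)");
        return found;
    }
    public static void main(String[] args) {
        // Constructed sample: an ECS task whose image also carries static keys.
        Map<String, String> env = Map.of(
                "AWS_ACCESS_KEY_ID", "constructed-key-id",
                "AWS_SECRET_ACCESS_KEY", "constructed-placeholder-secret",
                "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "/constructed/path");
        List<String> found = configuredSources(Map.of(), env, List.of());
        System.out.println("used:     " + found.get(0));
        found.subList(1, found.size()).forEach(s -> System.out.println("shadowed: " + s));
    }
}
```

With the constructed input, the environment variables win and the ECS container credentials are shadowed. To audit a running JVM, pass `System.getenv()` and the entries of `System.getProperties()` instead of the sample maps.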
