{"id":2042,"date":"2025-04-17T09:51:37","date_gmt":"2025-04-17T01:51:37","guid":{"rendered":"https:\/\/www.fanyamin.com\/wordpress\/?p=2042"},"modified":"2025-04-17T09:51:37","modified_gmt":"2025-04-17T01:51:37","slug":"whats-aws-credentials","status":"publish","type":"post","link":"https:\/\/www.fanyamin.com\/wordpress\/?p=2042","title":{"rendered":"what&#8217;s &#8220;~\/.aws\/credentials&#8221;"},"content":{"rendered":"<h2>AWS credentials<\/h2>\n<h3>\ud83d\udd0d What is <code>~\/.aws\/credentials<\/code>?<\/h3>\n<p>This file holds <strong>AWS credentials<\/strong> for different user profiles. It\u2019s read by tools like:<\/p>\n<ul>\n<li>AWS CLI (<code>aws<\/code>)<\/li>\n<li>AWS SDKs (Python boto3, Java SDK, etc.)<\/li>\n<li>Any program using the AWS shared credentials provider<\/li>\n<\/ul>\n<p>Each <strong>profile<\/strong> is a named set of AWS credentials (like <code>default<\/code>, <code>dev-alice<\/code>, etc.), and contains at minimum:<\/p>\n<ul>\n<li><code>aws_access_key_id<\/code><\/li>\n<li><code>aws_secret_access_key<\/code><\/li>\n<\/ul>\n<p>For temporary credentials (like those from SSO or STS), it also includes:<\/p>\n<ul>\n<li><code>aws_session_token<\/code><\/li>\n<\/ul>\n<hr \/>\n<h3>\ud83d\udcc1 File Example Explained<\/h3>\n<pre><code class=\"language-ini\">[default]               # Default profile, used when no --profile flag is given\naws_access_key_id     = xx1\naws_secret_access_key = yy1\naws_session_token     = zz1  # Indicates this is a temporary session (probably from SSO, MFA, or STS)\n\n[dev-alice]             # A named profile for &quot;alice&quot;\naws_access_key_id     = xx2\naws_secret_access_key = yy2\n\n[dev-bob]               # A named profile for &quot;bob&quot;\naws_access_key_id     = xx3\naws_secret_access_key = yy3<\/code><\/pre>\n<p>You can use each profile like:<\/p>\n<pre><code class=\"language-bash\">aws s3 ls --profile dev-bob<\/code><\/pre>\n<hr \/>\n<h3>\ud83d\udee0\ufe0f How to Generate Credentials (via 
CLI)<\/h3>\n<p>There are a few ways to <strong>generate<\/strong> and <strong>populate<\/strong> credentials into this file.<\/p>\n<h4>1. <strong>Manually Adding Long-Term IAM User Credentials<\/strong><\/h4>\n<p>This is the most straightforward (but least secure):<\/p>\n<pre><code class=\"language-bash\">aws configure --profile dev-bob<\/code><\/pre>\n<p>It will prompt:<\/p>\n<pre><code class=\"language-text\">AWS Access Key ID [None]: xx3\nAWS Secret Access Key [None]: yy3\nDefault region name [None]: us-east-1\nDefault output format [None]: json<\/code><\/pre>\n<h4>2. <strong>Using AWS SSO (Recommended for human users)<\/strong><\/h4>\n<pre><code class=\"language-bash\">aws configure sso --profile dev-alice<\/code><\/pre>\n<p>After setup:<\/p>\n<pre><code class=\"language-bash\">aws sso login --profile dev-alice<\/code><\/pre>\n<p>This will populate a <code>~\/.aws\/cli\/cache\/*.json<\/code> file and the credentials file with temporary credentials.<\/p>\n<h4>3. <strong>Using <code>aws sts assume-role<\/code> (For programmatic access)<\/strong><\/h4>\n<p>If you have a role to assume:<\/p>\n<pre><code class=\"language-bash\">aws sts assume-role \\\n  --role-arn arn:aws:iam::123456789012:role\/MyRole \\\n  --role-session-name my-session<\/code><\/pre>\n<p>It will return JSON like:<\/p>\n<pre><code class=\"language-json\">{\n  &quot;Credentials&quot;: {\n    &quot;AccessKeyId&quot;: &quot;xx&quot;,\n    &quot;SecretAccessKey&quot;: &quot;yy&quot;,\n    &quot;SessionToken&quot;: &quot;zz&quot;\n  }\n}<\/code><\/pre>\n<p>You can write this output into the <code>~\/.aws\/credentials<\/code> file manually or using a script.<\/p>\n<h4>4. <strong>Using SSM Agent (as in your case)<\/strong><\/h4>\n<p>SSM Agent can inject temporary credentials into the <code>default<\/code> profile of <code>~\/.aws\/credentials<\/code> <strong>when running in a managed instance with a role<\/strong>. These are automatically rotated. 
You usually don\u2019t generate them manually \u2014 they\u2019re provided when the EC2 instance has an <strong>Instance Profile<\/strong> (IAM role attached).<\/p>\n<hr \/>\n<h3>\ud83d\udd10 Pro Tips<\/h3>\n<ul>\n<li>The <code>default<\/code> profile is used automatically if no profile is specified.<\/li>\n<li>Set the <code>AWS_PROFILE=dev-bob<\/code> environment variable in scripts to use a specific profile.<\/li>\n<li><code>aws sts get-caller-identity --profile dev-bob<\/code> is a great command to verify who you are with each profile.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>AWS credentials \ud83d\udd0d What is ~\/.aws\/credentials? This file holds AWS credentials for different user profiles. It\u2019s read by tools like: AWS CLI (aws) AWS SDKs (Python boto3, Java SDK, etc.) Any program using the AWS shared credentials provider Each profile is a named set of AWS credentials (like default, dev-alice, etc.), and contains at minimum: [&hellip;] <a class=\"read-more\" href=\"https:\/\/www.fanyamin.com\/wordpress\/?p=2042\" title=\"Permanent Link to: what&#8217;s 
&#8220;~\/.aws\/credentials&#8221;\">&rarr;Read&nbsp;more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[],"class_list":["post-2042","post","type-post","status-publish","format-standard","hentry","category-cloud"],"_links":{"self":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2042"}],"collection":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2042"}],"version-history":[{"count":1,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2042\/revisions"}],"predecessor-version":[{"id":2043,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2042\/revisions\/2043"}],"wp:attachment":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2042"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2042"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2042"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}