Source_profile - The boto3 profile that contains credentials we should use for the initial AssumeRole call.Ĭredential_source - The resource (Amazon EC2 instance profile, Amazon ECS container role, or environment variable) that contains the credentials to use for the initial AssumeRole call.Įxternal_id - A unique identifier that is used by third parties to assume a role in their customers’ accounts. Role_arn - The ARN of the role you want to assume. For more information about a particular setting, see the Configuration section. You can specify the following configuration values for configuring an IAM role in Boto3. It will handle in-memory caching as well as refreshing credentials as needed. When you do this, Boto3 will automatically make the corresponding AssumeRole calls to AWS STS on your behalf. Within the ~/.aws/config file, you can also configure a profile to indicate that Boto3 should assume a role. This is a different set of credentials configuration than using IAM roles for EC2 instances, which is discussed in a section below. These are the only supported values in the shared credential file.īelow is a minimal example of the shared credentials file: With each section, the three configuration variables shown above can be specified: aws_access_key_id, aws_secret_access_key, aws_session_token. This file is an INI formatted file with section names corresponding to profiles. You can change the location of the shared credentials file by setting the AWS_SHARED_CREDENTIALS_FILE environment variable. The shared credentials file has a default location of ~/.aws/credentials.
AWS_SESSION_TOKEN is supported by multiple AWS SDKs besides python. The AWS_SECURITY_TOKEN environment variable can also be used, but is only supported for backwards compatibility purposes.
This is only needed when you are using temporary credentials. Environment variables #īoto3 will check these environment variables for credentials:ĪWS_ACCESS_KEY_ID - The access key for your AWS account.ĪWS_SECRET_ACCESS_KEY - The secret key for your AWS account.ĪWS_SESSION_TOKEN - The session key for your AWS account. We do not recommend hard coding credentials in your source code. Note that the examples above do not have hard coded credentials. The first option for providing credentials to Boto3 is passing them as parameters when creating clients:ĪCCESS_KEY, SECRET_KEY, and SESSION_TOKEN are variables that contain your access key, secret key, and optional session token. Loading credentials from some external location, e.g the OS keychain. Retrieving temporary credentials using AWS STS (such as sts.get_session_token()).
There are valid use cases for providing credentials to the client() method and Session object, these include: Instance metadata service on an Amazon EC2 instance that has an IAM role configured.Įach of those locations is discussed in more detail below. Shared credential file ( ~/.aws/credentials)īoto2 config file ( /etc/boto.cfg and ~/.boto) Passing credentials as parameters when creating a Session object Passing credentials as parameters in the boto.client() method The order in which Boto3 searches for credentials is: The mechanism in which Boto3 looks for credentials is to search through a list of possible locations and stop as soon as it finds credentials.
Export cloudwatch metrics to prometheus how to#
For more information on how to configure non-credential configurations, see the Configuration guide.īoto3 will look in several locations when searching for credentials. Non-credential configuration includes items such as which region to use or which addressing style to use for Amazon S3. Credentials include items such as aws_access_key_id, aws_secret_access_key, and aws_session_token.
There are two types of configuration data in Boto3: credentials and non-credentials. Follow the prompts and it will generate configuration files in the correct locations for you.
0 kommentar(er)
