TL;DR: Is passing auth data to a boto3 script in a csv file named as an argument (and not checked in) less secure than a plaintext shared credentials file (the default answer in docs) for any reason?
I want to write a boto3 script intended to run from my laptop that uses an IAM key. The main accepted way to initialize your session is to include the API key, the secret, the region, and (if applicable) your session key in a shared credentials file identified by AWS_SHARED_CREDENTIALS_FILE, or to have the key and secret be environment variables themselves (AWS_ACCESS_KEY_ID, etc.). What I would like to do is load these values in a dictionary auth from a csv or similar file, and then use the keys and values of this dictionary to initialize my boto3.Session. This is easy to do; but, because a utility to load auth data from csv is so obvious and because so few modules provide this utility, I assume there is some security problem with it that I don't know.
Is there a reason the shared credentials file is safer than a csv file with the auth data passed as an argument to the boto3 script? I understand that running this from an EC2 instance with a role assignment is best, but I'm looking for a way to test libraries locally before adding them to one run through role security.
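
The loading step described in the question, as an added example that is not part of the original post: it reads the CSV into the auth dictionary for boto3.Session and refuses a file that is a symlink or is accessible by group or other. The CSV headers (taken from the boto3.Session keyword arguments), the function names and the sample values are assumptions.

```python
import csv
import os
import stat

# boto3.Session keyword arguments this loader passes through (assumed CSV headers).
ALLOWED = ("aws_access_key_id", "aws_secret_access_key",
           "aws_session_token", "region_name")
REQUIRED = ALLOWED[:2]
# Constructed sample file contents; not real credentials.
SAMPLE_CSV = ("aws_access_key_id,aws_secret_access_key,region_name\n"
              "AKIA_CONSTRUCTED_EXAMPLE,constructed-secret-value,us-east-1\n")


def write_sample(path):
    """Create the sample file owner-only (0600) from the start."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        fh.write(SAMPLE_CSV)


def load_auth(path):
    """Return boto3.Session kwargs from a one-row CSV, refusing unsafe files."""
    # O_NOFOLLOW makes the open fail on a symlink; fstat checks the file actually opened.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r", newline="") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: accessible by group/other, expected mode 0600")
        row = next(csv.DictReader(fh), None)
    if row is None:
        raise ValueError(f"{path}: no data row")
    auth = {k: v.strip() for k, v in row.items() if k in ALLOWED and v and v.strip()}
    missing = [k for k in REQUIRED if k not in auth]
    if missing:
        raise ValueError(f"{path}: missing {missing}")  # names only, never values
    return auth


def make_session(path):
    import boto3  # lazy import so load_auth is usable without boto3 installed
    return boto3.Session(**load_auth(path))


if __name__ == "__main__":
    import sys
    print(sorted(load_auth(sys.argv[1])))  # key names only; values are never printed
```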