2
votes

I use AWS services regularly and have my PHP SDK automatically retrieve credentials from my EC2 instance when I connect with Amazon.

I now have a library that I want to use which also requires my AWS secret key and access key to be included when I instantiate the class.

How can I retrieve the current access token and secret key through the AWS PHP SDK so I don't hard code keys into my application?

1
The secret key is only published one time on AWS and is no longer available once you navigate away from credential completion. You cannot do this. - Jay Blanchard
So how would I go about not hard coding my keys for this library: github.com/eddturtle/direct-upload - bertmaclin

1 Answer

3
votes

Where are you storing your AWS Credentials? In a credentials file or IAM Role?

[EDIT after the OP provided specific use case details]

From the link that you provided, modify the example to look like this. Note: I have not tested the code, but this will be close:

// Require Composer's autoloader
require_once __DIR__ . "/vendor/autoload.php";

use Aws\Credentials\Credentials;
use Aws\Credentials\CredentialProvider;
use Aws\Exception\CredentialsException;
use EddTurtle\DirectUpload\Signature;

// Use the default credential provider
$provider = CredentialProvider::defaultProvider();

$credentials = $provider()->wait();

$upload = new Signature(
    $credentials->getAccessKeyId(),
    $credentials->getSecretKey(),
    "YOUR_S3_BUCKET",
    "eu-west-1"
);

[END EDIT]

The simplest answer if you are using a credentials file is to open ~/.aws/credentials in a text editor and extract them. Otherwise follow the details below.

See the bottom for the actual answer on how to extract your access key once you have them loaded.

The following example will create a DynamoDB client using credentials stored in ~/.aws/credentials (normally created by the AWS CLI) from the profile named 'project1':

use Aws\DynamoDb\DynamoDbClient;

$client = new DynamoDbClient([
    'profile' => 'project1',
    'region'  => 'us-west-2',
    'version' => 'latest'
]);

However, usually you will want the SDK to locate your credentials automatically. The AWS SDK will search for your credentials in the following order (not all cases included):

  1. Environment Variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, etc.)
  2. In the default profile section of ~/.aws/credentials
  3. EC2 IAM Role

Normally just use this example and let the SDK find the credentials for you:

use Aws\Credentials\CredentialProvider;
use Aws\S3\S3Client;

// Use the default credential provider
$provider = CredentialProvider::defaultProvider();

// Pass the provider to the client
$client = new S3Client([
    'region'      => 'us-west-2',
    'version'     => '2006-03-01',
    'credentials' => $provider
]);

The SDK has a number of credential providers so that you can control exactly where your credentials are coming from.

PHP Class CredentialProvider

One item is that you mention Access Token. This means that you are using STS Assume Role type of access. The PHP SDK supports this also. Just dig into the documentation for STS:

PHP STS Client

Once you have loaded your credentials into a provider you can use the class Credentials to extract the three components (AccessKeyId, AccessKeySecret, SecurityToken):

PHP Class Credentials
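
The extraction described in the answer above, as an added example that is not part of the original answer: it resolves credentials through a provider, fails closed if none are found, and reports whether they are temporary (session token present) and when they expire. The helper names `resolveAwsCredentials` and `redactKeyId` are hypothetical, the credential values are constructed, and the page does not say whether the direct-upload library accepts a session token.

```php
<?php
// Added example; assumes aws/aws-sdk-php is installed through Composer.
require_once __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\Credentials;
use Aws\Exception\CredentialsException;

// Hypothetical helper: resolve credentials at runtime and return the parts a
// third-party library needs, failing closed instead of using embedded keys.
function resolveAwsCredentials(?callable $provider = null, int $minLifetime = 300): array
{
    $provider = $provider ?? CredentialProvider::defaultProvider();
    try {
        $creds = $provider()->wait();
    } catch (CredentialsException $e) {
        throw new RuntimeException('No AWS credentials available', 0, $e);
    }

    $token   = $creds->getSecurityToken(); // null for long-term IAM user keys
    $expires = $creds->getExpiration();    // Unix timestamp, or null if they do not expire
    if ($expires !== null && $expires - time() < $minLifetime) {
        throw new RuntimeException('AWS credentials expire too soon; resolve again');
    }

    return [
        'key'       => $creds->getAccessKeyId(),
        'secret'    => $creds->getSecretKey(),
        'token'     => $token,
        'expires'   => $expires,
        'temporary' => $token !== null,
    ];
}

// Hypothetical helper: log-safe form of an access key ID.
function redactKeyId(string $id): string
{
    return substr($id, 0, 4) . str_repeat('*', max(0, strlen($id) - 8)) . substr($id, -4);
}

// Constructed sample values standing in for role credentials, so this runs offline.
$sample = CredentialProvider::fromCredentials(
    new Credentials('ASIAEXAMPLEEXAMPLE00', 'constructed-secret', 'constructed-token', time() + 3600)
);
$c = resolveAwsCredentials($sample);
printf("key=%s temporary=%s expires_in=%ds\n", redactKeyId($c['key']), $c['temporary'] ? 'yes' : 'no', $c['expires'] - time());
```

When `temporary` is true, the access key and secret are only valid together with the token and only until `expires`, so resolve them per request rather than caching the extracted strings.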