1
votes

I am curious about how the AWS SDK can access services such as S3 locally without explicitly providing credentials. For example, this Python code is only provided with a bucket name and key name but can still access the file from S3 on my local machine:

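```python
import boto3


def s3():
    bucket = "my-bucket"
    file_name = "folder1/sample.json"

    # No credentials are passed here, so boto3 resolves them itself
    s3 = boto3.client('s3')

    obj = s3.get_object(Bucket=bucket, Key=file_name)
    file_content = obj["Body"].read().decode('utf-8')
    return file_content
```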

Where did the AWS SDK get the credentials? Does it use the role configured using the command aws configure in the CLI? How about if you provide an explicit access key and secret key, what is the level of priority?


1 Answers

2
votes

All of the Amazon SDKs follow a similar pattern. For boto3, they are documented here but for completeness they are:

  1. Passing credentials as parameters in the boto.client() method
  2. Passing credentials as parameters when creating a Session object
  3. Environment variables
  4. Shared credential file (~/.aws/credentials)
  5. AWS config file (~/.aws/config)
  6. Assume Role provider
  7. Boto2 config file (/etc/boto.cfg and ~/.boto)
  8. Instance metadata service on an Amazon EC2 instance that has an IAM role configured.

It depends on how your environment is configured, but it sounds like you have a ~/.aws/credentials file.
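An added example, not part of the original answer and not boto3's own resolver: a standard-library sketch that walks items 1 to 5 of the list above in order and reports which local source would supply credentials first, which helps locate long-lived keys on a workstation. The function names are hypothetical, and it assumes the default file locations and skips items 6 to 8.

```python
import configparser
import os
from pathlib import Path


def mask(key_id):
    """Shorten an access key id so reports never carry the full value."""
    return f"{key_id[:4]}...{key_id[-4:]}"


def key_id_in(path, section):
    """Return aws_access_key_id from `section` of an INI file, or None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)  # a missing file is skipped without error
    if parser.has_section(section):
        return parser.get(section, "aws_access_key_id", fallback=None)
    return None


def locate_credentials(env=None, home=None, explicit_key_id=None):
    """Return (source, masked key id) for the first source that has keys.

    Simplified model of items 1-5 in the answer's list (assumption: default
    file locations; items 6-8 need network or role logic and are skipped).
    """
    env = os.environ if env is None else env
    aws_dir = (Path(home) if home else Path.home()) / ".aws"
    profile = env.get("AWS_PROFILE", "default")

    # Items 1-2: keys handed to client() or Session() win over everything.
    if explicit_key_id:
        return ("explicit-parameters", mask(explicit_key_id))
    # Item 3: environment variables.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return ("environment", mask(env["AWS_ACCESS_KEY_ID"]))
    # Item 4: shared credential file, section named after the profile.
    key_id = key_id_in(aws_dir / "credentials", profile)
    if key_id:
        return ("shared-credentials-file", mask(key_id))
    # Item 5: config file; non-default profiles use "profile <name>" sections.
    section = "default" if profile == "default" else f"profile {profile}"
    key_id = key_id_in(aws_dir / "config", section)
    if key_id:
        return ("config-file", mask(key_id))
    return ("none-found-locally", None)


if __name__ == "__main__":
    print(locate_credentials())
```

A result of "none-found-locally" on a machine where the S3 call still succeeds points at one of the skipped providers, such as an assumed role or the instance metadata service.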