Default credentials provider chain - AWS SDK for Java 2.x

Default credentials provider chain

The default credentials provider chain is implemented by the DefaultCredentialsProvider class. It sequentially checks each place where you can set the default configuration for supplying temporary credentials, and then selects the first one you set.

To use the default credentials provider chain to supply temporary credentials, create a service client builder but don't specify a credentials provider. The following code snippet creates a DynamoDbClient that uses the default credentials provider chain to locate and retrieve default configuration settings.

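    import software.amazon.awssdk.regions.Region;
    import software.amazon.awssdk.services.dynamodb.DynamoDbClient;

    // No credentialsProvider(...) call, so the default credentials provider chain is used.
    Region region = Region.US_WEST_2;
    DynamoDbClient ddb = DynamoDbClient.builder()
            .region(region)
            .build();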

Credential settings retrieval order

The default credentials provider chain of the SDK for Java 2.x searches for configuration in your environment using a predefined sequence.

  1. Java system properties

    • The SDK uses the SystemPropertyCredentialsProvider class to load temporary credentials from the aws.accessKeyId, aws.secretAccessKey, and aws.sessionToken Java system properties.

      Note

      For information on how to set Java system properties, see the System Properties tutorial on the official Java Tutorials website.

  2. Environment variables

  3. Web identity token from AWS Security Token Service

  4. The shared credentials and config files

    • The SDK uses the ProfileCredentialsProvider to load IAM Identity Center single sign-on settings or temporary credentials from the [default] profile in the shared credentials and config files.

      The AWS SDKs and Tools Reference Guide has detailed information about how the SDK for Java works with the IAM Identity Center single sign-on token to get temporary credentials that the SDK uses to call AWS services.

      Note

      The credentials and config files are shared by various AWS SDKs and Tools. For more information, see The .aws/credentials and .aws/config files in the AWS SDKs and Tools Reference Guide.

  5. Amazon ECS container credentials

    • The SDK uses the ContainerCredentialsProvider class to load temporary credentials from the following environment variables:

      AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI

      AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE or AWS_CONTAINER_AUTHORIZATION_TOKEN

  6. Amazon EC2 instance IAM role-provided credentials
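
To check which source in this order actually supplies credentials on a given host, the following added example (not from the AWS documentation) probes each provider class in the listed sequence and reports the first one that resolves. The class name CredentialSourceAudit is hypothetical, and the example assumes the SDK auth module, plus the service modules needed for web identity and IAM Identity Center, is on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Supplier;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.ContainerCredentialsProvider;
import software.amazon.awssdk.auth.credentials.EnvironmentVariableCredentialsProvider;
import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.SystemPropertyCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;

// Hypothetical diagnostic class, not part of the SDK.
public class CredentialSourceAudit {
    public static void main(String[] args) {
        // Insertion order mirrors the retrieval order listed above.
        Map<String, Supplier<AwsCredentialsProvider>> sources = new LinkedHashMap<>();
        sources.put("1. Java system properties", SystemPropertyCredentialsProvider::create);
        sources.put("2. Environment variables", EnvironmentVariableCredentialsProvider::create);
        sources.put("3. Web identity token (STS)", WebIdentityTokenFileCredentialsProvider::create);
        sources.put("4. Shared credentials/config", ProfileCredentialsProvider::create);
        sources.put("5. ECS container credentials", () -> ContainerCredentialsProvider.builder().build());
        sources.put("6. EC2 instance role", InstanceProfileCredentialsProvider::create);

        String winner = null;
        for (Map.Entry<String, Supplier<AwsCredentialsProvider>> source : sources.entrySet()) {
            try {
                AwsCredentials creds = source.getValue().get().resolveCredentials();
                String id = creds.accessKeyId();
                // Print only the tail of the key ID; never log the secret key or session token.
                String tail = id.length() > 4 ? id.substring(id.length() - 4) : "????";
                String kind = creds instanceof AwsSessionCredentials
                        ? "temporary (has session token)" : "long-term key (no session token)";
                System.out.printf("%-30s resolved, key id ...%s, %s%n", source.getKey(), tail, kind);
                if (winner == null) {
                    winner = source.getKey();
                }
            } catch (RuntimeException e) {
                // The SDK throws an unchecked exception when a source is not configured.
                // Off EC2, step 6 fails only after the metadata request times out.
                System.out.printf("%-30s not configured%n", source.getKey());
            }
        }
        System.out.println("Default chain would select: " + (winner == null ? "nothing" : winner));
    }
}
```

If more than one line reports "resolved", the earlier source takes precedence over the later ones, for example environment variables over the ECS or EC2 role credentials.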