The AWS SDK for JavaScript v2 has reached end-of-support. We recommend that you migrate to [AWS SDK for JavaScript v3](https://docs.aws.amazon.com//sdk-for-javascript/v3/developer-guide/). For additional details and information on how to migrate, please refer to this [announcement](https://aws.amazon.com/blogs//developer/announcing-end-of-support-for-aws-sdk-for-javascript-v2/).
# Setting Credentials in Node.js
There are several ways in Node.js to supply your credentials to the SDK. Some of these are more secure and others afford greater convenience while developing an application. When obtaining credentials in Node.js, be careful about relying on more than one source such as an environment variable and a JSON file you load. You can change the permissions under which your code runs without realizing the change has happened.
Here are the ways you can supply your credentials in order of recommendation:
1. Loaded from AWS Identity and Access Management (IAM) roles for Amazon EC2
1. Loaded from the shared credentials file (`~/.aws/credentials`)
1. Loaded from environment variables
1. Loaded from a JSON file on disk
1. Other credential-provider classes provided by the JavaScript SDK
If more than one credential source is available to the SDK, the default precedence of selection is as follows:
1. Credentials that are explicitly set through the service-client constructor
1. Environment variables
1. The shared credentials file
1. Credentials loaded from the ECS credentials provider (if applicable)
1. Credentials that are obtained by using a credential process specified in the shared AWS config file or the shared credentials file. For more information, see [Loading Credentials in Node.js using a Configured Credential Process](loading-node-credentials-configured-credential-process.md).
1. Credentials loaded from AWS IAM using the credentials provider of the Amazon EC2 instance (if configured in the instance metadata)
For more information, see [https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Credentials.html](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Credentials.html) and [https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CredentialProviderChain.html) in the API reference.
**Warning**
While it is possible to do so, we do not recommend hard-coding your AWS credentials in your application. Hard-coding credentials poses a risk of exposing your access key ID and secret access key.
The topics in this section describe how to load credentials into Node.js.
**Topics**
+ [Loading Credentials in Node.js from IAM roles for Amazon EC2](loading-node-credentials-iam.md)
+ [Loading Credentials for a Node.js Lambda Function](loading-node-credentials-lambda.md)
+ [Loading Credentials in Node.js from the Shared Credentials File](loading-node-credentials-shared.md)
+ [Loading Credentials in Node.js from Environment Variables](loading-node-credentials-environment.md)
+ [Loading Credentials in Node.js from a JSON File](loading-node-credentials-json-file.md)
+ [Loading Credentials in Node.js using a Configured Credential Process](loading-node-credentials-configured-credential-process.md)
# Loading Credentials in Node.js from IAM roles for Amazon EC2
If you run your Node.js application on an Amazon EC2 instance, you can leverage IAM roles for Amazon EC2 to automatically provide credentials to the instance. If you configure your instance to use IAM roles, the SDK automatically selects the IAM credentials for your application, eliminating the need to manually provide credentials.
For more information on adding IAM roles to an Amazon EC2 instance, see [Using IAM roles for Amazon EC2 instances](https://docs.aws.amazon.com/sdkref/latest/guide/access-iam-roles-for-ec2.html) in the *AWS SDKs and Tools Reference Guide*.
# Loading Credentials for a Node.js Lambda Function
When you create an AWS Lambda function, you must create a special IAM role that has permission to execute the function. This role is called the *execution role*. When you set up a Lambda function, you must specify the IAM role you created as the corresponding execution role.
The execution role provides the Lambda function with the credentials it needs to run and to invoke other web services. As a result, you do not need to provide credentials to the Node.js code you write within a Lambda function.
For more information about creating a Lambda execution role, see [Manage Permissions: Using an IAM Role (Execution Role)](https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html#lambda-intro-execution-role) in the *AWS Lambda Developer Guide*.
# Loading Credentials in Node.js from the Shared Credentials File
You can keep your AWS credentials data in a shared file used by SDKs and the command line interface. When the SDK for JavaScript loads, it automatically searches the shared credentials file, which is named "credentials". Where you keep the shared credentials file depends on your operating system:
+ The shared credentials file on Linux, Unix, and macOS: `~/.aws/credentials`
+ The shared credentials file on Windows: `C:\Users\USER_NAME\.aws\credentials`
If you do not already have a shared credentials file, see [SDK authentication with AWS](getting-your-credentials.md). Once you follow those instructions, you should see text similar to the following in the credentials file, where ** is your access key ID and ** is your secret access key:
```
[default]
aws_access_key_id =
aws_secret_access_key =
```
For an example showing this file being used, see [Getting Started in Node.js](getting-started-nodejs.md).
The `[default]` section heading specifies a default profile and associated values for credentials. You can create additional profiles in the same shared configuration file, each with its own credential information. The following example shows a configuration file with the default profile and two additional profiles:
```
[default] ; default profile
aws_access_key_id =
aws_secret_access_key =
[personal-account] ; personal account profile
aws_access_key_id =
aws_secret_access_key =
[work-account] ; work account profile
aws_access_key_id =
aws_secret_access_key =
```
By default, the SDK checks the `AWS_PROFILE` environment variable to determine which profile to use. If the `AWS_PROFILE` variable is not set in your environment, the SDK uses the credentials for the `[default]` profile. To use one of the alternate profiles, set or change the value of the `AWS_PROFILE` environment variable. For example, given the configuration file shown above, to use the credentials from the work account, set the `AWS_PROFILE` environment variable to `work-account` (as appropriate for your operating system).
**Note**
When setting environment variables, be sure to take appropriate actions afterwards (according to the needs of your operating system) to make the variables available in the shell or command environment.
After setting the environment variable (if needed), you can run a JavaScript file that uses the SDK, such as for example, a file named `script.js`.
```
$ node script.js
```
You can also explicitly select the profile used by the SDK, either by setting `process.env.AWS_PROFILE` before loading the SDK, or by selecting the credential provider as shown in the following example:
```
var credentials = new AWS.SharedIniFileCredentials({profile: 'work-account'});
AWS.config.credentials = credentials;
```
# Loading Credentials in Node.js from Environment Variables
The SDK automatically detects AWS credentials set as variables in your environment and uses them for SDK requests, eliminating the need to manage credentials in your application. The environment variables that you set to provide your credentials are:
+ `AWS_ACCESS_KEY_ID`
+ `AWS_SECRET_ACCESS_KEY`
+ `AWS_SESSION_TOKEN`
For more details on setting environment variables, see [Environment variables support](https://docs.aws.amazon.com/sdkref/latest/guide/environment-variables.html) in the *AWS SDKs and Tools Reference Guide*.
# Loading Credentials in Node.js from a JSON File
You can load configuration and credentials from a JSON document on disk using `AWS.config.loadFromPath`. The path specified is relative to the current working directory of your process. For example, to load credentials from a `'config.json'` file with the following content:
```
{ "accessKeyId": , "secretAccessKey": , "region": "us-east-1" }
```
Then use the following code:
```
var AWS = require("aws-sdk");
AWS.config.loadFromPath('./config.json');
```
**Note**
Loading configuration data from a JSON document resets all existing configuration data. Add additional configuration data after using this technique. Loading credentials from a JSON document is not supported in browser scripts.
# Loading Credentials in Node.js using a Configured Credential Process
You can source credentials by using a method that isn't built into the SDK. To do this, specify a credential process in the shared AWS config file or the shared credentials file. If the `AWS_SDK_LOAD_CONFIG` environment variable is set to any value, the SDK will prefer the process specified in the config file over the process specified in the credentials file (if any).
For details about specifying a credential process in the shared AWS config file or the shared credentials file, see the *AWS CLI Command Reference*, specifically the information about [Sourcing Credentials From External Processes](https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes).
For information about using the `AWS_SDK_LOAD_CONFIG` environment variable, see [Using a Shared Config File](setting-region.md#setting-region-config-file) in this document.