# AWS SDKs and tools settings reference
SDKs provide language-specific APIs for AWS services. They take care of some of the heavy lifting necessary in successfully making API calls, including authentication, retry behavior, and more. To do this, the SDKs have flexible strategies to obtain credentials to use for your requests, to maintain settings to use with each service, and to obtain values to use for global settings.
You can find detailed information about configuration settings in the following sections:
+ [AWS SDKs and Tools standardized credential providers](standardized-credentials.md) – Common credential providers standardized across multiple SDKs.
+ [AWS SDKs and Tools standardized features](standardized-features.md) – Common features standardized across multiple SDKs.
## Creating service clients
To programmatically access AWS services, SDKs use a client class/object for each AWS service. For example, if your application needs to access Amazon EC2, your application creates an Amazon EC2 client object to interface with that service. You then use the service client to make requests to that AWS service. In most SDKs, a service client object is immutable, so you must create a new client for each service to which you make requests and for making requests to the same service using a different configuration.
## Precedence of settings
Global settings configure features, credential providers, and other functionality that are supported by most SDKs and have a broad impact across AWS services. All SDKs have a series of places (or sources) that they check in order to find a value for global settings. The following is the setting lookup precedence:
1. Any explicit setting set in the code or on a service client itself takes precedence over anything else.
+ Some settings can be set on a per-operation basis, and can be changed as needed for each operation that you invoke. For the AWS CLI or AWS Tools for PowerShell, these take the form of per-operation parameters that you enter on the command line. For an SDK, explicit assignments can take the form of a parameter that you set when you instantiate an AWS service client or configuration object, or sometimes when you call an individual API.
1. Java/Kotlin only: The JVM system property for the setting is checked. If it's set, that value is used to configure the client.
1. The environment variable is checked. If it's set, that value is used to configure the client.
1. The SDK checks the shared `credentials` file for the setting. If it's set, the client uses it.
1. The shared `config` file for the setting. If the setting is present, the SDK uses it.
+ The `AWS_PROFILE` environment variable or the `aws.profile` JVM system property can be used to specify which profile that the SDK loads.
1. Any default value provided by the SDK source code itself is used last.
**Note**
Some SDKs and tools might check in a different order. Also, some SDKs and tools support other methods of storing and retrieving parameters. For example, the AWS SDK for .NET supports an additional source called the [SDK Store](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/sdk-store.html). For more information about providers that are unique to a SDK or tool, see the specific guide for the SDK or tool that you are using.
The order determines which methods take precedence and override others. For example, if you set up a profile in the shared `config` file, it's only found and used after the SDK or tool checks the other places first. This means that if you put a setting in the `credentials` file, it is used instead of one found in the `config` file. If you configure an environment variable with a setting and value, it would override that setting in both the `credentials` and `config` files. And finally, a setting on the individual operation (AWS CLI command-line parameter or API parameter) or in code would override all other values for that one command.
## Understanding the settings pages of this guide
The pages within the **Settings reference** section of this guide detail the available settings that can be set through various mechanisms. The tables that follow list the config and credential file settings, environment variables, and (for Java and Kotlin SDKs) the JVM settings that can be used outside of your code to configure the feature. Each linked topic in each list takes you to the corresponding settings page.
+ [`Config` file settings list](#ConfigFileSettings)
+ [`Credentials` file settings list](#CredFileSettings)
+ [Environment variables list](#EVarSettings)
+ [JVM system properties list](#JVMSettings)
Each credential provider or feature has a page where the settings that are used to configure that functionality are listed. For each setting, you can often set the value either by adding the setting to a configuration file, or by setting an environment variable, or (for Java and Kotlin only) by setting a JVM system property. Each setting lists all supported methods of setting the value in a block above the details of the description. Although the [precedence](#precedenceOfSettings) varies, the resulting functionality is the same regardless of how you set it.
The description will include the default value, if any, that takes effect if you do nothing. It also defines what a valid value is for that setting.
For example, let's look at a setting from the [Request compression](feature-compression.md) feature page.
The `disable_request_compression` example setting's information documents the following:
+ There are three equivalent ways to control request compression outside of your codebase. You can either:
+ Set it in your config file using `disable_request_compression`
+ Set it as an environment variable using `AWS_DISABLE_REQUEST_COMPRESSION`
+ Or, if you are using the Java or Kotlin SDK, set it as a JVM system property using `aws.disableRequestCompression`
**Note**
There might also be a way to configure the same functionality directly in your code, but this Reference does not cover this since it is unique to each SDK. If you want to set your configuration in the code itself, see your specific SDK guide or API reference.
+ If you do nothing, the value will default to `false`.
+ The only valid values for this Boolean setting are `true` and `false`.
At the bottom of each feature page there is a **Support by AWS SDKs and tools** table.
This table shows whether your SDK supports the settings that are listed on the page. The `Supported` column indicates the support level with the following values:
+ `Yes` – The settings are fully supported by the SDK as written.
+ `Partial` – Some of the settings are supported or the behavior deviates from the description. For `Partial`, an additional note indicates the deviation.
+ `No` – None of the settings are supported. This doesn't make claims as to whether the same functionality might be achieved in code; it only indicates that the listed external configuration settings are not supported.
## `Config` file settings list
The settings listed in the following table can be assigned in the shared AWS `config` file. They are global and affect all AWS services. SDKs and tools may also support unique settings and environment variables. To see the settings and environment variables supported by only an individual SDK or tool, see that specific SDK or tool guide.
| Setting name | Details |
| --- | --- |
| account\$1id\$1endpoint\$1mode | [Account-based endpoints](feature-account-endpoints.md) |
| api\$1versions | [General configuration settings](feature-gen-config.md) |
| auth\$1scheme\$1preference | [Authentication scheme](feature-auth-scheme.md) |
| aws\$1access\$1key\$1id | [AWS access keys](feature-static-credentials.md) |
| aws\$1account\$1id | [Account-based endpoints](feature-account-endpoints.md) |
| aws\$1secret\$1access\$1key | [AWS access keys](feature-static-credentials.md) |
| aws\$1session\$1token | [AWS access keys](feature-static-credentials.md) |
| ca\$1bundle | [General configuration settings](feature-gen-config.md) |
| credential\$1process | [Process credential provider](feature-process-credentials.md) |
| credential\$1source | [Assume role credential provider](feature-assume-role-credentials.md) |
| defaults\$1mode | [Smart configuration defaults](feature-smart-config-defaults.md) |
| disable\$1host\$1prefix\$1injection | [Host prefix injection](feature-host-prefix.md) |
| disable\$1request\$1compression | [Request compression](feature-compression.md) |
| duration\$1seconds | [Assume role credential provider](feature-assume-role-credentials.md) |
| ec2\$1metadata\$1service\$1endpoint | [IMDS credential provider](feature-imds-credentials.md) |
| ec2\$1metadata\$1service\$1endpoint\$1mode | [IMDS credential provider](feature-imds-credentials.md) |
| ec2\$1metadata\$1v1\$1disabled | [IMDS credential provider](feature-imds-credentials.md) |
| endpoint\$1discovery\$1enabled | [Endpoint discovery](feature-endpoint-discovery.md) |
| endpoint\$1url | [Service-specific endpoints](feature-ss-endpoints.md) |
| external\$1id | [Assume role credential provider](feature-assume-role-credentials.md) |
| ignore\$1configured\$1endpoint\$1urls | [Service-specific endpoints](feature-ss-endpoints.md) |
| max\$1attempts | [Retry behavior](feature-retry-behavior.md) |
| metadata\$1service\$1num\$1attempts | [Amazon EC2 instance metadata](feature-ec2-instance-metadata.md) |
| metadata\$1service\$1timeout | [Amazon EC2 instance metadata](feature-ec2-instance-metadata.md) |
| mfa\$1serial | [Assume role credential provider](feature-assume-role-credentials.md) |
| output | [General configuration settings](feature-gen-config.md) |
| parameter\$1validation | [General configuration settings](feature-gen-config.md) |
| region | [AWS Region](feature-region.md) |
| request\$1checksum\$1calculation | [Data Integrity Protections for Amazon S3](feature-dataintegrity.md) |
| request\$1min\$1compression\$1size\$1bytes | [Request compression](feature-compression.md) |
| response\$1checksum\$1validation | [Data Integrity Protections for Amazon S3](feature-dataintegrity.md) |
| retry\$1mode | [Retry behavior](feature-retry-behavior.md) |
| role\$1arn | [Assume role credential provider](feature-assume-role-credentials.md) |
| role\$1session\$1name | [Assume role credential provider](feature-assume-role-credentials.md) |
| s3\$1disable\$1express\$1session\$1auth | [S3 Express One Zone session authentication](feature-s3-express.md) |
| s3\$1disable\$1multiregion\$1access\$1points | [Amazon S3 Multi-Region Access Points](feature-s3-mrap.md) |
| s3\$1use\$1arn\$1region | [Amazon S3 access points](feature-s3-access-point.md) |
| sdk\$1ua\$1app\$1id | [Application ID](feature-appid.md) |
| sigv4a\$1signing\$1region\$1set | [Authentication scheme](feature-auth-scheme.md) |
| source\$1profile | [Assume role credential provider](feature-assume-role-credentials.md) |
| sso\$1account\$1id | [IAM Identity Center credential provider](feature-sso-credentials.md) |
| sso\$1region | [IAM Identity Center credential provider](feature-sso-credentials.md) |
| sso\$1registration\$1scopes | [IAM Identity Center credential provider](feature-sso-credentials.md) |
| sso\$1role\$1name | [IAM Identity Center credential provider](feature-sso-credentials.md) |
| sso\$1start\$1url | [IAM Identity Center credential provider](feature-sso-credentials.md) |
| sts\$1regional\$1endpoints | [AWS STS Regional endpoints](feature-sts-regionalized-endpoints.md) |
| use\$1dualstack\$1endpoint | [Dual-stack and FIPS endpoints](feature-endpoints.md) |
| use\$1fips\$1endpoint | [Dual-stack and FIPS endpoints](feature-endpoints.md) |
| web\$1identity\$1token\$1file | [Assume role credential provider](feature-assume-role-credentials.md) |
## `Credentials` file settings list
The settings listed in the following table can be assigned in the shared AWS `credentials` file. They are global and affect all AWS services. SDKs and tools may also support unique settings and environment variables. To see the settings and environment variables supported by only an individual SDK or tool, see that specific SDK or tool guide.
| Setting name | Details |
| --- | --- |
| aws\$1access\$1key\$1id | [AWS access keys](feature-static-credentials.md) |
| aws\$1secret\$1access\$1key | [AWS access keys](feature-static-credentials.md) |
| aws\$1session\$1token | [AWS access keys](feature-static-credentials.md) |
## Environment variables list
Environment variables supported by most SDKs are listed in the following table. They are global and affect all AWS services. SDKs and tools may also support unique settings and environment variables. To see the settings and environment variables supported by only an individual SDK or tool, see that specific SDK or tool guide.
| Setting name | Details |
| --- | --- |
| AWS\$1ACCESS\$1KEY\$1ID | [AWS access keys](feature-static-credentials.md) |
| AWS\$1ACCOUNT\$1ID | [Account-based endpoints](feature-account-endpoints.md) |
| AWS\$1ACCOUNT\$1ID\$1ENDPOINT\$1MODE | [Account-based endpoints](feature-account-endpoints.md) |
| AWS\$1AUTH\$1SCHEME\$1PREFERENCE | [Authentication scheme](feature-auth-scheme.md) |
| AWS\$1CA\$1BUNDLE | [General configuration settings](feature-gen-config.md) |
| AWS\$1CONFIG\$1FILE | [Finding and changing the location of the shared `config` and `credentials` files of AWS SDKs and tools](file-location.md) |
| AWS\$1CONTAINER\$1AUTHORIZATION\$1TOKEN | [Container credential provider](feature-container-credentials.md) |
| AWS\$1CONTAINER\$1AUTHORIZATION\$1TOKEN\$1FILE | [Container credential provider](feature-container-credentials.md) |
| AWS\$1CONTAINER\$1CREDENTIALS\$1FULL\$1URI | [Container credential provider](feature-container-credentials.md) |
| AWS\$1CONTAINER\$1CREDENTIALS\$1RELATIVE\$1URI | [Container credential provider](feature-container-credentials.md) |
| AWS\$1DEFAULTS\$1MODE | [Smart configuration defaults](feature-smart-config-defaults.md) |
| AWS\$1DISABLE\$1HOST\$1PREFIX\$1INJECTION | [Host prefix injection](feature-host-prefix.md) |
| AWS\$1DISABLE\$1REQUEST\$1COMPRESSION | [Request compression](feature-compression.md) |
| AWS\$1EC2\$1METADATA\$1DISABLED | [IMDS credential provider](feature-imds-credentials.md) |
| AWS\$1EC2\$1METADATA\$1SERVICE\$1ENDPOINT | [IMDS credential provider](feature-imds-credentials.md) |
| AWS\$1EC2\$1METADATA\$1SERVICE\$1ENDPOINT\$1MODE | [IMDS credential provider](feature-imds-credentials.md) |
| AWS\$1EC2\$1METADATA\$1V1\$1DISABLED | [IMDS credential provider](feature-imds-credentials.md) |
| AWS\$1ENABLE\$1ENDPOINT\$1DISCOVERY | [Endpoint discovery](feature-endpoint-discovery.md) |
| AWS\$1ENDPOINT\$1URL | [Service-specific endpoints](feature-ss-endpoints.md) |
| AWS\$1ENDPOINT\$1URL\$1 | [Service-specific endpoints](feature-ss-endpoints.md) |
| AWS\$1IGNORE\$1CONFIGURED\$1ENDPOINT\$1URLS | [Service-specific endpoints](feature-ss-endpoints.md) |
| AWS\$1MAX\$1ATTEMPTS | [Retry behavior](feature-retry-behavior.md) |
| AWS\$1METADATA\$1SERVICE\$1NUM\$1ATTEMPTS | [Amazon EC2 instance metadata](feature-ec2-instance-metadata.md) |
| AWS\$1METADATA\$1SERVICE\$1TIMEOUT | [Amazon EC2 instance metadata](feature-ec2-instance-metadata.md) |
| AWS\$1PROFILE | [Using shared `config` and `credentials` files to globally configure AWS SDKs and tools](file-format.md) |
| AWS\$1REGION | [AWS Region](feature-region.md) |
| AWS\$1REQUEST\$1CHECKSUM\$1CALCULATION | [Data Integrity Protections for Amazon S3](feature-dataintegrity.md) |
| AWS\$1REQUEST\$1MIN\$1COMPRESSION\$1SIZE\$1BYTES | [Request compression](feature-compression.md) |
| AWS\$1RESPONSE\$1CHECKSUM\$1VALIDATION | [Data Integrity Protections for Amazon S3](feature-dataintegrity.md) |
| AWS\$1RETRY\$1MODE | [Retry behavior](feature-retry-behavior.md) |
| AWS\$1ROLE\$1ARN | [Assume role credential provider](feature-assume-role-credentials.md) |
| AWS\$1ROLE\$1SESSION\$1NAME | [Assume role credential provider](feature-assume-role-credentials.md) |
| AWS\$1S3\$1DISABLE\$1EXPRESS\$1SESSION\$1AUTH | [S3 Express One Zone session authentication](feature-s3-express.md) |
| AWS\$1S3\$1DISABLE\$1MULTIREGION\$1ACCESS\$1POINTS | [Amazon S3 Multi-Region Access Points](feature-s3-mrap.md) |
| AWS\$1S3\$1USE\$1ARN\$1REGION | [Amazon S3 access points](feature-s3-access-point.md) |
| AWS\$1SDK\$1UA\$1APP\$1ID | [Application ID](feature-appid.md) |
| AWS\$1SECRET\$1ACCESS\$1KEY | [AWS access keys](feature-static-credentials.md) |
| AWS\$1SESSION\$1TOKEN | [AWS access keys](feature-static-credentials.md) |
| AWS\$1SHARED\$1CREDENTIALS\$1FILE | [Finding and changing the location of the shared `config` and `credentials` files of AWS SDKs and tools](file-location.md) |
| AWS\$1SIGV4A\$1SIGNING\$1REGION\$1SET | [Authentication scheme](feature-auth-scheme.md) |
| AWS\$1STS\$1REGIONAL\$1ENDPOINTS | [AWS STS Regional endpoints](feature-sts-regionalized-endpoints.md) |
| AWS\$1USE\$1DUALSTACK\$1ENDPOINT | [Dual-stack and FIPS endpoints](feature-endpoints.md) |
| AWS\$1USE\$1FIPS\$1ENDPOINT | [Dual-stack and FIPS endpoints](feature-endpoints.md) |
| AWS\$1WEB\$1IDENTITY\$1TOKEN\$1FILE | [Assume role credential provider](feature-assume-role-credentials.md) |
## JVM system properties list
You can use the following JVM system properties for the AWS SDK for Java and the AWS SDK for Kotlin (targeting the JVM). See [How to set JVM system properties](jvm-system-properties.md#jvm-sys-props-set) for instructions on how to set JVM system properties.
| Setting name | Details |
| --- | --- |
| aws.accessKeyId | [AWS access keys](feature-static-credentials.md) |
| aws.accountId | [Account-based endpoints](feature-account-endpoints.md) |
| aws.accountIdEndpointMode | [Account-based endpoints](feature-account-endpoints.md) |
| aws.authSchemePreference | [Authentication scheme](feature-auth-scheme.md) |
| aws.configFile | [Finding and changing the location of the shared `config` and `credentials` files of AWS SDKs and tools](file-location.md) |
| aws.defaultsMode | [Smart configuration defaults](feature-smart-config-defaults.md) |
| aws.disableEc2MetadataV1 | [IMDS credential provider](feature-imds-credentials.md) |
| aws.disableHostPrefixInjection | [Host prefix injection](feature-host-prefix.md) |
| aws.disableRequestCompression | [Request compression](feature-compression.md) |
| aws.disableS3ExpressAuth | [S3 Express One Zone session authentication](feature-s3-express.md) |
| aws.ec2MetadataServiceEndpoint | [IMDS credential provider](feature-imds-credentials.md) |
| aws.ec2MetadataServiceEndpointMode | [IMDS credential provider](feature-imds-credentials.md) |
| aws.endpointDiscoveryEnabled | [Endpoint discovery](feature-endpoint-discovery.md) |
| aws.endpointUrl | [Service-specific endpoints](feature-ss-endpoints.md) |
| aws.endpointUrl | [Service-specific endpoints](feature-ss-endpoints.md) |
| aws.ignoreConfiguredEndpointUrls | [Service-specific endpoints](feature-ss-endpoints.md) |
| aws.maxAttempts | [Retry behavior](feature-retry-behavior.md) |
| aws.profile | [Using shared `config` and `credentials` files to globally configure AWS SDKs and tools](file-format.md) |
| aws.region | [AWS Region](feature-region.md) |
| aws.requestChecksumCalculation | [Data Integrity Protections for Amazon S3](feature-dataintegrity.md) |
| aws.requestMinCompressionSizeBytes | [Request compression](feature-compression.md) |
| aws.responseChecksumValidation | [Data Integrity Protections for Amazon S3](feature-dataintegrity.md) |
| aws.retryMode | [Retry behavior](feature-retry-behavior.md) |
| aws.roleArn | [Assume role credential provider](feature-assume-role-credentials.md) |
| aws.roleSessionName | [Assume role credential provider](feature-assume-role-credentials.md) |
| aws.s3DisableMultiRegionAccessPoints | [Amazon S3 Multi-Region Access Points](feature-s3-mrap.md) |
| aws.s3UseArnRegion | [Amazon S3 access points](feature-s3-access-point.md) |
| aws.secretAccessKey | [AWS access keys](feature-static-credentials.md) |
| aws.sessionToken | [AWS access keys](feature-static-credentials.md) |
| aws.sharedCredentialsFile | [Finding and changing the location of the shared `config` and `credentials` files of AWS SDKs and tools](file-location.md) |
| aws.useDualstackEndpoint | [Dual-stack and FIPS endpoints](feature-endpoints.md) |
| aws.useFipsEndpoint | [Dual-stack and FIPS endpoints](feature-endpoints.md) |
| aws.webIdentityTokenFile | [Assume role credential provider](feature-assume-role-credentials.md) |
| sdk.ua.appId | [Application ID](feature-appid.md) |
# AWS SDKs and Tools standardized credential providers
Many credential providers have been standardized to consistent defaults and to work the same way across many SDKs. This consistency increases productivity and clarity when coding across multiple SDKs. All settings can be overridden in code. For details, see your specific SDK API.
**Important**
Not all SDKs support all providers, or even all aspects within a provider.
**Topics**
+ [
## Understand the credential provider chain
](#credentialProviderChain)
+ [
## SDK-specific and tool-specific credential provider chains
](#sdk-chains)
+ [AWS access keys](feature-static-credentials.md)
+ [Login provider](feature-login-credentials.md)
+ [Assume role provider](feature-assume-role-credentials.md)
+ [Container provider](feature-container-credentials.md)
+ [IAM Identity Center provider](feature-sso-credentials.md)
+ [IMDS provider](feature-imds-credentials.md)
+ [Process provider](feature-process-credentials.md)
## Understand the credential provider chain
All SDKs have a series of places (or sources) that they check in order to find valid credentials to use to make a request to an AWS service. After valid credentials are found, the search is stopped. This systematic search is called the credential provider chain.
When using one of the standardized credential providers, the AWS SDKs always attempt to renew credentials automatically when they expire. The built-in credential provider chain provides your application with the ability to refresh your credentials regardless of which provider you are using in the chain. No additional code is required for the SDK to do this.
Although the distinct chain used by each SDK varies, they most often include sources such as the following:
| Credential provider | Description |
| --- | --- |
| [AWS access keys](feature-static-credentials.md) | AWS access keys for an IAM user (such as AWS\$1ACCESS\$1KEY\$1ID, and AWS\$1SECRET\$1ACCESS\$1KEY). |
| [Federate with web identity or OpenID Connect](access-assume-role-web.md#webidentity) - Assume role credential provider | Sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. Assume the permissions of an IAM role using a JSON Web Token (JWT) from AWS Security Token Service (AWS STS). |
| [Login credentials provider](feature-login-credentials.md) | Get credentials for a new or existing console session that you are logged in to. |
| [IAM Identity Center credential provider](feature-sso-credentials.md) | Get credentials from AWS IAM Identity Center. |
| [Assume role credential provider](feature-assume-role-credentials.md) | Get access to other resources by assuming the permissions of an IAM role. (Retrieve and then use temporary credentials for a role). |
| [Container credential provider](feature-container-credentials.md) | Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS) credentials. The container credential provider fetches credentials for the customer's containerized application. |
| [Process credential provider](feature-process-credentials.md) | Custom credential provider. Get your credentials from an external source or process, including IAM Roles Anywhere. |
| [IMDS credential provider](feature-imds-credentials.md) | Amazon Elastic Compute Cloud (Amazon EC2) instance profile credentials. Associate an IAM role with each of your EC2 instances. Temporary credentials for that role are made available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. |
For each step in the chain, there are multiple ways to assign setting values. Setting values that are specified in code always take precedence. However, there are also [Environment variables](environment-variables.md) and the [Using shared `config` and `credentials` files to globally configure AWS SDKs and tools](file-format.md). For more information, see [Precedence of settings](settings-reference.md#precedenceOfSettings).
## SDK-specific and tool-specific credential provider chains
To go directly to your SDK's or tool's **specific** credential provider chain details, choose your SDK or tool from the following:
+ [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html)
+ [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/credproviders.html)
+ [SDK for Go](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html)
+ [SDK for Java](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html)
+ [SDK for JavaScript](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/setting-credentials-node.html#credchain)
+ [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/credential-providers.html)
+ [SDK for .NET](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/creds-assign.html)
+ [SDK for PHP](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/guide_credentials.html)
+ [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html)
+ [SDK for Ruby](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/setup-config.html)
+ [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/credproviders.html)
+ [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/using-configuration.html)
+ [Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/creds-assign.html)
# AWS access keys
**Warning**
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).
AWS access keys for an IAM user can be used as your AWS credentials. The AWS SDK automatically uses these AWS credentials to sign API requests to AWS, so that your workloads can access your AWS resources and data securely and conveniently. It is recommended to always use the `aws_session_token` so that the credentials are temporary and no longer valid after they expire. Using long-term credentials is not recommended.
**Note**
If AWS becomes unable to refresh these temporary credentials, AWS may extend the validity of the credentials so that your workloads are not impacted.
The shared AWS `credentials` file is the recommended location for storing credentials information because it is safely outside of application source directories and separate from the SDK-specific settings of the shared `config` file.
To learn more about AWS credentials and using access keys, see [AWS security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html) and [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) in the *IAM User Guide*.
Configure this functionality by using the following:
**`aws_access_key_id` - shared AWS `config` file setting`aws_access_key_id` - shared AWS `credentials` file setting *(recommended method)*`AWS_ACCESS_KEY_ID` - environment variable`aws.accessKeyId` - JVM system property: Java/Kotlin only**
Specifies the AWS access key used as part of the credentials to authenticate the user.
**`aws_secret_access_key` - shared AWS `config` file setting`aws_secret_access_key` - shared AWS `credentials` file setting *(recommended method)*`AWS_SECRET_ACCESS_KEY` - environment variable`aws.secretAccessKey` - JVM system property: Java/Kotlin only**
Specifies the AWS secret key used as part of the credentials to authenticate the user.
**`aws_session_token` - shared AWS `config` file setting`aws_session_token` - shared AWS `credentials` file setting *(recommended method)*`AWS_SESSION_TOKEN` - environment variable`aws.sessionToken` - JVM system property: Java/Kotlin only**
Specifies an AWS session token used as part of the credentials to authenticate the user. You receive this value as part of the temporary credentials returned by successful requests to assume a role. A session token is required only if you manually specify temporary security credentials. However, we recommend you always use temporary security credentials instead of long-term credentials. For security recommendations, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).
For instructions on how to obtain these values, see [Using short-term credentials to authenticate AWS SDKs and toolsShort-term credentials](access-temp-idc.md).
Example of setting these required values in the `config` or `credentials` file:
```
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
```
Linux/macOS example of setting environment variables via command line:
```
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
```
Windows example of setting environment variables via command line:
```
setx AWS_ACCESS_KEY_ID AKIAIOSFODNN7EXAMPLE
setx AWS_SECRET_ACCESS_KEY wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
setx AWS_SESSION_TOKEN AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
```
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | shared config file not supported. |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | Environment variables not supported. |
# Login credentials provider
You can [use your existing AWS Management Console sign-in credentials](https://docs.amazon.aws.com/sdkref/latest/guide/access-login.html) to acquire short-term credentials that can be used for programmatic access. After you complete the browser-based authentication flow, AWS generates temporary credentials that work across local development tools like the AWS CLI, AWS Tools for PowerShell and AWS SDKs.
To generate these credentials, run the `aws login` command in the AWS CLI, or the `Invoke-AWSLogin` cmdlet in AWS Tools for PowerShell. The resulting short-term credentials will be cached locally, where they can be reused by the AWS SDKs. The short-term credentials expire in 15 minutes, but the CLI and SDKs will automatically refresh them as needed up to 12 hours. When the refresh token expires, you'll be prompted to log in again via the CLI or PowerShell.
The login command will update the profile you specify with the `login_session` setting, which stores the identity of the management console session that you selected during the login workflow.
```
[profile console]
login_session = arn:aws:iam::0123456789012:user/username
region = us-west-2
```
By default, the short-term credentials and refresh token are stored in a JSON file in the `~/.aws/login/cache` directory on Linux and macOS, or `%USERPROFILE%\.aws\login\cache` on Windows. The filename is based on the login session name. You can override the directory by setting the `AWS_LOGIN_CACHE_DIRECTORY` environment variable.
## Login Provider Settings
Configure this functionality by using the following:
**`AWS_LOGIN_CACHE_DIRECTORY` - environment variable**
Alternative directory where the CLI and SDKs will store the cached credentials that map to a login session profile.
Default value: `~/.aws/login/cache` on Linux and macOS, or `%USERPROFILE%\.aws\login\cache` on Windows.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | No | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | Requires CRT |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | No | |
# Assume role credential provider
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
Assuming a role involves using a set of temporary security credentials to access AWS resources that you might not have access to otherwise. These temporary credentials consist of an access key ID, a secret access key, and a security token.
To set up your SDK or tool to assume a role, you must first create or identify a specific *role* to assume. IAM roles are uniquely identified by a role Amazon Resource Name ([ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html)). Roles establish trust relationships with another entity. The trusted entity that uses the role might be an AWS service, another AWS account, a web identity provider or OIDC, or SAML federation.
After the IAM role is identified, if you are trusted by that role, you can configure your SDK or tool to use the permissions that are granted by the role. To do this, use the following settings.
For guidance on getting started using these settings, see [Assuming a role with AWS credentials to authenticate AWS SDKs and tools](access-assume-role.md) in this guide.
## Assume role credential provider settings
Configure this functionality by using the following:
**`credential_source` - shared AWS `config` file setting**
Used within Amazon EC2 instances or Amazon Elastic Container Service containers to specify where the SDK or tool can find credentials that have permission to assume the role that you specify with the `role_arn` parameter.
**Default value:** None
**Valid values:**
+ **Environment** – Specifies that the SDK or tool is to retrieve source credentials from the environment variables [`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`](feature-static-credentials.md).
+ **Ec2InstanceMetadata** – Specifies that the SDK or tool is to use the [IAM role attached to the EC2 instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) to get source credentials.
+ **EcsContainer** – Specifies that the SDK or tool is to use the [IAM role attached to the Amazon ECS container](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html) or the [IAM role attached to the Amazon EKS container](https://docs.aws.amazon.com/eks/latest/userguide/security-iam-service-with-iam.html) to get source credentials.
You cannot specify both `credential_source` and `source_profile` in the same profile.
Example of setting this in a `config` file to indicate that credentials should be sourced from Amazon EC2:
```
credential_source = Ec2InstanceMetadata
role_arn = arn:aws:iam::123456789012:role/my-role-name
```
**`duration_seconds` - shared AWS `config` file setting**
Specifies the maximum duration of the role session, in seconds.
This setting applies only when the profile specifies to assume a role.
**Default value:** 3600 seconds (one hour)
**Valid values:** The value can range from 900 seconds (15 minutes) up to the maximum session duration setting configured for the role (which can be a maximum of 43200 seconds, or 12 hours). For more information, see [View the Maximum Session Duration Setting for a Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) in the *IAM User Guide*.
Example of setting this in a `config` file:
```
duration_seconds = 43200
```
**`external_id` - shared AWS `config` file setting**
Specifies a unique identifier that is used by third parties to assume a role in their customers' accounts.
This setting applies only when the profile specifies to assume a role and the trust policy for the role requires a value for `ExternalId`. The value maps to the `ExternalId` parameter that is passed to the `AssumeRole` operation when the profile specifies a role.
**Default value:** None.
**Valid values:** See [How to use an External ID When Granting Access to Your AWS Resources to a Third Party](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) in the *IAM User Guide*.
Example of setting this in a `config` file:
```
external_id = unique_value_assigned_by_3rd_party
```
**`mfa_serial` - shared AWS `config` file setting**
Specifies the identification or serial number of a multi-factor authentication (MFA) device that the user must use when assuming a role.
Required when assuming a role where the trust policy for that role includes a condition that requires MFA authentication. For more information about MFA, see [AWS Multi-factor authentication in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *IAM User Guide*.
**Default value:** None.
**Valid values:** The value can be either a serial number for a hardware device (such as `GAHT12345678`), or an Amazon Resource Name (ARN) for a virtual MFA device. The format of the ARN is: `arn:aws:iam::account-id:mfa/mfa-device-name`
Example of setting this in a `config` file:
This example assumes a virtual MFA device, called `MyMFADevice`, that has been created for the account and enabled for a user.
```
mfa_serial = arn:aws:iam::123456789012:mfa/MyMFADevice
```
**`role_arn` - shared AWS `config` file setting`AWS_ROLE_ARN` - environment variable`aws.roleArn` - JVM system property: Java/Kotlin only**
Specifies the Amazon Resource Name (ARN) of an IAM role that you want to use to perform operations requested using this profile.
**Default value:** None.
**Valid values:** The value must be the ARN of an IAM role, formatted as follows: `arn:aws:iam::account-id:role/role-name`
In addition, you must also specify **one** of the following settings:
+ `source_profile` – To identify another profile to use to find credentials that have permission to assume the role in this profile.
+ `credential_source` – To use either credentials identified by the current environment variables or credentials attached to an Amazon EC2 instance profile, or an Amazon ECS container instance.
+ `web_identity_token_file` – To use public identity providers or any OpenID Connect (OIDC)-compatible identity provider for users who have been authenticated in a mobile or web application.
**`role_session_name` - shared AWS `config` file setting`AWS_ROLE_SESSION_NAME` - environment variable`aws.roleSessionName` - JVM system property: Java/Kotlin only**
Specifies the name to attach to the role session. This name appears in AWS CloudTrail logs for entries associated with this session, which can be useful when auditing. For details, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide*.
**Default value:** An optional parameter. If you don't provide this value, a session name is generated automatically if the profile assumes a role.
**Valid values:** Provided to the `RoleSessionName` parameter when the AWS CLI or AWS API calls the `AssumeRole` operation (or operations such as the `AssumeRoleWithWebIdentity` operation) on your behalf. The value becomes part of the assumed role user Amazon Resource Name (ARN) that you can query, and shows up as part of the CloudTrail log entries for operations invoked by this profile.
`arn:aws:sts::123456789012:assumed-role/my-role-name/my-role_session_name`.
Example of setting this in a `config` file:
```
role_session_name = my-role-session-name
```
**`source_profile` - shared AWS `config` file setting**
Specifies another profile whose credentials are used to assume the role specified by the `role_arn` setting in the original profile. To understand how profiles are used in the shared AWS `config` and `credentials` files, see [Shared `config` and `credentials` files](file-format.md).
If you specify a profile that is also an assume role profile, each role will be assumed in sequential order to fully resolve the credentials. This chain is stopped when the SDK encounters a profile with credentials. Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour and can't be increased. For more information, see [Roles terms and concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) in the *IAM User Guide*.
**Default value:** None.
**Valid values:** A text string that consists of the name of a profile defined in the `config` and `credentials` files. You must also specify a value for `role_arn` in the current profile.
You cannot specify both `credential_source` and `source_profile` in the same profile.
Example of setting this in a config file:
```
[profile A]
source_profile = B
role_arn = arn:aws:iam::123456789012:role/RoleA
role_session_name = ProfileARoleSession
[profile B]
credential_process = ./aws_signing_helper credential-process --certificate /path/to/certificate --private-key /path/to/private-key --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID --role-arn arn:aws:iam::account:role/ROLE_ID
```
In the previous example, the `A` profile tells the SDK or tool to automatically look up the credentials for the linked `B` profile. In this case, the `B` profile uses the credential helper tool provided by [Using IAM Roles Anywhere to authenticate AWS SDKs and tools](access-rolesanywhere.md) to get credentials for the AWS SDK. Those temporary credentials are then used by your code to access AWS resources. The specified role must have attached IAM permissions policies that allow the requested code to run, such as the command, AWS service, or API method. Every action that is taken by profile `A` has the role session name included in CloudTrail logs.
For a second example of role chaining, the following configuration can be used if you have an application on an Amazon Elastic Compute Cloud instance, and you want to have that application assume another role.
```
[profile A]
source_profile = B
role_arn = arn:aws:iam::123456789012:role/RoleA
role_session_name = ProfileARoleSession
[profile B]
credential_source=Ec2InstanceMetadata
```
Profile `A` will use the credentials from the Amazon EC2 instance to assume the specified role and will renew the credentials automatically.
**`web_identity_token_file` - shared AWS `config` file setting`AWS_WEB_IDENTITY_TOKEN_FILE` - environment variable`aws.webIdentityTokenFile` - JVM system property: Java/Kotlin only**
Specifies the path to a file that contains an access token from a [supported OAuth 2.0 provider](https://wikipedia.org/wiki/List_of_OAuth_providers) or [OpenID Connect ID identity provider](https://openid.net/developers/certified/).
This setting enables authentication by using web identity federation providers, such as [Google](https://developers.google.com/identity/protocols/OAuth2), [Facebook](https://developers.facebook.com/docs/facebook-login/overview), and [Amazon](https://login.amazon.com/), among many others. The SDK or developer tool loads the contents of this file and passes it as the `WebIdentityToken` argument when it calls the `AssumeRoleWithWebIdentity` operation on your behalf.
**Default value:** None.
**Valid values:** This value must be a path and file name. The file must contain an OAuth 2.0 access token or an OpenID Connect token that was provided to you by an identity provider. Relative paths are treated as relative to the working directory of the process.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Partial | credential\$1source not supported. duration\$1seconds not supported. mfa\$1serial not supported. |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Partial | mfa\$1serial not supported. duration\$1seconds not supported. |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Partial | credential\$1source not supported. mfa\$1serial not supported. JVM system properties not supported. |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Partial | credential\$1source not supported. |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# Container credential provider
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
The container credential provider fetches credentials for customer's containerized application. This credential provider is useful for Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS) customers. SDKs attempt to load credentials from the specified HTTP endpoint through a GET request.
If you use Amazon ECS, we recommend you use a task IAM Role for improved credential isolation, authorization, and auditability. When configured, Amazon ECS sets the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variable that the SDKs and tools use to obtain credentials. To configure Amazon ECS for this functionality, see [Task IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide*.
If you use Amazon EKS, we recommend you use Amazon EKS Pod Identity for improved credential isolation, least privilege, auditability, independent operation, reusability, and scalability. Both your Pod and an IAM role are associated with a Kubernetes service account to manage credentials for your applications. To learn more on Amazon EKS Pod Identity, see [Amazon EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) in the **Amazon EKS User Guide**. When configured, Amazon EKS sets the `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` environment variables that the SDKs and tools use to obtain credentials. For setup information, see [Setting up the Amazon EKS Pod Identity Agent](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html) in the **Amazon EKS User Guide** or [Amazon EKS Pod Identity simplifies IAM permissions for applications on Amazon EKS clusters](https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/) at the AWS Blog website.
Configure this functionality by using the following:
**`AWS_CONTAINER_CREDENTIALS_FULL_URI` - environment variable**
Specifies the full HTTP URL endpoint for the SDK to use when making a request for credentials. This includes both the scheme and the host.
**Default value:** None.
**Valid values:** Valid URI.
*Note: This setting is an alternative to `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` and will only be used if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is not set. *
Linux/macOS example of setting environment variables via command line:
```
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost/get-credentials
```
or
```
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:8080/get-credentials
```
**`AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` - environment variable**
Specifies the relative HTTP URL endpoint for the SDK to use when making a request for credentials. The value is appended to the default Amazon ECS hostname of `169.254.170.2`.
**Default value:** None.
**Valid values:** Valid relative URI.
Linux/macOS example of setting environment variables via command line:
```
export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/get-credentials?a=1
```
**`AWS_CONTAINER_AUTHORIZATION_TOKEN` - environment variable**
Specifies an authorization token in plain text. If this variable is set, the SDK will set the Authorization header on the HTTP request with the environment variable's value.
**Default value:** None.
**Valid values:** String.
*Note: This setting is an alternative to `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` and will only be used if `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` is not set. *
Linux/macOS example of setting environment variables via command line:
```
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost/get-credential
export AWS_CONTAINER_AUTHORIZATION_TOKEN=Basic abcd
```
**`AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` - environment variable**
Specifies an absolute file path to a file that contains the authorization token in plain text.
**Default value:** None.
**Valid values:** String.
Linux/macOS example of setting environment variables via command line:
```
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost/get-credential
export AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE=/path/to/token
```
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, AWS\$1CONTAINER\$1CREDENTIALS\$1FULL\$1URI and AWS\$1CONTAINER\$1AUTHORIZATION\$1TOKEN are automatically used for authentication. |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, AWS\$1CONTAINER\$1CREDENTIALS\$1FULL\$1URI and AWS\$1CONTAINER\$1AUTHORIZATION\$1TOKEN are automatically used for authentication. |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, AWS\$1CONTAINER\$1CREDENTIALS\$1FULL\$1URI and AWS\$1CONTAINER\$1AUTHORIZATION\$1TOKEN are automatically used for authentication. |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, AWS\$1CONTAINER\$1CREDENTIALS\$1FULL\$1URI and AWS\$1CONTAINER\$1AUTHORIZATION\$1TOKEN are automatically used for authentication. |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, AWS\$1CONTAINER\$1CREDENTIALS\$1FULL\$1URI and AWS\$1CONTAINER\$1AUTHORIZATION\$1TOKEN are automatically used for authentication. |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# IAM Identity Center credential provider
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
This authentication mechanism uses AWS IAM Identity Center to get single sign-on (SSO) access to AWS services for your code.
**Note**
In the AWS SDK API documentation, the IAM Identity Center credential provider is called the SSO credential provider.
After you enable IAM Identity Center, you define a profile for its settings in your shared AWS `config` file. This profile is used to connect to the IAM Identity Center access portal. When a user successfully authenticates with IAM Identity Center, the portal returns short-term credentials for the IAM role associated with that user. To learn how the SDK gets temporary credentials from the configuration and uses them for AWS service requests, see [How IAM Identity Center authentication is resolved for AWS SDKs and tools](understanding-sso.md).
There are two ways to configure IAM Identity Center through the `config` file:
+ **(Recommended) SSO token provider configuration** – Extended session durations. Includes support for custom session durations.
+ **Legacy non-refreshable configuration** – Uses a fixed, eight-hour session.
In both configurations, you need to sign in again when your session expires.
The following two guides contain additional information about IAM Identity Center:
+ [AWS IAM Identity Center User Guide](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
+ [AWS IAM Identity Center Portal API Reference](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/Welcome.html)
For a deep dive on how the SDKs and tools use and refresh credentials using this configuration, see [How IAM Identity Center authentication is resolved for AWS SDKs and tools](understanding-sso.md).
## Prerequisites
You must first enable IAM Identity Center. For details about enabling IAM Identity Center authentication, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.
**Note**
Alternatively, for complete prerequisites **and** the necessary shared `config` file configuration that is detailed on this page, see the guided instructions for setting up [Using IAM Identity Center to authenticate AWS SDK and tools](access-sso.md).
## SSO token provider configuration
When you use the SSO token provider configuration, your AWS SDK or tool automatically refreshes your session up to your extended session period. For more information on session duration and maximum duration, see [Configure the session duration of the AWS access portal and IAM Identity Center integrated applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html) in the *AWS IAM Identity Center User Guide*.
The `sso-session` section of the `config` file is used to group configuration variables for acquiring SSO access tokens, which can then be used to acquire AWS credentials. For more details on this section within a `config` file, see [Format of the config file](file-format.md#file-format-config).
The following shared `config` file example configures the SDK or tool using a `dev` profile to request IAM Identity Center credentials.
```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```
The previous examples shows that you define an `sso-session` section and associate it to a profile. Typically, `sso_account_id` and `sso_role_name` must be set in the `profile` section so that the SDK can request AWS credentials. `sso_region`, `sso_start_url`, and `sso_registration_scopes` must be set within the `sso-session` section.
`sso_account_id` and `sso_role_name` aren't required for all scenarios of SSO token configuration. If your application only uses AWS services that support bearer authentication, then traditional AWS credentials are not needed. Bearer authentication is an HTTP authentication scheme that uses security tokens called bearer tokens. In this scenario, `sso_account_id` and `sso_role_name` aren't required. See the individual AWS service guide to determine if the service supports bearer token authorization.
Registration scopes are configured as part of an `sso-session`. Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account. The previous example sets `sso_registration_scopes` to provide necessary access for listing accounts and roles.
The following example shows how you can reuse the same `sso-session` configuration across multiple profiles.
```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole
[profile prod]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole2
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```
The authentication token is cached to disk under the `~/.aws/sso/cache` directory with a file name based on the session name.
## Legacy non-refreshable configuration
Automated token refresh isn't supported using the legacy non-refreshable configuration. We recommend using the [SSO token provider configuration](#sso-token-config) instead.
To use the legacy non-refreshable configuration, you must specify the following settings within your profile:
+ `sso_start_url`
+ `sso_region`
+ `sso_account_id`
+ `sso_role_name`
You specify the user portal for a profile with the `sso_start_url` and `sso_region` settings. You specify permissions with the `sso_account_id` and `sso_role_name` settings.
The following example sets the four required values in the `config` file.
```
[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111122223333
sso_role_name = SSOReadOnlyRole
```
The authentication token is cached to disk under the `~/.aws/sso/cache` directory with a file name based on the `sso_start_url`.
## IAM Identity Center credential provider settings
Configure this functionality by using the following:
**`sso_start_url` - shared AWS `config` file setting**
The URL that points to your organization's IAM Identity Center issuer URL or access portal URL. For more information, see [Using the AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html) in the *AWS IAM Identity Center User Guide*.
To find this value, open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon), view the **Dashboard**, find **AWS access portal URL**.
+ Alternatively, starting with version **2.22.0** of the AWS CLI, you can instead use the value for **AWS Issuer URL**.
**`sso_region` - shared AWS `config` file setting**
The AWS Region that contains your IAM Identity Center portal host; that is, the Region you selected before enabling IAM Identity Center. This is independent from your default AWS Region, and can be different.
For a complete list of the AWS Regions and their codes, see [Regional Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) in the *Amazon Web Services General Reference*. To find this value, open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon), view the **Dashboard**, and find **Region**.
**`sso_account_id` - shared AWS `config` file setting**
The numeric ID of the AWS account that was added through the AWS Organizations service to use for authentication.
To see the list of available accounts, go to the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon) and open the **AWS accounts** page. You can also see the list of available accounts using the [ListAccounts](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_ListAccounts.html) API method in the *AWS IAM Identity Center Portal API Reference*. For example, you can call the AWS CLI method [list-accounts](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/list-accounts.html).
**`sso_role_name` - shared AWS `config` file setting**
The name of a permission set provisioned as an IAM role that defines the user's resulting permissions. The role must exist in the AWS account specified by `sso_account_id`. Use the role name, not the role Amazon Resource Name (ARN).
Permission sets have IAM policies and custom permissions policies attached to them and define the level of access that users have to their assigned AWS accounts.
To see the list of available permission sets per AWS account, go to the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon) and open the **AWS accounts** page. Choose the correct permission set name listed in the AWS accounts table. You can also see the list of available permission sets using the [ListAccountRoles](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_ListAccountRoles.html) API method in the *AWS IAM Identity Center Portal API Reference*. For example, you can call the AWS CLI method [list-account-roles](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/list-account-roles.html).
**`sso_registration_scopes` - shared AWS `config` file setting**
A comma-delimited list of valid scope strings to be authorized for the `sso-session`. An application can request one or more scopes, and the access token issued to the application is limited to the scopes granted. A minimum scope of `sso:account:access` must be granted to get a refresh token back from the IAM Identity Center service. For the list of available access scope options, see [Access scopes](https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-oauth2.html#oidc-concept) in the *AWS IAM Identity Center User Guide*.
These scopes define the permissions requested to be authorized for the registered OIDC client and access tokens retrieved by the client. Scopes authorize access to IAM Identity Center bearer token authorized endpoints.
This setting doesn't apply to the legacy non-refreshable configuration. Tokens issued using the legacy configuration are limited to scope `sso:account:access` implicitly.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | Configuration values also supported in credentials file. |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Partial | Legacy non-refreshable configuration only. |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# IMDS credential provider
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
Instance Metadata Service (IMDS) provides data about your instance that you can use to configure or manage the running instance. For more information about the data available, see [Work with instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide*. Amazon EC2 provides a local endpoint available to instances that can provide various bits of information to the instance. If the instance has a role attached, it can provide a set of credentials that are valid for that role. The SDKs can use that endpoint to resolve credentials as part of their [default credential provider chain](standardized-credentials.md#credentialProviderChain). Instance Metadata Service Version 2 (IMDSv2), a more secure version of IMDS that uses a session token, is used by default. If that fails due to a non-retryable condition (HTTP error codes 403, 404, 405), IMDSv1 is used as a fallback.
Configure this functionality by using the following:
**`AWS_EC2_METADATA_DISABLED` - environment variable**
Whether or not to attempt to use Amazon EC2 Instance Metadata Service (IMDS) to obtain credentials.
**Default value:** `false`.
**Valid values:**
+ **`true`** – Do not use IMDS to obtain credentials.
+ **`false`** – Use IMDS to obtain credentials.
**`ec2_metadata_v1_disabled` - shared AWS `config` file setting`AWS_EC2_METADATA_V1_DISABLED` - environment variable`aws.disableEc2MetadataV1` - JVM system property: Java/Kotlin only**
Whether or not to use Instance Metadata Service Version 1 (IMDSv1) as a fallback if IMDSv2 fails.
New SDKs don't support IMDSv1 and, thus, don't support this setting. For details, see table [Support by AWS SDKs and tools](#feature-imds-credentials-sdk-compat).
**Default value:** `false`.
**Valid values:**
+ **`true`** – Do not use IMDSv1 as a fallback.
+ **`false`** – Use IMDSv1 as a fallback.
**`ec2_metadata_service_endpoint` - shared AWS `config` file setting`AWS_EC2_METADATA_SERVICE_ENDPOINT` - environment variable`aws.ec2MetadataServiceEndpoint` - JVM system property: Java/Kotlin only**
The endpoint of IMDS. This value overrides the default location that AWS SDKs and tools will search for Amazon EC2 instance metadata.
**Default value:** If `ec2_metadata_service_endpoint_mode` equals `IPv4`, then default endpoint is `http://169.254.169.254`. If `ec2_metadata_service_endpoint_mode` equals `IPv6`, then default endpoint is `http://[fd00:ec2::254]`.
**Valid values:** Valid URI.
**`ec2_metadata_service_endpoint_mode` - shared AWS `config` file setting`AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` - environment variable`aws.ec2MetadataServiceEndpointMode` - JVM system property: Java/Kotlin only**
The endpoint mode of IMDS.
**Default value:**`IPv4`.
**Valid values:** `IPv4`, `IPv6`.
**Note**
The IMDS credential provider is a part of the [Understand the credential provider chain](standardized-credentials.md#credentialProviderChain). However, the IMDS credential provider is only checked after several other providers that are in this series. Therefore, if you want your program use this provider's credentials, you must remove other valid credential providers from your configuration or use a different profile. Alternatively, instead of relying on the credential provider chain to automatically discover which provider returns valid credentials, specify the use of the IMDS credential provider in code. You can specify credential sources directly when you create service clients.
## Security for IMDS credentials
By default, when the AWS SDK is not configured with valid credentials the SDK will attempt to use the Amazon EC2 Instance Metadata Service (IMDS) to retrieve credentials for an AWS role. This behavior can be disabled by setting the `AWS_EC2_METADATA_DISABLED` environment variable to `true`. This prevents unnecessary network activity and enhances security on untrusted networks where the Amazon EC2 Instance Metadata Service may be impersonated.
**Note**
AWS SDK clients configured with valid credentials will never use IMDS to retrieve credentials, regardless of any of these settings.
### Disabling use of Amazon EC2 IMDS credentials
How you set this environment variable depends on what operating system is in use as well as whether or not you want the change to be persistent.
#### Linux and macOS
Customers using Linux or macOS can set this environment variable with the following command:
```
$ export AWS_EC2_METADATA_DISABLED=true
```
If you want this setting to be persistent across multiple shell sessions and system restarts, you can add the above command to your shell profile file, such as `.bash_profile`, `.zsh_profile`, or `.profile`.
#### Windows
Customers using Windows can set this environment variable with the following command:
```
$ set AWS_EC2_METADATA_DISABLED=true
```
If you want this setting to be persistent across multiple shell sessions and system restarts can use the following command instead:
```
$ setx AWS_EC2_METADATA_DISABLED=true
```
**Note**
The **setx** command does not apply the value to the current shell session, so you will need to reload or reopen the shell for the change to take effect.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Partial | JVM system properties: Use com.amazonaws.sdk.disableEc2MetadataV1 instead of aws.disableEc2MetadataV1; aws.ec2MetadataServiceEndpoint and aws.ec2MetadataServiceEndpointMode not supported. |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | Does not use IMDSv1 fallback. |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | Does not use IMDSv1 fallback. |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | You can disable IMDSv1 fallback explicitly in code using [Amazon.Util.EC2InstanceMetadata]::EC2MetadataV1Disabled = \$1true. |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | You can disable IMDSv1 fallback explicitly in code using [Amazon.Util.EC2InstanceMetadata]::EC2MetadataV1Disabled = \$1true. |
# Process credential provider
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
SDKs provide a way to extend the credential provider chain for custom use cases. This provider can be used to provide custom implementations, such as retrieving credentials from an on-premises credentials store or integrating with your on-premises identify provider.
For example, IAM Roles Anywhere uses `credential_process` to get temporary credentials on behalf of your application. To configure `credential_process` for this use, see [Using IAM Roles Anywhere to authenticate AWS SDKs and tools](access-rolesanywhere.md).
**Note**
The following describes a method of sourcing credentials from an external process and might be used if you are running software outside of AWS. If you are building on an AWS compute resource, use other credential providers. If using this option, you should make sure that the config file is as locked down as possible using security best practices for your operating system. Confirm that your custom credential tool does not write any secret information to `StdErr`, because the SDKs and AWS CLI can capture and log such information, potentially exposing it to unauthorized users.
Configure this functionality by using the following:
**`credential_process` - shared AWS `config` file setting**
Specifies an external command that the SDK or tool runs on your behalf to generate or retrieve authentication credentials to use. The setting specifies the name of a program/command that the SDK will invoke. When the SDK invokes the process, it waits for the process to write JSON data to `stdout`. The custom provider must return information in a specific format. That information contains the credentials that the SDK or tool can use to authenticate you.
**Note**
The process credential provider is a part of the [Understand the credential provider chain](standardized-credentials.md#credentialProviderChain). However, the process credential provider is only checked after several other providers that are in this series. Therefore, if you want your program use this provider's credentials, you must remove other valid credential providers from your configuration or use a different profile. Alternatively, instead of relying on the credential provider chain to automatically discover which provider returns valid credentials, specify the use of the process credential provider in code. You can specify credential sources directly when you create service clients.
## Specifying the path to the credentials program
The setting's value is a string that contains a path to a program that the SDK or development tool runs on your behalf:
+ The path and file name can consist of only these characters: A-Z, a-z, 0-9, hyphen ( - ), underscore ( \$1 ), period ( . ), forward slash ( / ), backslash ( \$1 ), and space.
+ If the path or file name contains a space, surround the complete path and file name with double-quotation marks (" ").
+ If a parameter name or a parameter value contains a space, surround that element with double-quotation marks (" "). Surround only the name or value, not the pair.
+ Don't include any environment variables in the strings. For example, don't include `$HOME` or `%USERPROFILE%`.
+ Don't specify the home folder as `~`. \$1 You must specify either the full path or a base file name. If there is a base file name, the system attempts to find the program within folders specified by the `PATH` environment variable. The path varies depending on the operating system:
The following example shows setting credential\$1process in the shared `config` file on Linux/macOS.
```
credential_process = "/path/to/credentials.sh" parameterWithoutSpaces "parameter with spaces"
```
The following example shows setting credential\$1process in the shared `config` file on Windows.
```
credential_process = "C:\Path\To\credentials.cmd" parameterWithoutSpaces "parameter with spaces"
```
+ Can be specified within a dedicated profile:
```
[profile cred_process]
credential_process = /Users/username/process.sh
region = us-east-1
```
## Valid output from the credentials program
The SDK runs the command as specified in the profile and then reads data from the standard output stream. The command you specify, whether a script or binary program, must generate JSON output on `STDOUT` that matches the following syntax.
```
{
"Version": 1,
"AccessKeyId": "an AWS access key",
"SecretAccessKey": "your AWS secret access key",
"SessionToken": "the AWS session token for temporary credentials",
"Expiration": "RFC3339 timestamp for when the credentials expire"
}
```
**Note**
As of this writing, the `Version` key must be set to `1`. This might increment over time as the structure evolves.
The `Expiration` key is an RFC3339 formatted timestamp. If the `Expiration` key isn't present in the tool's output, the SDK assumes that the credentials are long-term credentials that don't refresh. Otherwise, the credentials are considered temporary credentials, and they are automatically refreshed by rerunning the `credential_process` command before the credentials expire.
**Note**
The SDK does ***not*** cache external process credentials the way it does assume-role credentials. If caching is required, you must implement it in the external process.
The external process can return a non-zero return code to indicate that an error occurred while retrieving the credentials.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# AWS SDKs and Tools standardized features
Many features have been standardized to consistent defaults and to work the same way across many SDKs. This consistency increases productivity and clarity when coding across multiple SDKs. All settings can be overridden in code, see your specific SDK API for details.
**Important**
Not all SDKs support all features, or even all aspects within a feature.
**Topics**
+ [Account-based endpoints](feature-account-endpoints.md)
+ [Application ID](feature-appid.md)
+ [Amazon EC2 instance metadata](feature-ec2-instance-metadata.md)
+ [Amazon S3 access points](feature-s3-access-point.md)
+ [Amazon S3 Multi-Region Access Points](feature-s3-mrap.md)
+ [S3 Express One Zone session authentication](feature-s3-express.md)
+ [Authentication scheme](feature-auth-scheme.md)
+ [AWS Region](feature-region.md)
+ [AWS STS Regional endpoints](feature-sts-regionalized-endpoints.md)
+ [Data Integrity Protections](feature-dataintegrity.md)
+ [Dual-stack and FIPS endpoints](feature-endpoints.md)
+ [Endpoint discovery](feature-endpoint-discovery.md)
+ [General configuration](feature-gen-config.md)
+ [Host prefix injection](feature-host-prefix.md)
+ [IMDS client](feature-imds-client.md)
+ [Retry behavior](feature-retry-behavior.md)
+ [Request compression](feature-compression.md)
+ [Service-specific endpoints](feature-ss-endpoints.md)
+ [Smart configuration defaults](feature-smart-config-defaults.md)
# Account-based endpoints
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
Account-based endpoints help ensure high performance and scalability by using your AWS account ID to route requests for services that support this feature. When you use an AWS SDK and service that support account-based endpoints, the SDK client constructs and uses an account-based endpoint rather than a regional endpoint. If the account ID isn't visible to the SDK client, the client will use the regional endpoint. Account-based endpoints take the form of `https://.ddb..amazonaws.com`, where `` and `` are your AWS account ID and AWS Region.
Configure this functionality by using the following:
**`aws_account_id` - shared AWS `config` file setting`AWS_ACCOUNT_ID` - environment variable`aws.accountId` - JVM system property: Java/Kotlin only**
The AWS account ID. Used for account-based endpoint routing. An AWS account ID has a format like 111122223333.
Account-based endpoint routing provides better request performance for some services.
**`account_id_endpoint_mode` - shared AWS `config` file setting`AWS_ACCOUNT_ID_ENDPOINT_MODE` - environment variable`aws.accountIdEndpointMode` - JVM system property: Java/Kotlin only**
This setting is used to turn off account-based endpoint routing if necessary, and bypass account-based rules.
**Default value:** `preferred`
**Valid values:**
+ **`preferred`** – The endpoint should include account ID if available.
+ **`disabled`** – A resolved endpoint doesn't include account ID.
+ **`required`** – The endpoint must include account ID. If the account ID isn't available, the SDK throws an error.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Released in SDK version | Notes or more information |
| --- | --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | 2.25.0 | |
| [AWS CLI v1](https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html) | Yes | 1.38.0 | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | No | | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | v1.35.0 | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | v2.28.4 | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | v1.12.771 | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | v3.656.0 | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | v1.3.37 | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | 4.0.0 | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | No | | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | v3.318.0 | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | 1.37.0 | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | v1.123.0 | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | release-2025-04-24 | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | 1.2.0 | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | No | | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | No | | |
# Application ID
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
A single AWS account can be used by multiple customer applications to make calls to AWS services. Application ID provides a way for customers to identify which source application made a set of calls using an AWS account. AWS SDKs and services don't use or interpret this value other than to surface it back in customer communications. For example, this value can be included in operational emails or in the AWS Health Dashboard to uniquely identify which of your applications is associated with the notification.
Configure this functionality by using the following:
**`sdk_ua_app_id` - shared AWS `config` file setting`AWS_SDK_UA_APP_ID` - environment variable`sdk.ua.appId` - JVM system property: Java/Kotlin only**
This setting is a unique string you assign to your application to identify which of your applications within a particular AWS account makes calls to AWS.
**Default value:** `None`
**Valid values:** String with maximum length of 50. Letters, numbers and the following special characters are allowed: `!`,`#`,`$`,`%`,`&`,`'`,`*`,`+`,`-`,`.`,`^`,`_`,```,`|`,`~`.
Example of setting this value in the `config` file:
```
[default]
sdk_ua_app_id=ABCDEF
```
Linux/macOS example of setting environment variables via command line:
```
export AWS_SDK_UA_APP_ID=ABCDEF
export AWS_SDK_UA_APP_ID="ABC DEF"
```
Windows example of setting environment variables via command line:
```
setx AWS_SDK_UA_APP_ID ABCDEF
setx AWS_SDK_UA_APP_ID="ABC DEF"
```
If you include symbols that have a special meaning to the shell being used, escape the value as appropriate.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | shared config file not supported. |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Partial | Shared config file setting not supported; environment variable not supported. |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | The JVM system property is aws.userAgentAppId. |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# Amazon EC2 instance metadata
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
Amazon EC2 provides a service on instances called the Instance Metadata Service (IMDS). To learn more about this service, see [Work with instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide*. When attempting to retrieve credentials on an Amazon EC2 instance that has been configured with an IAM role, the connection to the instance metadata service is adjustable.
Configure this functionality by using the following:
**`metadata_service_num_attempts` - shared AWS `config` file setting`AWS_METADATA_SERVICE_NUM_ATTEMPTS` - environment variable**
This setting specifies the number of total attempts to make before giving up when attempting to retrieve data from the instance metadata service.
**Default value:** 1
**Valid values:** Number greater than or equal to 1.
**`metadata_service_timeout` - shared AWS `config` file setting`AWS_METADATA_SERVICE_TIMEOUT` - environment variable**
Specifies the number of seconds before timing out when attempting to retrieve data from the instance metadata service.
**Default value:** 1
**Valid values:** Number greater than or equal to 1.
Example of setting these values in the `config` file:
```
[default]
metadata_service_num_attempts=10
metadata_service_timeout=10
```
Linux/macOS example of setting environment variables via command line:
```
export AWS_METADATA_SERVICE_NUM_ATTEMPTS=10
export AWS_METADATA_SERVICE_TIMEOUT=10
```
Windows example of setting environment variables via command line:
```
setx AWS_METADATA_SERVICE_NUM_ATTEMPTS 10
setx AWS_METADATA_SERVICE_TIMEOUT 10
```
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | No | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | No | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Partial | Only AWS\$1METADATA\$1SERVICE\$1TIMEOUT is supported. |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Partial | Only AWS\$1METADATA\$1SERVICE\$1TIMEOUT is supported. |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | No | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | No | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | No | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | No | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | No | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | No | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | No | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | No | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | No | |
# Amazon S3 access points
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
The Amazon S3 service provides access points as an alternative way to interact with Amazon S3 buckets. Access points have unique policies and configurations that can be applied to them instead of directly to the bucket. With AWS SDKs, you can use access point Amazon Resource Names (ARNs) in the bucket field for API operations instead of specifying the bucket name explicitly. They are used for specific operations such as using an access point ARN with [https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) to fetch an object from a bucket, or using an access point ARN with [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) to add an object to a bucket.
To learn more about Amazon S3 access points and ARNs, see [Using access points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-access-points.html) in the *Amazon S3 User Guide*.
Configure this functionality by using the following:
**`s3_use_arn_region` - shared AWS `config` file setting`AWS_S3_USE_ARN_REGION` - environment variable`aws.s3UseArnRegion` - JVM system property: Java/Kotlin onlyTo configure value directly in code, consult your specific SDK directly. **
This setting controls whether the SDK uses the access point ARN AWS Region to construct the Regional endpoint for the request. The SDK validates that the ARN AWS Region is served by the same AWS partition as the client's configured AWS Region to prevent cross-partition calls that most likely will fail. If multiply defined, the code-configured setting takes precedence, followed by the environment variable setting.
**Default value:** `false`
**Valid values:**
+ **`true`** – The SDK uses the ARN's AWS Region when constructing the endpoint instead of the client's configured AWS Region. Exception: If the client's configured AWS Region is a FIPS AWS Region, then it must match the ARN's AWS Region. Otherwise, an error will result.
+ **`false`** – The SDK uses the client's configured AWS Region when constructing the endpoint.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | JVM system property not supported. |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | Doesn't follow standard precedence; shared config file value takes precedence over environment variable. |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | No | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | No | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | Doesn't follow standard precedence; shared config file value takes precedence over environment variable. |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | Doesn't follow standard precedence; shared config file value takes precedence over environment variable. |
# Amazon S3 Multi-Region Access Points
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
Amazon S3 Multi-Region Access Points provide a global endpoint that applications can use to fulfill requests from Amazon S3 buckets located in multiple AWS Regions. You can use Multi-Region Access Points to build multi-Region applications with the same architecture used in a single Region, and then run those applications anywhere in the world.
To learn more about Multi-Region Access Points, see [Multi-Region Access Points in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPoints.html) in the *Amazon S3 User Guide*.
To learn more about Multi-Region Access Point Amazon Resource Names (ARNs), see [Making requests using a Multi-Region Access Point](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRequests.html) in the *Amazon S3 User Guide*.
To learn more about creating Multi-Region Access Points, see [Managing Multi-Region Access Points](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManagingMultiRegionAccessPoints.html) in the *Amazon S3 User Guide*.
The SigV4A algorithm is the signing implementation used to sign the global Region requests. This algorithm is obtained by the SDK through a dependency on the [AWS Common Runtime (CRT) libraries](common-runtime.md).
Configure this functionality by using the following:
**`s3_disable_multiregion_access_points` - shared AWS `config` file setting`AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS` - environment variable`aws.s3DisableMultiRegionAccessPoints` - JVM system property: Java/Kotlin onlyTo configure value directly in code, consult your specific SDK directly. **
This setting controls whether the SDK potentially attempts cross-Region requests. If multiply defined, the code-configured setting takes precedence, followed by the environment variable setting.
**Default value:** `false`
**Valid values:**
+ **`true`** – Stops the use of cross-Region requests.
+ **`false`** – Enables cross-Region requests using Multi-Region Access Points.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | No | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# S3 Express One Zone session authentication
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
S3 Express One Zone is Amazon S3's high-performance storage class that provides single-digit millisecond latency for frequently accessed data. When you use S3 Express One Zone buckets, AWS SDKs and tools automatically use session-based authentication that is optimized for low-latency authorization of data requests. You use session tokens with Zonal (object-level) operations to distribute the latency that's associated with authorization over a number of requests in a session, reducing the authentication overhead and improving overall request performance.
S3 Express One Zone buckets use a specific naming format that includes the Availability Zone ID, such as `bucket-name--usw2-az1--x-s3`. When the SDK detects this naming pattern, it automatically routes requests to the appropriate S3 Express One Zone endpoints and applies the optimized authentication flow. The session authentication creates temporary, bucket-specific credentials that provide low-latency access to your bucket and are cached and refreshed automatically by the SDK. See [S3 Express One Zone](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-high-performance.html#s3-express-one-zone) in the *Amazon S3 User Guide* to learn more.
By default, session authentication is enabled for S3 Express One Zone buckets.
Configure this functionality by using the following:
**`s3_disable_express_session_auth` - shared AWS `config` file setting`AWS_S3_DISABLE_EXPRESS_SESSION_AUTH` - environment variable`aws.disableS3ExpressAuth` - JVM system property: Java/Kotlin only**
Controls whether S3 Express One Zone session authentication is disabled. When set to `true`, the SDK uses standard SigV4 authentication for S3 Express One Zone buckets instead of session authentication.
**Default value:** `false`
**Valid values:**
+ **`true`** – Disable S3 Express One Zone session authentication.
+ **`false`** – Enable S3 Express One Zone session authentication.
Example of setting this value in the `config` file:
```
[default]
s3_disable_express_session_auth=true
```
Linux/macOS example of setting environment variables via command line:
```
export AWS_S3_DISABLE_EXPRESS_SESSION_AUTH=true
```
Windows example of setting environment variables via command line:
```
setx AWS_S3_DISABLE_EXPRESS_SESSION_AUTH true
```
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [AWS CLI v1](https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | The JVM system property is aws.s3DisableExpressSessionAuth. |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# Authentication scheme
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
AWS services support multiple authentication schemes, such as AWS Signature Version 4 (SigV4) and AWS Signature Version 4a (SigV4a). By default, SDKs select authentication schemes based on service model definitions and prioritize schemes that provide the best compatibility. However, you can configure your preferred authentication scheme to optimize for specific requirements.
Unlike SigV4, requests signed with SigV4a are valid in multiple AWS Regions. SigV4a provides enhanced availability through cross-region request signing, which enables automatic failover to backup regions during regional disruptions. This is particularly beneficial for global services like AWS Identity and Access Management or Amazon CloudFront.
For more information on these two authentication schemes, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.
Configure this functionality by using the following:
**`auth_scheme_preference` - shared AWS `config` file setting`AWS_AUTH_SCHEME_PREFERENCE` - environment variable`aws.authSchemePreference` - JVM system property: Java/Kotlin only**
Specifies a comma-separated list of preferred authentication schemes in priority order. When a service supports multiple authentication schemes, the SDK attempts to use schemes from this list in the specified order, falling back to default behavior if none of the preferred schemes are available.
**Default value:** None.
**Valid values:** A comma-separated list of one or more of the following:
+ **`sigv4`** – Signature Version 4 (fastest performance, single-region)
+ **`sigv4a`** – Signature Version 4a (enhanced availability, cross-region support, has a slower signing performance than SigV4)
+ **`httpBearerAuth`** – HTTP Bearer token authentication
Space and tab characters between scheme names are ignored.
Example of setting this value in the `config` file to prefer SigV4a:
```
[default]
auth_scheme_preference=sigv4a,sigv4
```
**`sigv4a_signing_region_set` - shared AWS `config` file setting`AWS_SIGV4A_SIGNING_REGION_SET` - environment variable**
Specifies comma-separated list of AWS Regions for SigV4a multi-region signing. This is used as the default Region set for the request if SigV4a is the selected authentication scheme.
**Default value:** Determined by the request.
**Valid values:** Comma-separated list of AWS Regions. Space and tab characters between Regions are ignored.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | No | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | No | |
# AWS Region
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
AWS Regions are an important concept to understand when working with AWS services.
With AWS Regions, you can access AWS services that physically reside in a specific geographic area. This can be useful to keep your data and applications running close to where you and your users will access them. Regions provide fault tolerance, stability, and resilience, and can also reduce latency. With Regions, you can create redundant resources that remain available and unaffected by a Regional outage.
Most AWS service requests are associated with a particular geographic region. The resources that you create in one Region do not exist in any other Region unless you explicitly use a replication feature offered by an AWS service. For example, Amazon S3 and Amazon EC2 support cross-Region replication. Some services, such as IAM, do not have Regional resources.
The *AWS General Reference* contains information on the following:
+ To understand the relationship between Regions and endpoints, and to view a list of existing Regional endpoints, see [AWS service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).
+ To view the current list of all supported Regions and endpoints for each AWS service, see [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html).
**Creating service clients**
To programmatically access AWS services, SDKs use a client class/object for each AWS service. If your application needs to access Amazon EC2, for example, your application would create an Amazon EC2 client object to interface with that service.
If no Region is explicitly specified for the client in the code itself, the client defaults to using the Region that is set through the following `region` setting. However, the active Region for a client can be explicitly set for any individual client object. Setting the Region in this way takes precedence over any global setting for that particular service client. The alternative Region is specified during instantiation of that client, specific to your SDK (check your specific SDK Guide or your SDK's code base).
Configure this functionality by using the following:
**`region` - shared AWS `config` file setting`AWS_REGION` - environment variable`aws.region` - JVM system property: Java/Kotlin only**
Specifies the default AWS Region to use for AWS requests. This Region is used for SDK service requests that aren't provided with a specific Region to use.
**Default value:** None. You must specify this value explicitly.
**Valid values:**
+ Any of the Region codes available for the chosen service, as listed in [AWS service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *AWS General Reference*. For example, the value `us-east-1` sets the endpoint to the AWS Region US East (N. Virginia).
+ `aws-global` specifies the global endpoint for services that support a separate global endpoint in addition to Regional endpoints, such as AWS Security Token Service (AWS STS) and Amazon Simple Storage Service (Amazon S3).
Example of setting this value in the `config` file:
```
[default]
region = us-west-2
```
Linux/macOS example of setting environment variables via command line:
```
export AWS_REGION=us-west-2
```
Windows example of setting environment variables via command line:
```
setx AWS_REGION us-west-2
```
Most SDKs have a "configuration" object that is available for setting the default Region from within the application code. For details, see your specific AWS SDK developer guide.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | AWS CLI v2 uses any value in AWS\$1REGION before any value in AWS\$1DEFAULT\$1REGION (both variables are checked). |
| [AWS CLI v1](https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html) | Yes | AWS CLI v1 uses environment variable named AWS\$1DEFAULT\$1REGION for this purpose. |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | This SDK uses environment variable named AWS\$1DEFAULT\$1REGION for this purpose. |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# AWS STS Regional endpoints
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
AWS Security Token Service (AWS STS) is available both as a global and Regional service. Some of AWS SDKs and CLIs use the global service endpoint (`https://sts.amazonaws.com`) by default, while some use the Regional service endpoints (`https://sts.{region_identifier}.{partition_domain}`). In Regions that are [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html), requests to the AWS STS global endpoint are automatically served in the same Region where the request originates. In opt-in Regions, requests to the AWS STS global endpoint are served by a single AWS Region, US East (N. Virginia). For more information on AWS STS endpoints, see [Endpoints](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html#sts-endpoints) in the *AWS Security Token Service API Reference* or [Manage AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the *AWS Identity and Access Management User Guide*.
It is an AWS best practice to use Regional endpoints whenever possible and to configure your [AWS Region](feature-region.md). Customers in [partitions](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?id=docs_gateway#partition) other than commercial must use Regional endpoints. Not all SDKs and tools support this setting, but all have defined behavior around global and Regional endpoints. See the following section for more information.
**Note**
AWS has made changes to the AWS Security Token Service (AWS STS) global endpoint (`https://sts.amazonaws.com`) in Regions [enabled by default](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) to enhance its resiliency and performance. AWS STS requests to the global endpoint are automatically served in the same AWS Region as your workloads. These changes will not be deployed to opt-in Regions. We recommend that you use the appropriate AWS STS regional endpoints. For more information, see [AWS STS global endpoint changes](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_region-endpoints.html#reference_sts_global_endpoint_changes) in the *AWS Identity and Access Management User Guide*.
For SDKs and tools that support this setting, customers can configure the functionality by using the following:
**`sts_regional_endpoints` - shared AWS `config` file setting`AWS_STS_REGIONAL_ENDPOINTS` - environment variable**
This setting specifies how the SDK or tool determines the AWS service endpoint that it uses to talk to the AWS Security Token Service (AWS STS).
**Default value:** `regional`, see exceptions in the following table.
All new SDK major versions releasing after July 2022 will default to `regional`. New SDK major versions might remove this setting and use `regional` behavior. To reduce future impact regarding this change, we recommend you start using `regional` in your application when possible.
**Valid values:** *(Recommended value: `regional`)*
+ **`legacy`** – Uses the global AWS STS endpoint, `sts.amazonaws.com`.
+ **`regional`** – The SDK or tool always uses the AWS STS endpoint for the currently configured Region. For example, if the client is configured to use `us-west-2`, all calls to AWS STS are made to the Regional endpoint `sts.us-west-2.amazonaws.com`, instead of the global `sts.amazonaws.com` endpoint. To send a request to the global endpoint while this setting is enabled, you can set the Region to `aws-global`.
Example of setting these values in the `config` file:
```
[default]
sts_regional_endpoints = regional
```
Linux/macOS example of setting environment variables via command line:
```
export AWS_STS_REGIONAL_ENDPOINTS=regional
```
Windows example of setting environment variables via command line:
```
setx AWS_STS_REGIONAL_ENDPOINTS regional
```
## Support by AWS SDKs and tools
**Note**
It is an AWS best practice to use Regional endpoints whenever possible and to configure your [AWS Region](feature-region.md).
The table that follows summarizes, for your SDK or tool:
+ **Supports setting**: Whether the shared `config` file variable and environment variable for STS Regional endpoints are supported.
+ **Default setting value**: The default value of the setting if it is supported.
+ **Default service client target STS Endpoint**: What default endpoint is used by the client even if the setting to change it is not available.
+ **Service client fallback behavior**: What the SDK does when it is supposed to use a Regional endpoint but no Region has been configured. This is the behavior regardless of if it is using a Regional endpoint because of a default or because `regional` has been selected by the setting.
The table also uses the following values:
+ **Global endpoint**: `https://sts.amazonaws.com`.
+ **Regional endpoint**: Based on the configured [AWS Region](feature-region.md) used by your application.
+ **`us-east-1` (Regional)**: Uses the `us-east-1` Region endpoint but with longer session tokens than typical global requests.
| SDK | Supports setting | Default setting value | Default service client target STS Endpoint | Service client fallback behavior | Notes or more information |
| --- | --- | --- | --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | No | N/A | Regional endpoint | Global endpoint | |
| [AWS CLI v1](https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html) | Yes | legacy | Global endpoint | Global endpoint | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | No | N/A | Regional endpoint | us-east-1 (Regional) | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | No | N/A | Regional endpoint | Request failure | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | legacy | Global endpoint | Global endpoint | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | No | N/A | Regional endpoint | Request failure | If no Region is configured, the `AssumeRole` and `AssumeRoleWithWebIdentity` will use the global STS endpoint. |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | legacy | Global endpoint | Global endpoint | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | No | N/A | Regional endpoint | us-east-1 (Regional) | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | legacy | Global endpoint | Global endpoint | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | No | N/A | Regional endpoint | Global endpoint | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | No | N/A | Regional endpoint | us-east-1 (Regional) | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | regional | Global endpoint | Global endpoint | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | regional | Global endpoint | Request failure | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | regional | Global endpoint | Global endpoint | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | regional | Regional endpoint | Request failure | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | No | N/A | Regional endpoint | Request failure | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | No | N/A | Regional endpoint | Request failure | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | regional | Global endpoint | Global endpoint | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | regional | Global endpoint | Global endpoint | |
# Data Integrity Protections for Amazon S3
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
For some time, AWS SDKs have supported data integrity checks when uploading data to or downloading data from Amazon Simple Storage Service. Previously, these checks were opt-in. Now, we've enabled these checks by default, using CRC-based algorithms such as CRC32 or CRC64NVME. Although each SDK or tool has a default algorithm, you can choose a different algorithm. You can also continue to still manually supply a pre-calculated checksum for uploads if you want. Consistent behavior across uploads, multipart uploads, downloads, and encryption modes simplifies client-side integrity checks.
The latest versions of our AWS SDKs and AWS CLI automatically calculate a [cyclic redundancy check (CRC)-based checksum](https://en.wikipedia.org/wiki/Cyclic_redundancy_check) for each upload and sends it to Amazon S3. Amazon S3 independently calculates a checksum on the server side and validates it against the provided value before durably storing the object and its checksum in the object's metadata. By storing the checksum in the metadata alongside the object, when the object is downloaded, the same checksum can be automatically returned and used to validate downloads as well. You can also verify the checksum stored in the object's metadata at any time.
To learn more about checksum operations, multipart uploads, or the list of supported checksum algorithms, see [Checking object integrity in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html) in the *Amazon Simple Storage Service User Guide*.
**Multipart uploads:**
Amazon S3 also provides developers with consistent full object checksums across single part and multipart uploads.
When uploading files in multiple parts, the SDKs calculate checksums for each part. Amazon S3 uses these checksums to verify the integrity of each part through the `UploadPart` API. Additionally, Amazon S3 validates the entire file's size and checksum when you call the `CompleteMultipartUpload` API.
If your SDK has an Amazon S3 Transfer Manager to assist with multipart uploads, the checksums are validated for the parts using the SDK-specific default algorithm found in the [Support by AWS SDKs and tools](#dataintegrity-sdk-compat) table. You can opt-in to a full object checksum by setting setting `checksum_type` to `FULL_OBJECT` or by choosing to use the CRC64NVME algorithm.
** If you are using an older version of SDK or AWS CLI:**
If your application uses a version prior to December 2024 of the SDK or tool, Amazon S3 still computes a CRC64NVME checksum on new objects and stores it in the object metadata for future reference. You can later compare the stored CRC with a CRC computed on your side and verify the network transmission was correct. Also, you can still manually extend the integrity protection by providing your own precomputed checksums with your [https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) or [https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPart.html) requests, which is the standard technique for addressing this in older versions.
Configure this functionality by using the following:
**`request_checksum_calculation` - shared AWS `config` file setting`AWS_REQUEST_CHECKSUM_CALCULATION` - environment variable`aws.requestChecksumCalculation` - JVM system property: Java/Kotlin only**
By default, users are opted-in to calculating a request checksum when sending a request. The user can choose any of the [available checksum algorithms](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html) as a part of building the request. Otherwise, an SDK-specific default algorithm is used. See the [Support by AWS SDKs and tools](#dataintegrity-sdk-compat) table for the default algorithm for each SDK or tool.
**Default value:** `WHEN_SUPPORTED`
**Valid values:**
+ **`WHEN_SUPPORTED`** – Checksum validation is performed on all request payloads when supported by the API operation, such as data transfers to Amazon S3.
+ **`WHEN_REQUIRED`** – Checksum validation is performed only when required by the API operation.
**`response_checksum_validation` - shared AWS `config` file setting`AWS_RESPONSE_CHECKSUM_VALIDATION` - environment variable`aws.responseChecksumValidation` - JVM system property: Java/Kotlin only**
By default, users are opted-in to a response checksum validation when sending a request. A checksum is calculated for the response payload and compared against the checksum response header. If checksum validation fails, an error is raised to the user when the payload is read.
The checksum response header also indicates the algorithm for the checksum. The Amazon S3 client attempts to validate response checksums for all Amazon S3 API operations that support checksums. However, if the SDK has not implemented the specified checksum algorithm then this validation is skipped.
**Default value:** `WHEN_SUPPORTED`
**Valid values:**
+ **`WHEN_SUPPORTED`** – Checksum validation is performed on all response payloads when supported by the API operation, such as data transfers to Amazon S3.
+ **`WHEN_REQUIRED`** – Checksum validation is performed only when supported by the API operation and the caller has explicitly enabled checksum for the operation. For example, when the Amazon S3 `GetObject` API is called and the `ChecksumMode` parameter is set to enabled.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
**Note**
In the following table, 'CRT' refers to the [AWS Common Runtime (CRT) libraries](common-runtime.md) and might require adding an additional dependency to your project.
| SDK | Supported | Default checksum algorithm | Supported checksum algorithms | Notes or more information |
| --- | --- | --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | CRC64NVME | CRC64NVME, CRC32, CRC32C, SHA1, SHA256 | For AWS CLI v1, the default algorithm and the supported algorithms will be identical to Python (Boto3). |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | CRC64NVME | CRC64NVME, CRC32, CRC32C, SHA1, SHA256 | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | CRC32 | CRC64NVME, CRC32, CRC32C, SHA1, SHA256 | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | | | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | CRC32 | CRC64NVME (via CRT only), CRC32, CRC32C, SHA1, SHA256 | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | | | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | CRC32 | CRC32, CRC32C, SHA1, SHA256 | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | | | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | CRC32 | CRC32, CRC32C, SHA1, SHA256 | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | CRC32 | CRC32, CRC32C, SHA1, SHA256 | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | CRC32 | CRC32, CRC32C, SHA1, SHA256 | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | CRC32 | CRC32, CRC32C (via CRT only), SHA1, SHA256 | awscrt extension is required in order to use CRC32C. |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | CRC32 | CRC64NVME (via CRT only), CRC32, CRC32C (via CRT only), SHA1, SHA256 | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | CRC32 | CRC64NVME (via CRT only), CRC32, CRC32C (via CRT only), SHA1, SHA256 | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | CRC32 | CRC64NVME, CRC32, CRC32C, SHA1, SHA256 | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | CRC32 | CRC64NVME, CRC32, CRC32C, SHA1, SHA256 | CRT dependency required for all algorithms. |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | CRC32 | CRC32, CRC32C, SHA1, SHA256 | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | CRC32 | CRC32, CRC32C, SHA1, SHA256 | |
# Dual-stack and FIPS endpoints
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
Configure this functionality by using the following:
**`use_dualstack_endpoint` - shared AWS `config` file setting`AWS_USE_DUALSTACK_ENDPOINT` - environment variable`aws.useDualstackEndpoint` - JVM system property: Java/Kotlin only**
Turns on or off whether the SDK will send requests to dual-stack endpoints. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon Simple Storage Service User Guide*. Dual-stack endpoints are available for some services in some regions.
**Default value:** `false`
**Valid values:**
+ **`true`** – The SDK or tool will attempt to use dual-stack endpoints to make network requests. If a dual-stack endpoint does not exist for the service and/or AWS Region, the request will fail.
+ **`false`** – The SDK or tool will not use dual-stack endpoints to make network requests.
**`use_fips_endpoint` - shared AWS `config` file setting`AWS_USE_FIPS_ENDPOINT` - environment variable`aws.useFipsEndpoint` - JVM system property: Java/Kotlin only**
Turns on or off whether the SDK or tool will send requests to FIPS-compliant endpoints. The Federal Information Processing Standards (FIPS) are a set of US Government security requirements for data and its encryption. Government agencies, partners, and those wanting to do business with the federal government are required to adhere to FIPS guidelines. Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that is validated against FIPS 140. If this setting is enabled and a FIPS endpoint does not exist for the service in your AWS Region, the AWS call may fail. [Service-specific endpoints](feature-ss-endpoints.md) and the `--endpoint-url` option for the AWS Command Line Interface override this setting.
To learn more about other ways to specify FIPS endpoints by AWS Region, see [FIPS Endpoints by Service](https://aws.amazon.com/compliance/fips/). For more information on Amazon Elastic Compute Cloud service endpoints, see [Dual-stack (IPv4 and IPv6) endpoints](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Using_Endpoints.html#ipv6) in the *Amazon EC2 API Reference*.
**Default value:** `false`
**Valid values:**
+ **`true`** – The SDK or tool will send requests to FIPS-compliant endpoints.
+ **`false`** – The SDK or tool will not send requests to FIPS-compliant endpoints.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# Endpoint discovery
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
SDKs use endpoint discovery to access service endpoints (URLs to access various resources), while still maintaining flexibility for AWS to alter URLs as needed. This way, your code can automatically detect new endpoints. There are no fixed endpoints for some services. Instead, you get the available endpoints during runtime by making a request to get the endpoints first. After retrieving the available endpoints, the code then uses the endpoint to access other operations. For example, for Amazon Timestream, the SDK makes a `DescribeEndpoints` request to retrieve the available endpoints, and then uses those endpoints to complete specific operations such as `CreateDatabase` or `CreateTable`.
Configure this functionality by using the following:
**`endpoint_discovery_enabled` - shared AWS `config` file setting`AWS_ENABLE_ENDPOINT_DISCOVERY` - environment variable`aws.endpointDiscoveryEnabled` - JVM system property: Java/Kotlin onlyTo configure value directly in code, consult your specific SDK directly. **
Turns on or off endpoint discovery for DynamoDB.
Endpoint discovery is required in Timestream and optional in Amazon DynamoDB. This setting defaults to either `true` or `false` depending on whether the service requires endpoint discovery. Timestream requests default to `true`, and Amazon DynamoDB requests default to `false`.
**Valid values:**
+ **`true`** – The SDK should automatically attempt to discover an endpoint for services where endpoint discovery is optional.
+ **`false`** – The SDK should not automatically attempt to discover an endpoint for services where endpoint discovery is optional.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | The SDK for Java 2.x uses AWS\$1ENDPOINT\$1DISCOVERY\$1ENABLED for the environment variable name. |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Partial | JVM system property not supported. |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Partial | Supported for Timestream only. |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | No | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# General configuration settings
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
SDKs support some general settings that configure overall SDK behaviors.
Configure this functionality by using the following:
**`api_versions` - shared AWS `config` file setting**
Some AWS services maintain multiple API versions to support backward compatibility. By default, SDK and AWS CLI operations use the latest available API version. To require a specific API version to use for your requests, include the `api_versions` setting in your profile.
**Default value:** None. (Latest API version is used by the SDK.)
**Valid values:** This is a nested setting that's followed by one or more indented lines that each identify one AWS service and the API version to use. See the documentation for the AWS service to understand which API versions are available.
The example sets a specific API version for two AWS services in the `config` file. These API versions are used only for commands that run under the profile that contains these settings. Commands for any other service use the latest version of that service's API.
```
api_versions =
ec2 = 2015-03-01
cloudfront = 2015-09-017
```
**`ca_bundle` - shared AWS `config` file setting`AWS_CA_BUNDLE` - environment variable**
Specifies the path to a custom certificate bundle (a file with a `.pem` extension) to use when establishing SSL/TLS connections.
**Default value:** none
**Valid values:** Specify either the full path or a base file name. If there is a base file name, the system attempts to find the program within folders specified by the `PATH` environment variable.
Example of setting this value in the `config` file:
```
[default]
ca_bundle = dev/apps/ca-certs/cabundle-2019mar05.pem
```
Due to differences in how operating systems handle paths and escaping of path characters, the following is an example of setting this value in the `config` file on Windows:
```
[default]
ca_bundle = C:\\Users\\username\\.aws\\aws-custom-bundle.pem
```
Linux/macOS example of setting environment variables via command line:
```
export AWS_CA_BUNDLE=/dev/apps/ca-certs/cabundle-2019mar05.pem
```
Windows example of setting environment variables via command line:
```
setx AWS_CA_BUNDLE C:\dev\apps\ca-certs\cabundle-2019mar05.pem
```
**`output` - shared AWS `config` file setting**
Specifies how results are formatted in the AWS CLI and other AWS SDKs and tools.
**Default value:** `json`
**Valid values:**
+ **[https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#json-output](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#json-output)** – The output is formatted as a [JSON](https://json.org/) string.
+ **[https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#yaml-output](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#yaml-output)** – The output is formatted as a [YAML](https://yaml.org/) string.
+ **[https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#yaml-stream-output](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#yaml-stream-output)** – The output is streamed and formatted as a [YAML](https://yaml.org/) string. Streaming allows for faster handling of large data types.
+ **[https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#text-output](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#text-output)** – The output is formatted as multiple lines of tab-separated string values. This can be useful to pass the output to a text processor, like `grep`, `sed`, or `awk`.
+ **[https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#table-output](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html#table-output)** – The output is formatted as a table using the characters \$1\$1- to form the cell borders. It typically presents the information in a "human-friendly" format that is much easier to read than the others, but not as programmatically useful.
**`parameter_validation` - shared AWS `config` file setting**
Specifies whether the SDK or tool attempts to validate command line parameters before sending them to the AWS service endpoint.
**Default value:** `true`
**Valid values:**
+ **`true`** – The default. The SDK or tool performs client-side validation of command line parameters. This helps the SDK or tool confirm that parameters are valid, and catches some errors. The SDK or tool can reject requests that aren't valid before sending requests to the AWS service endpoint.
+ **`false`** – The SDK or tool doesn't validate command line parameters before sending them to the AWS service endpoint. The AWS service endpoint is responsible for validating all requests and rejecting requests that aren't valid.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Partial | api\$1versions not supported. |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Partial | api\$1versions and parameter\$1validation not supported. |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Partial | api\$1versions and parameter\$1validation not supported. To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | No | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | No | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | No | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | No | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | No | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | No | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | No | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | No | |
# Host prefix injection
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
Host prefix injection is a feature where AWS SDKs automatically prepend a prefix to the hostname of service endpoints for certain API operations. This prefix can be either a static string or a dynamic value that includes data from your request parameters.
For example, when using Amazon Simple Storage Service to perform actions on Amazon S3 objects or buckets, the SDK replaces your bucket name and AWS account ID in the final API endpoint.
While this behavior is required for normal AWS service endpoints, it can cause problems when using custom endpoints such as VPC endpoints or local testing tools. In these cases, you might need to disable host prefix injection.
Configure this functionality by using the following:
**`disable_host_prefix_injection` - shared AWS `config` file setting`AWS_DISABLE_HOST_PREFIX_INJECTION` - environment variable`aws.disableHostPrefixInjection` - JVM system property: Java/Kotlin only**
This setting controls whether the SDK or tool will modify the endpoint hostname by prepending a host prefix as defined in your SDK's client object or variable.
**Default value:** `false`
**Valid values:**
+ **`true`** – Disable host prefix injection. The SDK will not modify the endpoint hostname.
+ **`false`** – Enable host prefix injection. The SDK will prepend the host prefix to the endpoint hostname.
Example of setting this value in the `config` file:
```
[default]
disable_host_prefix_injection = true
```
Linux/macOS example of setting environment variables via command line:
```
export AWS_DISABLE_HOST_PREFIX_INJECTION=true
```
Windows example of setting environment variables via command line:
```
setx AWS_DISABLE_HOST_PREFIX_INJECTION true
```
## Examples of host prefix injection
The following table of examples show how SDKs modify the final endpoint when host prefix injection is enabled and disabled.
+ **Host prefix**: The template of the host prefix property string set on the SDK's client object or variable in code.
+ **Inputs**: Additional inputs set on the SDK's client object or variable in code.
+ **Client endpoint**: The client's derived endpoint.
+ **Setting value**: Resolved value for the previous setting.
+ **Resulting endpoint**: The resulting endpoint the SDK client uses to make the API call.
| Host prefix | Inputs | Client endpoint | Setting value | Resulting endpoint |
| --- |--- |--- |--- |--- |
| "data." | \$1\$1 | "https://service.us-west-2.amazonaws.com" | false | "https://data.service.us-west-2.amazonaws.com" |
| "\$1Bucket\$1-\$1AccountId\$1." | Bucket: "amzn-s3-demo-bucket1", AccountId:"123456789012" | "https://service.us-west-2.amazonaws.com" | false | "https://amzn-s3-demo-bucket1-123456789012.service.us-west-2.amazonaws.com" |
| "data." | \$1\$1 | "https://override.us-west-2.amazonaws.com" (as an override endpoint) | true | "https://override.us-west-2.amazonaws.com" |
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | No | Setting not supported, but can be configured in code on the client using: [https://sdk.amazonaws.com/cpp/api/LATEST/aws-cpp-sdk-core/html/struct_aws_1_1_client_1_1_client_configuration.html](https://sdk.amazonaws.com/cpp/api/LATEST/aws-cpp-sdk-core/html/struct_aws_1_1_client_1_1_client_configuration.html). |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | No | Can be disabled [using middleware](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-endpoints.html). |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | No | Setting not supported, but can be configured in code on the client using: [https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/core/client/config/SdkAdvancedClientOption.html#DISABLE_HOST_PREFIX_INJECTION](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/core/client/config/SdkAdvancedClientOption.html#DISABLE_HOST_PREFIX_INJECTION). |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | Setting not supported, but can be configured in code on the client using: [https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html). |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | No | Setting not supported, but can be configured in code on the client using: [https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/s3-control/](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/s3-control/). |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | Setting not supported, but can be configured in code on the client using: [https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Config.html](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Config.html). |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | No | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | No | Setting not supported, but can be configured in code on the client using: [https://docs.aws.amazon.com/sdkfornet/v4/apidocs/items/Runtime/TClientConfig.html](https://docs.aws.amazon.com/sdkfornet/v4/apidocs/items/Runtime/TClientConfig.html). |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | No | Setting not supported, but can be configured in code on the client using: [https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Runtime/TClientConfig.html](https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/Runtime/TClientConfig.html). |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | No | Setting not supported, but can be configured in code on the client using: [https://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.AwsClient.html](https://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.AwsClient.html). |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | Can be configured in code on the client using: [https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html](https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html). |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | No | Setting not supported, but can be configured in code on the client using: [https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-core/lib/aws-sdk-core/plugins/endpoint_pattern.rb#L8](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-core/lib/aws-sdk-core/plugins/endpoint_pattern.rb#L8). |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | No | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | No | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | No | Setting not supported, but can be included in specific cmdlets using parameter -ClientConfig @\$1DisableHostPrefixInjection = \$1true\$1. |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | No | Setting not supported, but can be included in specific cmdlets using parameter -ClientConfig @\$1DisableHostPrefixInjection = \$1true\$1. |
# IMDS client
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
SDKs implement an Instance Metadata Service Version 2 (IMDSv2) client using session-oriented requests. For more information on IMDSv2, see [Use IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) in the *Amazon EC2 User Guide*. The IMDS client is configurable via a client configuration object available in the SDK code base.
Configure this functionality by using the following:
**`retries` - client configuration object member**
The number of additional retry attempts for any failed request.
**Default value:** 3
**Valid values:** Number greater than 0.
**`port` - client configuration object member**
The port for the endpoint.
**Default value:** 80
**Valid values:** Number.
**`token_ttl` - client configuration object member**
The TTL of the token.
**Default value:** 21,600 seconds (6 hours, the maximum time allotted).
**Valid values:** Number.
**`endpoint` - client configuration object member**
The endpoint of IMDS.
**Default value:** If `endpoint_mode` equals `IPv4`, then default endpoint is `http://169.254.169.254`. If `endpoint_mode` equals `IPv6`, then default endpoint is `http://[fd00:ec2::254]`.
**Valid values:** Valid URI.
The following options are supported by most SDKs. See your specific SDK code base for details.
**`endpoint_mode` - client configuration object member**
The endpoint mode of IMDS.
**Default value:** `IPv4`
**Valid values:** `IPv4`, `IPv6`
**`http_open_timeout` - client configuration object member (name may vary)**
The number of seconds to wait for the connection to open.
**Default value:** 1 second.
**Valid values:** Number greater than 0.
**`http_read_timeout` - client configuration object member (name may vary)**
The number of seconds for one chunk of data to be read.
**Default value:** 1 second.
**Valid values:** Number greater than 0.
**`http_debug_output` - client configuration object member (name may vary)**
Sets an output stream for debugging.
**Default value:** None.
**Valid values:** A valid I/O stream, like STDOUT.
**`backoff` - client configuration object member (name may vary)**
The number of seconds to sleep in between retries or a customer provided backoff function to call. This overrides the default exponential backoff strategy.
**Default value:** Varies by SDK.
**Valid values:** Varies by SDK. Can be either a numeric value or a call out to a custom function.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | No | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | No | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# Retry behavior
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
Retry behavior includes settings regarding how the SDKs attempt to recover from failures resulting from requests made to AWS services.
Configure this functionality by using the following:
**`retry_mode` - shared AWS `config` file setting`AWS_RETRY_MODE` - environment variable`aws.retryMode` - JVM system property: Java/Kotlin only**
Specifies how the SDK or developer tool attempts retries.
**Default value:** This value is specific to your SDK. Check your specific SDK guide or your SDK's code base for its default `retry_mode`.
**Valid values:**
+ `standard` – (Recommended) The recommended set of retry rules across AWS SDKs. This mode includes a standard set of errors that are retried, and automatically adjusts the number of retries to maximize availability and stability. This mode is safe for use in multi-tenant applications. The default maximum number of attempts with this mode is three, unless `max_attempts` is explicitly configured.
+ `adaptive` – A retry mode, appropriate only for specialized use-cases, that includes the functionality of standard mode as well as automatic client-side rate limiting. This retry mode is not recommended for multi-tenant applications, unless you take care to isolate application tenants. See [Choosing between `standard` and `adaptive` retry modes](#standardvsadaptive) for more information. This mode is experimental and it might change behavior in the future.
+ `legacy` – (Not Recommended) Specific to your SDK (check your specific SDK guide or your SDK's code base).
**`max_attempts` - shared AWS `config` file setting`AWS_MAX_ATTEMPTS` - environment variable`aws.maxAttempts` - JVM system property: Java/Kotlin only**
Specifies the maximum number attempts to make on a request.
**Default value:** If this value is not specified, its default depends on the value of the `retry_mode` setting:
+ If `retry_mode` is `legacy` – Uses a default value specific to your SDK (check your specific SDK guide or your SDK's code base for `max_attempts` default).
+ If `retry_mode` is `standard` – Makes three attempts.
+ If `retry_mode` is `adaptive` – Makes three attempts.
**Valid values:** Number greater than 0.
## Choosing between `standard` and `adaptive` retry modes
We recommend you use the `standard` retry mode unless you are certain that your usage is better suited for `adaptive`.
**Note**
The `adaptive` mode assumes that you are pooling clients based on the scope at which the backend service may throttle requests. If you don't do this, throttles in one resource could delay requests for an unrelated resource if you are using the same client for both resources.
| Standard | Adaptive |
| --- | --- |
| Application use-cases: All. | Application use-cases: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/sdkref/latest/guide/feature-retry-behavior.html) |
| Supports circuit-breaking to prevent the SDK from retrying during outages. | Supports circuit-breaking to prevent the SDK from retrying during outages. |
| Uses jittered exponential backoff in the event of failures. | Uses dynamic backoff durations to attempt to minimize the number of failed requests, in exchange for the potential for increased latency. |
| Never delays the first request attempt, only the retries. | Can throttle or delay the initial request attempt. |
If you choose to use `adaptive` mode, your application must construct clients that are designed around each resource that might be throttled. A resource, in this case, is finer-tuned than just thinking of each AWS service. AWS services can have additional dimensions that they use to throttle requests. Let's use the Amazon DynamoDB service as an example. DynamoDB uses AWS Region plus the table being accessed to throttle requests. This means that one table that your code is accessing might be throttled more than others. If your code used the same client to access all the tables, and requests to one of those tables is throttled, then adaptive retry mode will reduce the request rate for all tables. Your code should be designed to have one client per Region-and-table pair. If you experience unexpected latency when using `adaptive` mode, see the specific AWS documentation guide for the service you are using.
## Retry mode implementation details
The AWS SDKs make use of [token buckets](https://en.wikipedia.org/wiki/Token_bucket) to decide whether a request should be retried and (in the case of the `adaptive` retry mode) how quickly requests should be sent. Two token buckets are used by the SDK: a retry token bucket and a request rate token bucket.
+ The retry token bucket is used to determine whether the SDK should temporarily disable retries in order to protect the upstream and downstream services during outages. Tokens are acquired from the bucket before retries are attempted, and tokens are returned to the bucket when requests succeed. If the bucket is empty when a retry is attempted, the SDK will not retry the request.
+ The request rate token bucket is used only in the `adaptive` retry mode to determine the rate at which to send requests. Tokens are acquired from the bucket before a request is sent, and tokens are returned to the bucket at a dynamically-determined rate based on throttling responses returned by the service.
Following is the high-level pseudocode for both the `standard` and `adaptive` retry modes:
```
MakeSDKRequest() {
attempts = 0
loop {
GetSendToken()
response = SendHTTPRequest()
RequestBookkeeping(response)
if not Retryable(response)
return response
attempts += 1
if attempts >= MAX_ATTEMPTS:
return response
if not HasRetryQuota(response)
return response
delay = ExponentialBackoff(attempts)
sleep(delay)
}
}
```
Following are more details about the components used in the pseudocode:
**`GetSendToken`:**
This step is only used in `adaptive` retry mode. This step acquires a token from the request rate token bucket. If a token is not available, it will wait for one to become available. Your SDK might have configuration options available to fail the request instead of wait. Tokens in the bucket are refilled at a rate that is determined dynamically, based on the number of throttling responses received by the client.
**`SendHTTPRequest`:**
This step sends the request to AWS. Most AWS SDKs use an HTTP library that uses connection pools to reuse an existing connection when making an HTTP request. Generally, connections are reused if a request failed due to throttling errors but not if a request fails due to a transient error.
**`RequestBookkeeping`:**
Tokens are added to the token bucket if the request is successful. For `adaptive` retry mode only, the fill rate of the request rate token bucket is updated based on the type of response received.
**`Retryable`:**
This step determines whether a response can be retried based on the following:
+ The HTTP status code.
+ The error code returned from the service.
+ Connection errors, defined as any error received by the SDK in which an HTTP response from the service is not received.
Transient errors (HTTP status codes 400, 408, 500, 502, 503, and 504) and throttling errors (HTTP status codes 400, 403, 429, 502, 503, and 509) can all potentially be retried. SDK retry behavior is determined in combination with error codes or other data from the service.
**`MAX_ATTEMPTS`:**
The default number of maximum attempts is set by the `retry_mode` setting, unless overridden by the `max_attempts` setting.
**`HasRetryQuota`**
This step acquires a token from the retry token bucket. If the retry token bucket is empty, the request will not be retried.
**`ExponentialBackoff`**
For an error that can be retried, the retry delay is calculated using truncated exponential backoff. The SDKs use truncated binary exponential backoff with jitter. The following algorithm shows how the amount of time to sleep, in seconds, is defined for a response for request `i`:
```
seconds_to_sleep_i = min(b*r^i, MAX_BACKOFF)
```
In the preceding algorithm, the following values apply:
`b = random number within the range of: 0 <= b <= 1`
`r = 2`
`MAX_BACKOFF = 20 seconds` for most SDKs. See your specific SDK guide or source code for confirmation.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | JVM system properties: use com.amazonaws.sdk.maxAttempts instead of aws.maxAttempts; use com.amazonaws.sdk.retryMode instead of aws.retryMode. |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | Supports a maximum number of retries, exponential backoff with jitter, and an option for a custom method for retry backoff. |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# Request compression
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
AWS SDKs and tools can automatically compress payloads when sending requests to AWS services that support receiving compressed payloads. Compressing the payload on the client prior to sending it to a service may reduce the overall number of requests and bandwidth required to send data to the service, as well as reduce unsuccessful requests due to service limitations on the payload size. For compression, the SDK or tool selects an encoding algorithm that is supported by both the service and the SDK. However, the current list of possible encodings consists only of gzip, but it may expand in the future.
Request compression can be especially useful if your application is using [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/). CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events. One example of a service operation that supports compression is CloudWatch's [PutMetricDataAPI](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_PutMetricData.html) method.
Configure this functionality by using the following:
**`disable_request_compression` - shared AWS `config` file setting`AWS_DISABLE_REQUEST_COMPRESSION` - environment variable`aws.disableRequestCompression` - JVM system property: Java/Kotlin only**
Turns on or off whether the SDK or tool will compress a payload prior to sending a request.
**Default value:** `false`
**Valid values:**
+ **`true`** – Turn off request compression.
+ **`false`** – Use request compression when possible.
**`request_min_compression_size_bytes` - shared AWS `config` file setting`AWS_REQUEST_MIN_COMPRESSION_SIZE_BYTES` - environment variable`aws.requestMinCompressionSizeBytes` - JVM system property: Java/Kotlin only**
Sets the minimum size in bytes of the request body that the SDK or tool should compress. Small payloads may become longer when compressed, thus, there is a lower limit where it makes sense to perform compression. This value is inclusive, a request size greater than or equal to the value is compressed.
**Default value:** 10240 bytes
**Valid values:** Integer value between 0 and 10485760 bytes inclusive.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | No | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# Service-specific endpoints
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
Service-specific endpoint configuration provides the option to use an endpoint of your choosing for API requests and to have that choice persist. These settings provide flexibility to support local endpoints, VPC endpoints, and third-party local AWS development environments. Different endpoints can be used for testing and production environments. You can specify an endpoint URL for individual AWS services.
Configure this functionality by using the following:
**`endpoint_url` - shared AWS `config` file setting`AWS_ENDPOINT_URL` - environment variable`aws.endpointUrl` - JVM system property: Java/Kotlin only**
When specified directly within a profile or as an environment variable, this setting specifies the endpoint that is used for all service requests. This endpoint is overridden by any configured service-specific endpoint.
You can also use this setting within a `services` section of a shared AWS `config` file to set a custom endpoint for a specific service. For a list of all service identifier keys to use for subsections within the `services` section, see [Identifiers for service-specific endpoints](ss-endpoints-table.md).
**Default value:** `none`
**Valid values:** A URL including the scheme and host for the endpoint. The URL can optionally contain a path component that contains one or more path segments.
**`AWS_ENDPOINT_URL_` - environment variable`aws.endpointUrl` - JVM system property: Java/Kotlin only**
`AWS_ENDPOINT_URL_`, where `` is the AWS service identifier, sets a custom endpoint for a specific service. For a list of all service-specific environment variables, see [Identifiers for service-specific endpoints](ss-endpoints-table.md).
This service-specific endpoint overrides any global endpoint set in `AWS_ENDPOINT_URL`.
**Default value:** `none`
**Valid values:** A URL including the scheme and host for the endpoint. The URL can optionally contain a path component that contains one or more path segments.
**`ignore_configured_endpoint_urls` - shared AWS `config` file setting`AWS_IGNORE_CONFIGURED_ENDPOINT_URLS` - environment variable`aws.ignoreConfiguredEndpointUrls` - JVM system property: Java/Kotlin only**
This setting is used to ignore all custom endpoints configurations.
Note that any explicit endpoint set in the code or on a service client itself is used regardless of this setting. For example, including the `--endpoint-url` command line parameter with an AWS CLI command or passing an endpoint URL into a client constructor will always take effect.
**Default value:** `false`
**Valid values:**
+ **`true`** – The SDK or tool does not read any custom configuration options from the shared `config` file or from environment variables for setting an endpoint URL.
+ **`false`** – The SDK or tool uses any available user-provided endpoints from the shared `config` file or from environment variables.
## Configure endpoints using environment variables
To route requests for all services to a custom endpoint URL, set the `AWS_ENDPOINT_URL` global environment variable.
```
export AWS_ENDPOINT_URL=http://localhost:4567
```
To route requests for a specific AWS service to a custom endpoint URL, use the `AWS_ENDPOINT_URL_` environment variable. Amazon DynamoDB has a `serviceId` of [https://github.com/boto/botocore/blob/bcaf618c4b93c067efa0b85d3e92f3985ff60906/botocore/data/dynamodb/2012-08-10/service-2.json#L10](https://github.com/boto/botocore/blob/bcaf618c4b93c067efa0b85d3e92f3985ff60906/botocore/data/dynamodb/2012-08-10/service-2.json#L10). For this service, the endpoint URL environment variable is `AWS_ENDPOINT_URL_DYNAMODB`. This endpoint takes precedence over the global endpoint set in `AWS_ENDPOINT_URL` for this service.
```
export AWS_ENDPOINT_URL_DYNAMODB=http://localhost:5678
```
As another example, AWS Elastic Beanstalk has a `serviceId` of [https://github.com/boto/botocore/blob/bcaf618c4b93c067efa0b85d3e92f3985ff60906/botocore/data/elasticbeanstalk/2010-12-01/service-2.json#L9](https://github.com/boto/botocore/blob/bcaf618c4b93c067efa0b85d3e92f3985ff60906/botocore/data/elasticbeanstalk/2010-12-01/service-2.json#L9). The AWS service identifier is based on the API model's `serviceId` by replacing all spaces with underscores and uppercasing all letters. To set the endpoint for this service, the corresponding environment variable is `AWS_ENDPOINT_URL_ELASTIC_BEANSTALK`. For a list of all service-specific environment variables, see [Identifiers for service-specific endpoints](ss-endpoints-table.md).
```
export AWS_ENDPOINT_URL_ELASTIC_BEANSTALK=http://localhost:5567
```
## Configure endpoints using the shared `config` file
In the shared `config` file, `endpoint_url` is used in different places for different functionality.
+ `endpoint_url` specified directly within a `profile` makes that endpoint the global endpoint.
+ `endpoint_url` nested under a service identifier key within a `services` section makes that endpoint apply to requests made only to that service. For details on defining a `services` section in your shared `config` file, see [Format of the config file](file-format.md#file-format-config).
The following example uses a `services` definition to configure a service-specific endpoint URL to be used for Amazon S3 and a custom global endpoint to be used for all other services:
```
[profile dev-s3-specific-and-global]
endpoint_url = http://localhost:1234
services = s3-specific
[services s3-specific]
s3 =
endpoint_url = https://play.min.io:9000
```
A single profile can configure endpoints for multiple services. This example shows how to set the service-specific endpoint URLs for Amazon S3 and AWS Elastic Beanstalk in the same profile. AWS Elastic Beanstalk has a `serviceId` of [https://github.com/boto/botocore/blob/bcaf618c4b93c067efa0b85d3e92f3985ff60906/botocore/data/elasticbeanstalk/2010-12-01/service-2.json#L9](https://github.com/boto/botocore/blob/bcaf618c4b93c067efa0b85d3e92f3985ff60906/botocore/data/elasticbeanstalk/2010-12-01/service-2.json#L9). The AWS service identifier is based on the API model's `serviceId` by replacing all spaces with underscores and lowercasing all letters. Thus, the service identifier key becomes `elastic_beanstalk` and settings for this service begin on the line `elastic_beanstalk = `. For a list of all service identifier keys to use in the `services` section, see [Identifiers for service-specific endpoints](ss-endpoints-table.md).
```
[services testing-s3-and-eb]
s3 =
endpoint_url = http://localhost:4567
elastic_beanstalk =
endpoint_url = http://localhost:8000
[profile dev]
services = testing-s3-and-eb
```
The service configuration section can be used from multiple profiles. For example, two profiles can use the same `services` definition while altering other profile properties:
```
[services testing-s3]
s3 =
endpoint_url = https://localhost:4567
[profile testing-json]
output = json
services = testing-s3
[profile testing-text]
output = text
services = testing-s3
```
## Configure endpoints in profiles using role-based credentials
If your profile has role-based credentials configured through a `source_profile` parameter for IAM assume role functionality, the SDK only uses service configurations for the specified profile. It does not use profiles that are role chained to it. For example, using the following shared `config` file:
```
[profile A]
credential_source = Ec2InstanceMetadata
endpoint_url = https://profile-a-endpoint.aws/
[profile B]
source_profile = A
role_arn = arn:aws:iam::123456789012:role/roleB
services = profileB
[services profileB]
ec2 =
endpoint_url = https://profile-b-ec2-endpoint.aws
```
If you use profile `B` and make a call in your code to Amazon EC2, the endpoint resolves as `https://profile-b-ec2-endpoint.aws`. If your code makes a request to any other service, the endpoint resolution will not follow any custom logic. The endpoint does not resolve to the global endpoint defined in profile `A`. For a global endpoint to take effect for profile `B`, you would need to set `endpoint_url` directly within profile `B`. For more information on the `source_profile` setting, see [Assume role credential provider](feature-assume-role-credentials.md).
## Precedence of settings
The settings for this feature can be used at the same time but only one value will take priority per service. For API calls made to a given AWS service, the following order is used to select a value:
1. Any explicit setting set in the code or on a service client itself takes precedence over anything else.
+ For the AWS CLI, this is the value provided by the `--endpoint-url` command line parameter. For an SDK, explicit assignments can take the form of a parameter that you set when you instantiate an AWS service client or configuration object.
1. The value provided by a service-specific environment variable such as `AWS_ENDPOINT_URL_DYNAMODB`.
1. The value provided by the `AWS_ENDPOINT_URL` global endpoint environment variable.
1. The value provided by the `endpoint_url` setting nested under a service identifier key within a `services` section of the shared `config` file.
1. The value provided by the `endpoint_url` setting specified directly within a `profile` of the shared `config` file.
1. Any default endpoint URL for the respective AWS service is used last.
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | |
# Identifiers for service-specific endpoints
For information on how and where to use the identifiers in the following table, see [Service-specific endpoints](feature-ss-endpoints.md).
| `serviceId` | Service identifier key for shared AWS `config` file | `AWS_ENDPOINT_URL_` environment variable |
| --- | --- | --- |
| AccessAnalyzer | accessanalyzer | AWS\$1ENDPOINT\$1URL\$1ACCESSANALYZER |
| Account | account | AWS\$1ENDPOINT\$1URL\$1ACCOUNT |
| ACM | acm | AWS\$1ENDPOINT\$1URL\$1ACM |
| ACM PCA | acm\$1pca | AWS\$1ENDPOINT\$1URL\$1ACM\$1PCA |
| Alexa For Business | alexa\$1for\$1business | AWS\$1ENDPOINT\$1URL\$1ALEXA\$1FOR\$1BUSINESS |
| amp | amp | AWS\$1ENDPOINT\$1URL\$1AMP |
| Amplify | amplify | AWS\$1ENDPOINT\$1URL\$1AMPLIFY |
| AmplifyBackend | amplifybackend | AWS\$1ENDPOINT\$1URL\$1AMPLIFYBACKEND |
| AmplifyUIBuilder | amplifyuibuilder | AWS\$1ENDPOINT\$1URL\$1AMPLIFYUIBUILDER |
| API Gateway | api\$1gateway | AWS\$1ENDPOINT\$1URL\$1API\$1GATEWAY |
| ApiGatewayManagementApi | apigatewaymanagementapi | AWS\$1ENDPOINT\$1URL\$1APIGATEWAYMANAGEMENTAPI |
| ApiGatewayV2 | apigatewayv2 | AWS\$1ENDPOINT\$1URL\$1APIGATEWAYV2 |
| AppConfig | appconfig | AWS\$1ENDPOINT\$1URL\$1APPCONFIG |
| AppConfigData | appconfigdata | AWS\$1ENDPOINT\$1URL\$1APPCONFIGDATA |
| AppFabric | appfabric | AWS\$1ENDPOINT\$1URL\$1APPFABRIC |
| Appflow | appflow | AWS\$1ENDPOINT\$1URL\$1APPFLOW |
| AppIntegrations | appintegrations | AWS\$1ENDPOINT\$1URL\$1APPINTEGRATIONS |
| Application Auto Scaling | application\$1auto\$1scaling | AWS\$1ENDPOINT\$1URL\$1APPLICATION\$1AUTO\$1SCALING |
| Application Insights | application\$1insights | AWS\$1ENDPOINT\$1URL\$1APPLICATION\$1INSIGHTS |
| ApplicationCostProfiler | applicationcostprofiler | AWS\$1ENDPOINT\$1URL\$1APPLICATIONCOSTPROFILER |
| App Mesh | app\$1mesh | AWS\$1ENDPOINT\$1URL\$1APP\$1MESH |
| AppRunner | apprunner | AWS\$1ENDPOINT\$1URL\$1APPRUNNER |
| AppStream | appstream | AWS\$1ENDPOINT\$1URL\$1APPSTREAM |
| AppSync | appsync | AWS\$1ENDPOINT\$1URL\$1APPSYNC |
| ARC Zonal Shift | arc\$1zonal\$1shift | AWS\$1ENDPOINT\$1URL\$1ARC\$1ZONAL\$1SHIFT |
| Artifact | artifact | AWS\$1ENDPOINT\$1URL\$1ARTIFACT |
| Athena | athena | AWS\$1ENDPOINT\$1URL\$1ATHENA |
| AuditManager | auditmanager | AWS\$1ENDPOINT\$1URL\$1AUDITMANAGER |
| Auto Scaling | auto\$1scaling | AWS\$1ENDPOINT\$1URL\$1AUTO\$1SCALING |
| Auto Scaling Plans | auto\$1scaling\$1plans | AWS\$1ENDPOINT\$1URL\$1AUTO\$1SCALING\$1PLANS |
| b2bi | b2bi | AWS\$1ENDPOINT\$1URL\$1B2BI |
| Backup | backup | AWS\$1ENDPOINT\$1URL\$1BACKUP |
| Backup Gateway | backup\$1gateway | AWS\$1ENDPOINT\$1URL\$1BACKUP\$1GATEWAY |
| BackupStorage | backupstorage | AWS\$1ENDPOINT\$1URL\$1BACKUPSTORAGE |
| Batch | batch | AWS\$1ENDPOINT\$1URL\$1BATCH |
| BCM Data Exports | bcm\$1data\$1exports | AWS\$1ENDPOINT\$1URL\$1BCM\$1DATA\$1EXPORTS |
| Bedrock | bedrock | AWS\$1ENDPOINT\$1URL\$1BEDROCK |
| Bedrock Agent | bedrock\$1agent | AWS\$1ENDPOINT\$1URL\$1BEDROCK\$1AGENT |
| Bedrock Agent Runtime | bedrock\$1agent\$1runtime | AWS\$1ENDPOINT\$1URL\$1BEDROCK\$1AGENT\$1RUNTIME |
| Bedrock Runtime | bedrock\$1runtime | AWS\$1ENDPOINT\$1URL\$1BEDROCK\$1RUNTIME |
| billingconductor | billingconductor | AWS\$1ENDPOINT\$1URL\$1BILLINGCONDUCTOR |
| Braket | braket | AWS\$1ENDPOINT\$1URL\$1BRAKET |
| Budgets | budgets | AWS\$1ENDPOINT\$1URL\$1BUDGETS |
| Cost Explorer | cost\$1explorer | AWS\$1ENDPOINT\$1URL\$1COST\$1EXPLORER |
| chatbot | chatbot | AWS\$1ENDPOINT\$1URL\$1CHATBOT |
| Chime | chime | AWS\$1ENDPOINT\$1URL\$1CHIME |
| Chime SDK Identity | chime\$1sdk\$1identity | AWS\$1ENDPOINT\$1URL\$1CHIME\$1SDK\$1IDENTITY |
| Chime SDK Media Pipelines | chime\$1sdk\$1media\$1pipelines | AWS\$1ENDPOINT\$1URL\$1CHIME\$1SDK\$1MEDIA\$1PIPELINES |
| Chime SDK Meetings | chime\$1sdk\$1meetings | AWS\$1ENDPOINT\$1URL\$1CHIME\$1SDK\$1MEETINGS |
| Chime SDK Messaging | chime\$1sdk\$1messaging | AWS\$1ENDPOINT\$1URL\$1CHIME\$1SDK\$1MESSAGING |
| Chime SDK Voice | chime\$1sdk\$1voice | AWS\$1ENDPOINT\$1URL\$1CHIME\$1SDK\$1VOICE |
| CleanRooms | cleanrooms | AWS\$1ENDPOINT\$1URL\$1CLEANROOMS |
| CleanRoomsML | cleanroomsml | AWS\$1ENDPOINT\$1URL\$1CLEANROOMSML |
| Cloud9 | cloud9 | AWS\$1ENDPOINT\$1URL\$1CLOUD9 |
| CloudControl | cloudcontrol | AWS\$1ENDPOINT\$1URL\$1CLOUDCONTROL |
| CloudDirectory | clouddirectory | AWS\$1ENDPOINT\$1URL\$1CLOUDDIRECTORY |
| CloudFormation | cloudformation | AWS\$1ENDPOINT\$1URL\$1CLOUDFORMATION |
| CloudFront | cloudfront | AWS\$1ENDPOINT\$1URL\$1CLOUDFRONT |
| CloudFront KeyValueStore | cloudfront\$1keyvaluestore | AWS\$1ENDPOINT\$1URL\$1CLOUDFRONT\$1KEYVALUESTORE |
| CloudHSM | cloudhsm | AWS\$1ENDPOINT\$1URL\$1CLOUDHSM |
| CloudHSM V2 | cloudhsm\$1v2 | AWS\$1ENDPOINT\$1URL\$1CLOUDHSM\$1V2 |
| CloudSearch | cloudsearch | AWS\$1ENDPOINT\$1URL\$1CLOUDSEARCH |
| CloudSearch Domain | cloudsearch\$1domain | AWS\$1ENDPOINT\$1URL\$1CLOUDSEARCH\$1DOMAIN |
| CloudTrail | cloudtrail | AWS\$1ENDPOINT\$1URL\$1CLOUDTRAIL |
| CloudTrail Data | cloudtrail\$1data | AWS\$1ENDPOINT\$1URL\$1CLOUDTRAIL\$1DATA |
| CloudWatch | cloudwatch | AWS\$1ENDPOINT\$1URL\$1CLOUDWATCH |
| codeartifact | codeartifact | AWS\$1ENDPOINT\$1URL\$1CODEARTIFACT |
| CodeBuild | codebuild | AWS\$1ENDPOINT\$1URL\$1CODEBUILD |
| CodeCatalyst | codecatalyst | AWS\$1ENDPOINT\$1URL\$1CODECATALYST |
| CodeCommit | codecommit | AWS\$1ENDPOINT\$1URL\$1CODECOMMIT |
| CodeDeploy | codedeploy | AWS\$1ENDPOINT\$1URL\$1CODEDEPLOY |
| CodeGuru Reviewer | codeguru\$1reviewer | AWS\$1ENDPOINT\$1URL\$1CODEGURU\$1REVIEWER |
| CodeGuru Security | codeguru\$1security | AWS\$1ENDPOINT\$1URL\$1CODEGURU\$1SECURITY |
| CodeGuruProfiler | codeguruprofiler | AWS\$1ENDPOINT\$1URL\$1CODEGURUPROFILER |
| CodePipeline | codepipeline | AWS\$1ENDPOINT\$1URL\$1CODEPIPELINE |
| CodeStar | codestar | AWS\$1ENDPOINT\$1URL\$1CODESTAR |
| CodeStar connections | codestar\$1connections | AWS\$1ENDPOINT\$1URL\$1CODESTAR\$1CONNECTIONS |
| codestar notifications | codestar\$1notifications | AWS\$1ENDPOINT\$1URL\$1CODESTAR\$1NOTIFICATIONS |
| Cognito Identity | cognito\$1identity | AWS\$1ENDPOINT\$1URL\$1COGNITO\$1IDENTITY |
| Cognito Identity Provider | cognito\$1identity\$1provider | AWS\$1ENDPOINT\$1URL\$1COGNITO\$1IDENTITY\$1PROVIDER |
| Cognito Sync | cognito\$1sync | AWS\$1ENDPOINT\$1URL\$1COGNITO\$1SYNC |
| Comprehend | comprehend | AWS\$1ENDPOINT\$1URL\$1COMPREHEND |
| ComprehendMedical | comprehendmedical | AWS\$1ENDPOINT\$1URL\$1COMPREHENDMEDICAL |
| Compute Optimizer | compute\$1optimizer | AWS\$1ENDPOINT\$1URL\$1COMPUTE\$1OPTIMIZER |
| Config Service | config\$1service | AWS\$1ENDPOINT\$1URL\$1CONFIG\$1SERVICE |
| Connect | connect | AWS\$1ENDPOINT\$1URL\$1CONNECT |
| Connect Contact Lens | connect\$1contact\$1lens | AWS\$1ENDPOINT\$1URL\$1CONNECT\$1CONTACT\$1LENS |
| ConnectCampaigns | connectcampaigns | AWS\$1ENDPOINT\$1URL\$1CONNECTCAMPAIGNS |
| ConnectCases | connectcases | AWS\$1ENDPOINT\$1URL\$1CONNECTCASES |
| ConnectParticipant | connectparticipant | AWS\$1ENDPOINT\$1URL\$1CONNECTPARTICIPANT |
| ControlTower | controltower | AWS\$1ENDPOINT\$1URL\$1CONTROLTOWER |
| Cost Optimization Hub | cost\$1optimization\$1hub | AWS\$1ENDPOINT\$1URL\$1COST\$1OPTIMIZATION\$1HUB |
| Cost and Usage Report Service | cost\$1and\$1usage\$1report\$1service | AWS\$1ENDPOINT\$1URL\$1COST\$1AND\$1USAGE\$1REPORT\$1SERVICE |
| Customer Profiles | customer\$1profiles | AWS\$1ENDPOINT\$1URL\$1CUSTOMER\$1PROFILES |
| DataBrew | databrew | AWS\$1ENDPOINT\$1URL\$1DATABREW |
| DataExchange | dataexchange | AWS\$1ENDPOINT\$1URL\$1DATAEXCHANGE |
| Data Pipeline | data\$1pipeline | AWS\$1ENDPOINT\$1URL\$1DATA\$1PIPELINE |
| DataSync | datasync | AWS\$1ENDPOINT\$1URL\$1DATASYNC |
| DataZone | datazone | AWS\$1ENDPOINT\$1URL\$1DATAZONE |
| DAX | dax | AWS\$1ENDPOINT\$1URL\$1DAX |
| Detective | detective | AWS\$1ENDPOINT\$1URL\$1DETECTIVE |
| Device Farm | device\$1farm | AWS\$1ENDPOINT\$1URL\$1DEVICE\$1FARM |
| DevOps Guru | devops\$1guru | AWS\$1ENDPOINT\$1URL\$1DEVOPS\$1GURU |
| Direct Connect | direct\$1connect | AWS\$1ENDPOINT\$1URL\$1DIRECT\$1CONNECT |
| Application Discovery Service | application\$1discovery\$1service | AWS\$1ENDPOINT\$1URL\$1APPLICATION\$1DISCOVERY\$1SERVICE |
| DLM | dlm | AWS\$1ENDPOINT\$1URL\$1DLM |
| Database Migration Service | database\$1migration\$1service | AWS\$1ENDPOINT\$1URL\$1DATABASE\$1MIGRATION\$1SERVICE |
| DocDB | docdb | AWS\$1ENDPOINT\$1URL\$1DOCDB |
| DocDB Elastic | docdb\$1elastic | AWS\$1ENDPOINT\$1URL\$1DOCDB\$1ELASTIC |
| drs | drs | AWS\$1ENDPOINT\$1URL\$1DRS |
| Directory Service | directory\$1service | AWS\$1ENDPOINT\$1URL\$1DIRECTORY\$1SERVICE |
| DynamoDB | dynamodb | AWS\$1ENDPOINT\$1URL\$1DYNAMODB |
| DynamoDB Streams | dynamodb\$1streams | AWS\$1ENDPOINT\$1URL\$1DYNAMODB\$1STREAMS |
| EBS | ebs | AWS\$1ENDPOINT\$1URL\$1EBS |
| EC2 | ec2 | AWS\$1ENDPOINT\$1URL\$1EC2 |
| EC2 Instance Connect | ec2\$1instance\$1connect | AWS\$1ENDPOINT\$1URL\$1EC2\$1INSTANCE\$1CONNECT |
| ECR | ecr | AWS\$1ENDPOINT\$1URL\$1ECR |
| ECR PUBLIC | ecr\$1public | AWS\$1ENDPOINT\$1URL\$1ECR\$1PUBLIC |
| ECS | ecs | AWS\$1ENDPOINT\$1URL\$1ECS |
| EFS | efs | AWS\$1ENDPOINT\$1URL\$1EFS |
| EKS | eks | AWS\$1ENDPOINT\$1URL\$1EKS |
| EKS Auth | eks\$1auth | AWS\$1ENDPOINT\$1URL\$1EKS\$1AUTH |
| Elastic Inference | elastic\$1inference | AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1INFERENCE |
| ElastiCache | elasticache | AWS\$1ENDPOINT\$1URL\$1ELASTICACHE |
| Elastic Beanstalk | elastic\$1beanstalk | AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1BEANSTALK |
| Elastic Transcoder | elastic\$1transcoder | AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1TRANSCODER |
| Elastic Load Balancing | elastic\$1load\$1balancing | AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1LOAD\$1BALANCING |
| Elastic Load Balancing v2 | elastic\$1load\$1balancing\$1v2 | AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1LOAD\$1BALANCING\$1V2 |
| EMR | emr | AWS\$1ENDPOINT\$1URL\$1EMR |
| EMR containers | emr\$1containers | AWS\$1ENDPOINT\$1URL\$1EMR\$1CONTAINERS |
| EMR Serverless | emr\$1serverless | AWS\$1ENDPOINT\$1URL\$1EMR\$1SERVERLESS |
| EntityResolution | entityresolution | AWS\$1ENDPOINT\$1URL\$1ENTITYRESOLUTION |
| Elasticsearch Service | elasticsearch\$1service | AWS\$1ENDPOINT\$1URL\$1ELASTICSEARCH\$1SERVICE |
| EventBridge | eventbridge | AWS\$1ENDPOINT\$1URL\$1EVENTBRIDGE |
| Evidently | evidently | AWS\$1ENDPOINT\$1URL\$1EVIDENTLY |
| finspace | finspace | AWS\$1ENDPOINT\$1URL\$1FINSPACE |
| finspace data | finspace\$1data | AWS\$1ENDPOINT\$1URL\$1FINSPACE\$1DATA |
| Firehose | firehose | AWS\$1ENDPOINT\$1URL\$1FIREHOSE |
| fis | fis | AWS\$1ENDPOINT\$1URL\$1FIS |
| FMS | fms | AWS\$1ENDPOINT\$1URL\$1FMS |
| forecast | forecast | AWS\$1ENDPOINT\$1URL\$1FORECAST |
| forecastquery | forecastquery | AWS\$1ENDPOINT\$1URL\$1FORECASTQUERY |
| FraudDetector | frauddetector | AWS\$1ENDPOINT\$1URL\$1FRAUDDETECTOR |
| FreeTier | freetier | AWS\$1ENDPOINT\$1URL\$1FREETIER |
| FSx | fsx | AWS\$1ENDPOINT\$1URL\$1FSX |
| GameLift | gamelift | AWS\$1ENDPOINT\$1URL\$1GAMELIFT |
| Glacier | glacier | AWS\$1ENDPOINT\$1URL\$1GLACIER |
| Global Accelerator | global\$1accelerator | AWS\$1ENDPOINT\$1URL\$1GLOBAL\$1ACCELERATOR |
| Glue | glue | AWS\$1ENDPOINT\$1URL\$1GLUE |
| grafana | grafana | AWS\$1ENDPOINT\$1URL\$1GRAFANA |
| Greengrass | greengrass | AWS\$1ENDPOINT\$1URL\$1GREENGRASS |
| GreengrassV2 | greengrassv2 | AWS\$1ENDPOINT\$1URL\$1GREENGRASSV2 |
| GroundStation | groundstation | AWS\$1ENDPOINT\$1URL\$1GROUNDSTATION |
| GuardDuty | guardduty | AWS\$1ENDPOINT\$1URL\$1GUARDDUTY |
| Health | health | AWS\$1ENDPOINT\$1URL\$1HEALTH |
| HealthLake | healthlake | AWS\$1ENDPOINT\$1URL\$1HEALTHLAKE |
| Honeycode | honeycode | AWS\$1ENDPOINT\$1URL\$1HONEYCODE |
| IAM | iam | AWS\$1ENDPOINT\$1URL\$1IAM |
| identitystore | identitystore | AWS\$1ENDPOINT\$1URL\$1IDENTITYSTORE |
| imagebuilder | imagebuilder | AWS\$1ENDPOINT\$1URL\$1IMAGEBUILDER |
| ImportExport | importexport | AWS\$1ENDPOINT\$1URL\$1IMPORTEXPORT |
| Inspector | inspector | AWS\$1ENDPOINT\$1URL\$1INSPECTOR |
| Inspector Scan | inspector\$1scan | AWS\$1ENDPOINT\$1URL\$1INSPECTOR\$1SCAN |
| Inspector2 | inspector2 | AWS\$1ENDPOINT\$1URL\$1INSPECTOR2 |
| InternetMonitor | internetmonitor | AWS\$1ENDPOINT\$1URL\$1INTERNETMONITOR |
| IoT | iot | AWS\$1ENDPOINT\$1URL\$1IOT |
| IoT Data Plane | iot\$1data\$1plane | AWS\$1ENDPOINT\$1URL\$1IOT\$1DATA\$1PLANE |
| IoT Jobs Data Plane | iot\$1jobs\$1data\$1plane | AWS\$1ENDPOINT\$1URL\$1IOT\$1JOBS\$1DATA\$1PLANE |
| IoT 1Click Devices Service | iot\$11click\$1devices\$1service | AWS\$1ENDPOINT\$1URL\$1IOT\$11CLICK\$1DEVICES\$1SERVICE |
| IoT 1Click Projects | iot\$11click\$1projects | AWS\$1ENDPOINT\$1URL\$1IOT\$11CLICK\$1PROJECTS |
| IoTAnalytics | iotanalytics | AWS\$1ENDPOINT\$1URL\$1IOTANALYTICS |
| IotDeviceAdvisor | iotdeviceadvisor | AWS\$1ENDPOINT\$1URL\$1IOTDEVICEADVISOR |
| IoT Events | iot\$1events | AWS\$1ENDPOINT\$1URL\$1IOT\$1EVENTS |
| IoT Events Data | iot\$1events\$1data | AWS\$1ENDPOINT\$1URL\$1IOT\$1EVENTS\$1DATA |
| IoTFleetHub | iotfleethub | AWS\$1ENDPOINT\$1URL\$1IOTFLEETHUB |
| IoTFleetWise | iotfleetwise | AWS\$1ENDPOINT\$1URL\$1IOTFLEETWISE |
| IoTSecureTunneling | iotsecuretunneling | AWS\$1ENDPOINT\$1URL\$1IOTSECURETUNNELING |
| IoTSiteWise | iotsitewise | AWS\$1ENDPOINT\$1URL\$1IOTSITEWISE |
| IoTThingsGraph | iotthingsgraph | AWS\$1ENDPOINT\$1URL\$1IOTTHINGSGRAPH |
| IoTTwinMaker | iottwinmaker | AWS\$1ENDPOINT\$1URL\$1IOTTWINMAKER |
| IoT Wireless | iot\$1wireless | AWS\$1ENDPOINT\$1URL\$1IOT\$1WIRELESS |
| ivs | ivs | AWS\$1ENDPOINT\$1URL\$1IVS |
| IVS RealTime | ivs\$1realtime | AWS\$1ENDPOINT\$1URL\$1IVS\$1REALTIME |
| ivschat | ivschat | AWS\$1ENDPOINT\$1URL\$1IVSCHAT |
| Kafka | kafka | AWS\$1ENDPOINT\$1URL\$1KAFKA |
| KafkaConnect | kafkaconnect | AWS\$1ENDPOINT\$1URL\$1KAFKACONNECT |
| kendra | kendra | AWS\$1ENDPOINT\$1URL\$1KENDRA |
| Kendra Ranking | kendra\$1ranking | AWS\$1ENDPOINT\$1URL\$1KENDRA\$1RANKING |
| Keyspaces | keyspaces | AWS\$1ENDPOINT\$1URL\$1KEYSPACES |
| Kinesis | kinesis | AWS\$1ENDPOINT\$1URL\$1KINESIS |
| Kinesis Video Archived Media | kinesis\$1video\$1archived\$1media | AWS\$1ENDPOINT\$1URL\$1KINESIS\$1VIDEO\$1ARCHIVED\$1MEDIA |
| Kinesis Video Media | kinesis\$1video\$1media | AWS\$1ENDPOINT\$1URL\$1KINESIS\$1VIDEO\$1MEDIA |
| Kinesis Video Signaling | kinesis\$1video\$1signaling | AWS\$1ENDPOINT\$1URL\$1KINESIS\$1VIDEO\$1SIGNALING |
| Kinesis Video WebRTC Storage | kinesis\$1video\$1webrtc\$1storage | AWS\$1ENDPOINT\$1URL\$1KINESIS\$1VIDEO\$1WEBRTC\$1STORAGE |
| Kinesis Analytics | kinesis\$1analytics | AWS\$1ENDPOINT\$1URL\$1KINESIS\$1ANALYTICS |
| Kinesis Analytics V2 | kinesis\$1analytics\$1v2 | AWS\$1ENDPOINT\$1URL\$1KINESIS\$1ANALYTICS\$1V2 |
| Kinesis Video | kinesis\$1video | AWS\$1ENDPOINT\$1URL\$1KINESIS\$1VIDEO |
| KMS | kms | AWS\$1ENDPOINT\$1URL\$1KMS |
| LakeFormation | lakeformation | AWS\$1ENDPOINT\$1URL\$1LAKEFORMATION |
| Lambda | lambda | AWS\$1ENDPOINT\$1URL\$1LAMBDA |
| Launch Wizard | launch\$1wizard | AWS\$1ENDPOINT\$1URL\$1LAUNCH\$1WIZARD |
| Lex Model Building Service | lex\$1model\$1building\$1service | AWS\$1ENDPOINT\$1URL\$1LEX\$1MODEL\$1BUILDING\$1SERVICE |
| Lex Runtime Service | lex\$1runtime\$1service | AWS\$1ENDPOINT\$1URL\$1LEX\$1RUNTIME\$1SERVICE |
| Lex Models V2 | lex\$1models\$1v2 | AWS\$1ENDPOINT\$1URL\$1LEX\$1MODELS\$1V2 |
| Lex Runtime V2 | lex\$1runtime\$1v2 | AWS\$1ENDPOINT\$1URL\$1LEX\$1RUNTIME\$1V2 |
| License Manager | license\$1manager | AWS\$1ENDPOINT\$1URL\$1LICENSE\$1MANAGER |
| License Manager Linux Subscriptions | license\$1manager\$1linux\$1subscriptions | AWS\$1ENDPOINT\$1URL\$1LICENSE\$1MANAGER\$1LINUX\$1SUBSCRIPTIONS |
| License Manager User Subscriptions | license\$1manager\$1user\$1subscriptions | AWS\$1ENDPOINT\$1URL\$1LICENSE\$1MANAGER\$1USER\$1SUBSCRIPTIONS |
| Lightsail | lightsail | AWS\$1ENDPOINT\$1URL\$1LIGHTSAIL |
| Location | location | AWS\$1ENDPOINT\$1URL\$1LOCATION |
| CloudWatch Logs | cloudwatch\$1logs | AWS\$1ENDPOINT\$1URL\$1CLOUDWATCH\$1LOGS |
| LookoutEquipment | lookoutequipment | AWS\$1ENDPOINT\$1URL\$1LOOKOUTEQUIPMENT |
| LookoutMetrics | lookoutmetrics | AWS\$1ENDPOINT\$1URL\$1LOOKOUTMETRICS |
| LookoutVision | lookoutvision | AWS\$1ENDPOINT\$1URL\$1LOOKOUTVISION |
| m2 | m2 | AWS\$1ENDPOINT\$1URL\$1M2 |
| Machine Learning | machine\$1learning | AWS\$1ENDPOINT\$1URL\$1MACHINE\$1LEARNING |
| Macie2 | macie2 | AWS\$1ENDPOINT\$1URL\$1MACIE2 |
| ManagedBlockchain | managedblockchain | AWS\$1ENDPOINT\$1URL\$1MANAGEDBLOCKCHAIN |
| ManagedBlockchain Query | managedblockchain\$1query | AWS\$1ENDPOINT\$1URL\$1MANAGEDBLOCKCHAIN\$1QUERY |
| Marketplace Agreement | marketplace\$1agreement | AWS\$1ENDPOINT\$1URL\$1MARKETPLACE\$1AGREEMENT |
| Marketplace Catalog | marketplace\$1catalog | AWS\$1ENDPOINT\$1URL\$1MARKETPLACE\$1CATALOG |
| Marketplace Deployment | marketplace\$1deployment | AWS\$1ENDPOINT\$1URL\$1MARKETPLACE\$1DEPLOYMENT |
| Marketplace Entitlement Service | marketplace\$1entitlement\$1service | AWS\$1ENDPOINT\$1URL\$1MARKETPLACE\$1ENTITLEMENT\$1SERVICE |
| Marketplace Commerce Analytics | marketplace\$1commerce\$1analytics | AWS\$1ENDPOINT\$1URL\$1MARKETPLACE\$1COMMERCE\$1ANALYTICS |
| MediaConnect | mediaconnect | AWS\$1ENDPOINT\$1URL\$1MEDIACONNECT |
| MediaConvert | mediaconvert | AWS\$1ENDPOINT\$1URL\$1MEDIACONVERT |
| MediaLive | medialive | AWS\$1ENDPOINT\$1URL\$1MEDIALIVE |
| MediaPackage | mediapackage | AWS\$1ENDPOINT\$1URL\$1MEDIAPACKAGE |
| MediaPackage Vod | mediapackage\$1vod | AWS\$1ENDPOINT\$1URL\$1MEDIAPACKAGE\$1VOD |
| MediaPackageV2 | mediapackagev2 | AWS\$1ENDPOINT\$1URL\$1MEDIAPACKAGEV2 |
| MediaStore | mediastore | AWS\$1ENDPOINT\$1URL\$1MEDIASTORE |
| MediaStore Data | mediastore\$1data | AWS\$1ENDPOINT\$1URL\$1MEDIASTORE\$1DATA |
| MediaTailor | mediatailor | AWS\$1ENDPOINT\$1URL\$1MEDIATAILOR |
| Medical Imaging | medical\$1imaging | AWS\$1ENDPOINT\$1URL\$1MEDICAL\$1IMAGING |
| MemoryDB | memorydb | AWS\$1ENDPOINT\$1URL\$1MEMORYDB |
| Marketplace Metering | marketplace\$1metering | AWS\$1ENDPOINT\$1URL\$1MARKETPLACE\$1METERING |
| Migration Hub | migration\$1hub | AWS\$1ENDPOINT\$1URL\$1MIGRATION\$1HUB |
| mgn | mgn | AWS\$1ENDPOINT\$1URL\$1MGN |
| Migration Hub Refactor Spaces | migration\$1hub\$1refactor\$1spaces | AWS\$1ENDPOINT\$1URL\$1MIGRATION\$1HUB\$1REFACTOR\$1SPACES |
| MigrationHub Config | migrationhub\$1config | AWS\$1ENDPOINT\$1URL\$1MIGRATIONHUB\$1CONFIG |
| MigrationHubOrchestrator | migrationhuborchestrator | AWS\$1ENDPOINT\$1URL\$1MIGRATIONHUBORCHESTRATOR |
| MigrationHubStrategy | migrationhubstrategy | AWS\$1ENDPOINT\$1URL\$1MIGRATIONHUBSTRATEGY |
| Mobile | mobile | AWS\$1ENDPOINT\$1URL\$1MOBILE |
| mq | mq | AWS\$1ENDPOINT\$1URL\$1MQ |
| MTurk | mturk | AWS\$1ENDPOINT\$1URL\$1MTURK |
| MWAA | mwaa | AWS\$1ENDPOINT\$1URL\$1MWAA |
| Neptune | neptune | AWS\$1ENDPOINT\$1URL\$1NEPTUNE |
| Neptune Graph | neptune\$1graph | AWS\$1ENDPOINT\$1URL\$1NEPTUNE\$1GRAPH |
| neptunedata | neptunedata | AWS\$1ENDPOINT\$1URL\$1NEPTUNEDATA |
| Network Firewall | network\$1firewall | AWS\$1ENDPOINT\$1URL\$1NETWORK\$1FIREWALL |
| NetworkManager | networkmanager | AWS\$1ENDPOINT\$1URL\$1NETWORKMANAGER |
| NetworkMonitor | networkmonitor | AWS\$1ENDPOINT\$1URL\$1NETWORKMONITOR |
| nimble | nimble | AWS\$1ENDPOINT\$1URL\$1NIMBLE |
| OAM | oam | AWS\$1ENDPOINT\$1URL\$1OAM |
| Omics | omics | AWS\$1ENDPOINT\$1URL\$1OMICS |
| OpenSearch | opensearch | AWS\$1ENDPOINT\$1URL\$1OPENSEARCH |
| OpenSearchServerless | opensearchserverless | AWS\$1ENDPOINT\$1URL\$1OPENSEARCHSERVERLESS |
| OpsWorks | opsworks | AWS\$1ENDPOINT\$1URL\$1OPSWORKS |
| OpsWorksCM | opsworkscm | AWS\$1ENDPOINT\$1URL\$1OPSWORKSCM |
| Organizations | organizations | AWS\$1ENDPOINT\$1URL\$1ORGANIZATIONS |
| OSIS | osis | AWS\$1ENDPOINT\$1URL\$1OSIS |
| Outposts | outposts | AWS\$1ENDPOINT\$1URL\$1OUTPOSTS |
| p8data | p8data | AWS\$1ENDPOINT\$1URL\$1P8DATA |
| p8data | p8data | AWS\$1ENDPOINT\$1URL\$1P8DATA |
| Panorama | panorama | AWS\$1ENDPOINT\$1URL\$1PANORAMA |
| Payment Cryptography | payment\$1cryptography | AWS\$1ENDPOINT\$1URL\$1PAYMENT\$1CRYPTOGRAPHY |
| Payment Cryptography Data | payment\$1cryptography\$1data | AWS\$1ENDPOINT\$1URL\$1PAYMENT\$1CRYPTOGRAPHY\$1DATA |
| Pca Connector Ad | pca\$1connector\$1ad | AWS\$1ENDPOINT\$1URL\$1PCA\$1CONNECTOR\$1AD |
| Personalize | personalize | AWS\$1ENDPOINT\$1URL\$1PERSONALIZE |
| Personalize Events | personalize\$1events | AWS\$1ENDPOINT\$1URL\$1PERSONALIZE\$1EVENTS |
| Personalize Runtime | personalize\$1runtime | AWS\$1ENDPOINT\$1URL\$1PERSONALIZE\$1RUNTIME |
| PI | pi | AWS\$1ENDPOINT\$1URL\$1PI |
| Pinpoint | pinpoint | AWS\$1ENDPOINT\$1URL\$1PINPOINT |
| Pinpoint Email | pinpoint\$1email | AWS\$1ENDPOINT\$1URL\$1PINPOINT\$1EMAIL |
| Pinpoint SMS Voice | pinpoint\$1sms\$1voice | AWS\$1ENDPOINT\$1URL\$1PINPOINT\$1SMS\$1VOICE |
| Pinpoint SMS Voice V2 | pinpoint\$1sms\$1voice\$1v2 | AWS\$1ENDPOINT\$1URL\$1PINPOINT\$1SMS\$1VOICE\$1V2 |
| Pipes | pipes | AWS\$1ENDPOINT\$1URL\$1PIPES |
| Polly | polly | AWS\$1ENDPOINT\$1URL\$1POLLY |
| Pricing | pricing | AWS\$1ENDPOINT\$1URL\$1PRICING |
| PrivateNetworks | privatenetworks | AWS\$1ENDPOINT\$1URL\$1PRIVATENETWORKS |
| Proton | proton | AWS\$1ENDPOINT\$1URL\$1PROTON |
| QBusiness | qbusiness | AWS\$1ENDPOINT\$1URL\$1QBUSINESS |
| QConnect | qconnect | AWS\$1ENDPOINT\$1URL\$1QCONNECT |
| QLDB | qldb | AWS\$1ENDPOINT\$1URL\$1QLDB |
| QLDB Session | qldb\$1session | AWS\$1ENDPOINT\$1URL\$1QLDB\$1SESSION |
| QuickSight | quicksight | AWS\$1ENDPOINT\$1URL\$1QUICKSIGHT |
| RAM | ram | AWS\$1ENDPOINT\$1URL\$1RAM |
| rbin | rbin | AWS\$1ENDPOINT\$1URL\$1RBIN |
| RDS | rds | AWS\$1ENDPOINT\$1URL\$1RDS |
| RDS Data | rds\$1data | AWS\$1ENDPOINT\$1URL\$1RDS\$1DATA |
| Redshift | redshift | AWS\$1ENDPOINT\$1URL\$1REDSHIFT |
| Redshift Data | redshift\$1data | AWS\$1ENDPOINT\$1URL\$1REDSHIFT\$1DATA |
| Redshift Serverless | redshift\$1serverless | AWS\$1ENDPOINT\$1URL\$1REDSHIFT\$1SERVERLESS |
| Rekognition | rekognition | AWS\$1ENDPOINT\$1URL\$1REKOGNITION |
| repostspace | repostspace | AWS\$1ENDPOINT\$1URL\$1REPOSTSPACE |
| resiliencehub | resiliencehub | AWS\$1ENDPOINT\$1URL\$1RESILIENCEHUB |
| Resource Explorer 2 | resource\$1explorer\$12 | AWS\$1ENDPOINT\$1URL\$1RESOURCE\$1EXPLORER\$12 |
| Resource Groups | resource\$1groups | AWS\$1ENDPOINT\$1URL\$1RESOURCE\$1GROUPS |
| Resource Groups Tagging API | resource\$1groups\$1tagging\$1api | AWS\$1ENDPOINT\$1URL\$1RESOURCE\$1GROUPS\$1TAGGING\$1API |
| RoboMaker | robomaker | AWS\$1ENDPOINT\$1URL\$1ROBOMAKER |
| RolesAnywhere | rolesanywhere | AWS\$1ENDPOINT\$1URL\$1ROLESANYWHERE |
| Route 53 | route\$153 | AWS\$1ENDPOINT\$1URL\$1ROUTE\$153 |
| Route53 Recovery Cluster | route53\$1recovery\$1cluster | AWS\$1ENDPOINT\$1URL\$1ROUTE53\$1RECOVERY\$1CLUSTER |
| Route53 Recovery Control Config | route53\$1recovery\$1control\$1config | AWS\$1ENDPOINT\$1URL\$1ROUTE53\$1RECOVERY\$1CONTROL\$1CONFIG |
| Route53 Recovery Readiness | route53\$1recovery\$1readiness | AWS\$1ENDPOINT\$1URL\$1ROUTE53\$1RECOVERY\$1READINESS |
| Route 53 Domains | route\$153\$1domains | AWS\$1ENDPOINT\$1URL\$1ROUTE\$153\$1DOMAINS |
| Route53Resolver | route53resolver | AWS\$1ENDPOINT\$1URL\$1ROUTE53RESOLVER |
| RUM | rum | AWS\$1ENDPOINT\$1URL\$1RUM |
| S3 | s3 | AWS\$1ENDPOINT\$1URL\$1S3 |
| S3 Control | s3\$1control | AWS\$1ENDPOINT\$1URL\$1S3\$1CONTROL |
| S3Outposts | s3outposts | AWS\$1ENDPOINT\$1URL\$1S3OUTPOSTS |
| SageMaker | sagemaker | AWS\$1ENDPOINT\$1URL\$1SAGEMAKER |
| SageMaker A2I Runtime | sagemaker\$1a2i\$1runtime | AWS\$1ENDPOINT\$1URL\$1SAGEMAKER\$1A2I\$1RUNTIME |
| Sagemaker Edge | sagemaker\$1edge | AWS\$1ENDPOINT\$1URL\$1SAGEMAKER\$1EDGE |
| SageMaker FeatureStore Runtime | sagemaker\$1featurestore\$1runtime | AWS\$1ENDPOINT\$1URL\$1SAGEMAKER\$1FEATURESTORE\$1RUNTIME |
| SageMaker Geospatial | sagemaker\$1geospatial | AWS\$1ENDPOINT\$1URL\$1SAGEMAKER\$1GEOSPATIAL |
| SageMaker Metrics | sagemaker\$1metrics | AWS\$1ENDPOINT\$1URL\$1SAGEMAKER\$1METRICS |
| SageMaker Runtime | sagemaker\$1runtime | AWS\$1ENDPOINT\$1URL\$1SAGEMAKER\$1RUNTIME |
| savingsplans | savingsplans | AWS\$1ENDPOINT\$1URL\$1SAVINGSPLANS |
| Scheduler | scheduler | AWS\$1ENDPOINT\$1URL\$1SCHEDULER |
| schemas | schemas | AWS\$1ENDPOINT\$1URL\$1SCHEMAS |
| SimpleDB | simpledb | AWS\$1ENDPOINT\$1URL\$1SIMPLEDB |
| Secrets Manager | secrets\$1manager | AWS\$1ENDPOINT\$1URL\$1SECRETS\$1MANAGER |
| SecurityHub | securityhub | AWS\$1ENDPOINT\$1URL\$1SECURITYHUB |
| SecurityLake | securitylake | AWS\$1ENDPOINT\$1URL\$1SECURITYLAKE |
| ServerlessApplicationRepository | serverlessapplicationrepository | AWS\$1ENDPOINT\$1URL\$1SERVERLESSAPPLICATIONREPOSITORY |
| Service Quotas | service\$1quotas | AWS\$1ENDPOINT\$1URL\$1SERVICE\$1QUOTAS |
| Service Catalog | service\$1catalog | AWS\$1ENDPOINT\$1URL\$1SERVICE\$1CATALOG |
| Service Catalog AppRegistry | service\$1catalog\$1appregistry | AWS\$1ENDPOINT\$1URL\$1SERVICE\$1CATALOG\$1APPREGISTRY |
| ServiceDiscovery | servicediscovery | AWS\$1ENDPOINT\$1URL\$1SERVICEDISCOVERY |
| SES | ses | AWS\$1ENDPOINT\$1URL\$1SES |
| SESv2 | sesv2 | AWS\$1ENDPOINT\$1URL\$1SESV2 |
| Shield | shield | AWS\$1ENDPOINT\$1URL\$1SHIELD |
| signer | signer | AWS\$1ENDPOINT\$1URL\$1SIGNER |
| SimSpaceWeaver | simspaceweaver | AWS\$1ENDPOINT\$1URL\$1SIMSPACEWEAVER |
| SMS | sms | AWS\$1ENDPOINT\$1URL\$1SMS |
| Snow Device Management | snow\$1device\$1management | AWS\$1ENDPOINT\$1URL\$1SNOW\$1DEVICE\$1MANAGEMENT |
| Snowball | snowball | AWS\$1ENDPOINT\$1URL\$1SNOWBALL |
| SNS | sns | AWS\$1ENDPOINT\$1URL\$1SNS |
| SQS | sqs | AWS\$1ENDPOINT\$1URL\$1SQS |
| SSM | ssm | AWS\$1ENDPOINT\$1URL\$1SSM |
| SSM Contacts | ssm\$1contacts | AWS\$1ENDPOINT\$1URL\$1SSM\$1CONTACTS |
| SSM Incidents | ssm\$1incidents | AWS\$1ENDPOINT\$1URL\$1SSM\$1INCIDENTS |
| Ssm Sap | ssm\$1sap | AWS\$1ENDPOINT\$1URL\$1SSM\$1SAP |
| SSO | sso | AWS\$1ENDPOINT\$1URL\$1SSO |
| SSO Admin | sso\$1admin | AWS\$1ENDPOINT\$1URL\$1SSO\$1ADMIN |
| SSO OIDC | sso\$1oidc | AWS\$1ENDPOINT\$1URL\$1SSO\$1OIDC |
| SFN | sfn | AWS\$1ENDPOINT\$1URL\$1SFN |
| Storage Gateway | storage\$1gateway | AWS\$1ENDPOINT\$1URL\$1STORAGE\$1GATEWAY |
| STS | sts | AWS\$1ENDPOINT\$1URL\$1STS |
| SupplyChain | supplychain | AWS\$1ENDPOINT\$1URL\$1SUPPLYCHAIN |
| Support | support | AWS\$1ENDPOINT\$1URL\$1SUPPORT |
| Support App | support\$1app | AWS\$1ENDPOINT\$1URL\$1SUPPORT\$1APP |
| SWF | swf | AWS\$1ENDPOINT\$1URL\$1SWF |
| synthetics | synthetics | AWS\$1ENDPOINT\$1URL\$1SYNTHETICS |
| Textract | textract | AWS\$1ENDPOINT\$1URL\$1TEXTRACT |
| Timestream InfluxDB | timestream\$1influxdb | AWS\$1ENDPOINT\$1URL\$1TIMESTREAM\$1INFLUXDB |
| Timestream Query | timestream\$1query | AWS\$1ENDPOINT\$1URL\$1TIMESTREAM\$1QUERY |
| Timestream Write | timestream\$1write | AWS\$1ENDPOINT\$1URL\$1TIMESTREAM\$1WRITE |
| tnb | tnb | AWS\$1ENDPOINT\$1URL\$1TNB |
| Transcribe | transcribe | AWS\$1ENDPOINT\$1URL\$1TRANSCRIBE |
| Transfer | transfer | AWS\$1ENDPOINT\$1URL\$1TRANSFER |
| Translate | translate | AWS\$1ENDPOINT\$1URL\$1TRANSLATE |
| TrustedAdvisor | trustedadvisor | AWS\$1ENDPOINT\$1URL\$1TRUSTEDADVISOR |
| VerifiedPermissions | verifiedpermissions | AWS\$1ENDPOINT\$1URL\$1VERIFIEDPERMISSIONS |
| Voice ID | voice\$1id | AWS\$1ENDPOINT\$1URL\$1VOICE\$1ID |
| VPC Lattice | vpc\$1lattice | AWS\$1ENDPOINT\$1URL\$1VPC\$1LATTICE |
| WAF | waf | AWS\$1ENDPOINT\$1URL\$1WAF |
| WAF Regional | waf\$1regional | AWS\$1ENDPOINT\$1URL\$1WAF\$1REGIONAL |
| WAFV2 | wafv2 | AWS\$1ENDPOINT\$1URL\$1WAFV2 |
| WellArchitected | wellarchitected | AWS\$1ENDPOINT\$1URL\$1WELLARCHITECTED |
| Wisdom | wisdom | AWS\$1ENDPOINT\$1URL\$1WISDOM |
| WorkDocs | workdocs | AWS\$1ENDPOINT\$1URL\$1WORKDOCS |
| WorkLink | worklink | AWS\$1ENDPOINT\$1URL\$1WORKLINK |
| WorkMail | workmail | AWS\$1ENDPOINT\$1URL\$1WORKMAIL |
| WorkMailMessageFlow | workmailmessageflow | AWS\$1ENDPOINT\$1URL\$1WORKMAILMESSAGEFLOW |
| WorkSpaces | workspaces | AWS\$1ENDPOINT\$1URL\$1WORKSPACES |
| WorkSpaces Thin Client | workspaces\$1thin\$1client | AWS\$1ENDPOINT\$1URL\$1WORKSPACES\$1THIN\$1CLIENT |
| WorkSpaces Web | workspaces\$1web | AWS\$1ENDPOINT\$1URL\$1WORKSPACES\$1WEB |
| XRay | xray | AWS\$1ENDPOINT\$1URL\$1XRAY |
# Smart configuration defaults
**Note**
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).
With the smart configuration defaults feature, AWS SDKs can provide predefined, optimized default values for other configuration settings.
Configure this functionality by using the following:
**`defaults_mode` - shared AWS `config` file setting`AWS_DEFAULTS_MODE` - environment variable`aws.defaultsMode` - JVM system property: Java/Kotlin only**
With this setting, you can choose a mode that aligns with your application architecture, which then provides optimized default values for your application. If an AWS SDK setting has a value explicitly set, then that value always takes precedence. If an AWS SDK setting does not have a value explicitly set, and `defaults_mode` is not equal to legacy, then this feature can provide different default values for various settings optimized for your application. Settings may include the following: HTTP communication settings, retry behavior, service Regional endpoint settings, and, potentially, any SDK-related configuration. Customers who use this feature can get new configuration defaults tailored to common usage scenarios. If your `defaults_mode` is not equal to `legacy`, we recommend performing tests of your application when you upgrade the SDK, because the default values provided might change as best practices evolve.
**Default value:** `legacy`
Note: New major versions of SDKs will default to `standard`.
**Valid values:**
+ `legacy` – Provides default settings that vary by SDK and existed before establishment of `defaults_mode`.
+ `standard` – Provides the latest recommended default values that should be safe to run in most scenarios.
+ `in-region` – Builds on the standard mode and includes optimization tailored for applications that call AWS services from within the same AWS Region.
+ `cross-region` – Builds on the standard mode and includes optimization tailored for applications that call AWS services in a different Region.
+ `mobile` – Builds on the standard mode and includes optimization tailored for mobile applications.
+ `auto` – Builds on the standard mode and includes experimental features. The SDK attempts to discover the runtime environment to determine the appropriate settings automatically. The auto detection is heuristics-based and does not provide 100% accuracy. If the runtime environment can't be determined, `standard` mode is used. The auto detection might query [instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html), which might introduce latency. If startup latency is critical to your application, we recommend choosing an explicit `defaults_mode` instead.
Example of setting this value in the `config` file:
```
[default]
defaults_mode = standard
```
The following parameters might be optimized based on the selection of `defaults_mode`:
+ `retryMode` – Specifies how the SDK attempts retries. See [Retry behavior](feature-retry-behavior.md).
+ `stsRegionalEndpoints` – Specifies how the SDK determines the AWS service endpoint that it uses to talk to the AWS Security Token Service (AWS STS). See [AWS STS Regional endpoints](feature-sts-regionalized-endpoints.md).
+ `s3UsEast1RegionalEndpoints` – Specifies how the SDK determines the AWS service endpoint that it uses to talk to the Amazon S3 for the `us-east-1` Region.
+ `connectTimeoutInMillis` – After making an initial connection attempt on a socket, the amount of time before timing out. If the client does not receive a completion of the connect handshake, the client gives up and fails the operation.
+ `tlsNegotiationTimeoutInMillis` – The maximum amount of time that a TLS handshake can take from the time the CLIENT HELLO message is sent to the time the client and server have fully negotiated ciphers and exchanged keys.
The default value for each setting changes depending on the `defaults_mode` selected for your application. These values are currently set as follows (subject to change):
| Parameter | `standard` mode | `in-region` mode | `cross-region` mode | `mobile` mode |
| --- | --- | --- | --- | --- |
| retryMode | standard | standard | standard | standard |
| stsRegionalEndpoints | regional | regional | regional | regional |
| s3UsEast1RegionalEndpoints | regional | regional | regional | regional |
| connectTimeoutInMillis | 3100 | 1100 | 3100 | 30000 |
| tlsNegotiationTimeoutInMillis | 3100 | 1100 | 3100 | 30000 |
For example, if the `defaults_mode` you selected was `standard`, then the value of `standard` would be assigned for `retry_mode` (from the valid `retry_mode` options) and the value of `regional` would be assigned for `stsRegionalEndpoints` (from the valid `stsRegionalEndpoints` options).
## Support by AWS SDKs and tools
The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.
| SDK | Supported | Notes or more information |
| --- | --- | --- |
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | No | |
| [SDK for C\$1\$1](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | Parameters not optimized: stsRegionalEndpoints, s3UsEast1RegionalEndpoints, tlsNegotiationTimeoutInMillis. |
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes | Parameters not optimized: retryMode, stsRegionalEndpoints, s3UsEast1RegionalEndpoints. |
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | No | |
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | Parameters not optimized: stsRegionalEndpoints. |
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No | |
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes | Parameters not optimized: stsRegionalEndpoints, s3UsEast1RegionalEndpoints, tlsNegotiationTimeoutInMillis. connectTimeoutInMillis is called connectionTimeout. |
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No | |
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | No | |
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | Parameters not optimized: connectTimeoutInMillis, tlsNegotiationTimeoutInMillis. |
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | Parameters not optimized: connectTimeoutInMillis, tlsNegotiationTimeoutInMillis. |
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes | Parameters not optimized: tlsNegotiationTimeoutInMillis. |
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | Parameters not optimized: tlsNegotiationTimeoutInMillis. |
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes | |
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | No | |
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | No | |
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | Parameters not optimized: connectTimeoutInMillis, tlsNegotiationTimeoutInMillis. |
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | Parameters not optimized: connectTimeoutInMillis, tlsNegotiationTimeoutInMillis. |