

# AWS SDKs and Tools standardized credential providers
<a name="standardized-credentials"></a>

Many credential providers have been standardized to consistent defaults and to work the same way across many SDKs. This consistency increases productivity and clarity when coding across multiple SDKs. All settings can be overridden in code. For details, see your specific SDK API.

**Important**  
Not all SDKs support all providers, or even all aspects within a provider.

**Topics**
+ [Understand the credential provider chain](#credentialProviderChain)
+ [SDK-specific and tool-specific credential provider chains](#sdk-chains)
+ [AWS access keys](feature-static-credentials.md)
+ [Login provider](feature-login-credentials.md)
+ [Assume role provider](feature-assume-role-credentials.md)
+ [Container provider](feature-container-credentials.md)
+ [IAM Identity Center provider](feature-sso-credentials.md)
+ [IMDS provider](feature-imds-credentials.md)
+ [Process provider](feature-process-credentials.md)

## Understand the credential provider chain
<a name="credentialProviderChain"></a>

All SDKs have a series of places (or sources) that they check in order to find valid credentials to use to make a request to an AWS service. After valid credentials are found, the search is stopped. This systematic search is called the credential provider chain. 

When using one of the standardized credential providers, the AWS SDKs always attempt to renew credentials automatically when they expire. The built-in credential provider chain provides your application with the ability to refresh your credentials regardless of which provider you are using in the chain. No additional code is required for the SDK to do this.

Although the distinct chain used by each SDK varies, they most often include sources such as the following:


| Credential provider | Description | 
| --- | --- | 
| [AWS access keys](feature-static-credentials.md) | AWS access keys for an IAM user (such as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`).  | 
| [Federate with web identity or OpenID Connect](access-assume-role-web.md#webidentity) - Assume role credential provider | Sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. Assume the permissions of an IAM role using a JSON Web Token (JWT) from AWS Security Token Service (AWS STS). | 
| [Login credentials provider](feature-login-credentials.md)  | Get credentials for a new or existing console session that you are logged in to. | 
| [IAM Identity Center credential provider](feature-sso-credentials.md) | Get credentials from AWS IAM Identity Center. | 
| [Assume role credential provider](feature-assume-role-credentials.md) | Get access to other resources by assuming the permissions of an IAM role. (Retrieve and then use temporary credentials for a role). | 
| [Container credential provider](feature-container-credentials.md) | Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS) credentials. The container credential provider fetches credentials for the customer's containerized application.  | 
| [Process credential provider](feature-process-credentials.md) | Custom credential provider. Get your credentials from an external source or process, including IAM Roles Anywhere. | 
| [IMDS credential provider](feature-imds-credentials.md) | Amazon Elastic Compute Cloud (Amazon EC2) instance profile credentials. Associate an IAM role with each of your EC2 instances. Temporary credentials for that role are made available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service.  | 

For each step in the chain, there are multiple ways to assign setting values. Setting values that are specified in code always take precedence. However, settings can also be supplied through [environment variables](environment-variables.md) and the [shared `config` and `credentials` files](file-format.md). For more information, see [Precedence of settings](settings-reference.md#precedenceOfSettings).

## SDK-specific and tool-specific credential provider chains
<a name="sdk-chains"></a>

To go directly to your SDK's or tool's **specific** credential provider chain details, choose your SDK or tool from the following:
+ [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) 
+ [SDK for C++](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/credproviders.html)
+ [SDK for Go](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html) 
+ [SDK for Java](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html) 
+ [SDK for JavaScript](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/setting-credentials-node.html#credchain) 
+ [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/credential-providers.html) 
+ [SDK for .NET](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/creds-assign.html)
+ [SDK for PHP](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/guide_credentials.html)
+ [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html)
+ [SDK for Ruby](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/setup-config.html)
+ [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/credproviders.html)
+ [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/using-configuration.html)
+ [Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/creds-assign.html)

# AWS access keys
<a name="feature-static-credentials"></a>

**Warning**  
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).

AWS access keys for an IAM user can be used as your AWS credentials. The AWS SDK automatically uses these AWS credentials to sign API requests to AWS, so that your workloads can access your AWS resources and data securely and conveniently. We recommend that you always include an `aws_session_token`, so that the credentials are temporary and become invalid after they expire. Using long-term credentials is not recommended.

**Note**  
If AWS becomes unable to refresh these temporary credentials, AWS may extend the validity of the credentials so that your workloads are not impacted.

 The shared AWS `credentials` file is the recommended location for storing credentials information because it is safely outside of application source directories and separate from the SDK-specific settings of the shared `config` file.

To learn more about AWS credentials and using access keys, see [AWS security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html) and [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) in the *IAM User Guide*. 

Configure this functionality by using the following:

**`aws_access_key_id` - shared AWS `config` file setting**  
**`aws_access_key_id` - shared AWS `credentials` file setting *(recommended method)***  
**`AWS_ACCESS_KEY_ID` - environment variable**  
**`aws.accessKeyId` - JVM system property: Java/Kotlin only**  
Specifies the AWS access key used as part of the credentials to authenticate the user.

**`aws_secret_access_key` - shared AWS `config` file setting**  
**`aws_secret_access_key` - shared AWS `credentials` file setting *(recommended method)***  
**`AWS_SECRET_ACCESS_KEY` - environment variable**  
**`aws.secretAccessKey` - JVM system property: Java/Kotlin only**  
Specifies the AWS secret key used as part of the credentials to authenticate the user.

**`aws_session_token` - shared AWS `config` file setting**  
**`aws_session_token` - shared AWS `credentials` file setting *(recommended method)***  
**`AWS_SESSION_TOKEN` - environment variable**  
**`aws.sessionToken` - JVM system property: Java/Kotlin only**  
Specifies an AWS session token used as part of the credentials to authenticate the user. You receive this value as part of the temporary credentials returned by successful requests to assume a role. A session token is required only if you manually specify temporary security credentials. However, we recommend you always use temporary security credentials instead of long-term credentials. For security recommendations, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).

For instructions on how to obtain these values, see [Using short-term credentials to authenticate AWS SDKs and tools](access-temp-idc.md). 

Example of setting these required values in the `config` or `credentials` file:

```
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
```

Linux/macOS example of setting environment variables via command line:

```
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
```

Windows example of setting environment variables via command line:

```
setx AWS_ACCESS_KEY_ID AKIAIOSFODNN7EXAMPLE
setx AWS_SECRET_ACCESS_KEY wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
setx AWS_SESSION_TOKEN AQoEXAMPLEH4aoAH0gNCAPy...truncated...zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
```

## Support by AWS SDKs and tools
<a name="feature-static-credentials-sdk-compat"></a>

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.


| SDK | Supported | Notes or more information | 
| --- | --- | --- | 
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes |  | 
| [SDK for C++](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes | Shared `config` file not supported. | 
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes |  | 
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). | 
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes |  | 
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes |  | 
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes |  | 
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes |  | 
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes |  | 
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes |  | 
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes |  | 
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes |  | 
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes |  | 
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes |  | 
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes |  | 
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | Environment variables not supported. | 

# Login credentials provider
<a name="feature-login-credentials"></a>

You can [use your existing AWS Management Console sign-in credentials](https://docs.amazon.aws.com/sdkref/latest/guide/access-login.html) to acquire short-term credentials that can be used for programmatic access. After you complete the browser-based authentication flow, AWS generates temporary credentials that work across local development tools like the AWS CLI, AWS Tools for PowerShell and AWS SDKs.

To generate these credentials, run the `aws login` command in the AWS CLI, or the `Invoke-AWSLogin` cmdlet in AWS Tools for PowerShell. The resulting short-term credentials will be cached locally, where they can be reused by the AWS SDKs. The short-term credentials expire in 15 minutes, but the CLI and SDKs will automatically refresh them as needed up to 12 hours. When the refresh token expires, you'll be prompted to log in again via the CLI or PowerShell.

The login command will update the profile you specify with the `login_session` setting, which stores the identity of the management console session that you selected during the login workflow.

```
[profile console]
login_session = arn:aws:iam::0123456789012:user/username
region = us-west-2
```

By default, the short-term credentials and refresh token are stored in a JSON file in the `~/.aws/login/cache` directory on Linux and macOS, or `%USERPROFILE%\.aws\login\cache` on Windows. The filename is based on the login session name. You can override the directory by setting the `AWS_LOGIN_CACHE_DIRECTORY` environment variable.

## Login Provider Settings
<a name="feature-login-credentials-settings"></a>

Configure this functionality by using the following:

**`AWS_LOGIN_CACHE_DIRECTORY` - environment variable**  
Alternative directory where the CLI and SDKs will store the cached credentials that map to a login session profile.  
Default value: `~/.aws/login/cache` on Linux and macOS, or `%USERPROFILE%\.aws\login\cache` on Windows.

## Support by AWS SDKs and tools
<a name="feature-login-credentials-sdk-compat"></a>

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.


| SDK | Supported | Notes or more information | 
| --- | --- | --- | 
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes |  | 
| [SDK for C++](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes |  | 
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | No |  | 
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes |  | 
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes |  | 
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No |  | 
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes |  | 
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | No |  | 
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes |  | 
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes |  | 
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | Requires CRT | 
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes |  | 
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes |  | 
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes |  | 
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | No |  | 

# Assume role credential provider
<a name="feature-assume-role-credentials"></a>

**Note**  
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).

Assuming a role involves using a set of temporary security credentials to access AWS resources that you might not have access to otherwise. These temporary credentials consist of an access key ID, a secret access key, and a security token. 

To set up your SDK or tool to assume a role, you must first create or identify a specific *role* to assume. IAM roles are uniquely identified by a role Amazon Resource Name ([ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html)). Roles establish trust relationships with another entity. The trusted entity that uses the role might be an AWS service, another AWS account, a web identity provider or OIDC, or SAML federation. 

After the IAM role is identified, if you are trusted by that role, you can configure your SDK or tool to use the permissions that are granted by the role. To do this, use the following settings. 

For guidance on getting started using these settings, see [Assuming a role with AWS credentials to authenticate AWS SDKs and tools](access-assume-role.md) in this guide.

## Assume role credential provider settings
<a name="feature-assume-role-credentials-settings"></a>

Configure this functionality by using the following:

**`credential_source` - shared AWS `config` file setting**  
Used within Amazon EC2 instances or Amazon Elastic Container Service containers to specify where the SDK or tool can find credentials that have permission to assume the role that you specify with the `role_arn` parameter.  
**Default value:** None  
**Valid values:**  
+ **Environment** – Specifies that the SDK or tool is to retrieve source credentials from the environment variables [`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`](feature-static-credentials.md).
+ **Ec2InstanceMetadata** – Specifies that the SDK or tool is to use the [IAM role attached to the EC2 instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) to get source credentials.
+ **EcsContainer** – Specifies that the SDK or tool is to use the [IAM role attached to the Amazon ECS container](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html) or the [IAM role attached to the Amazon EKS container](https://docs.aws.amazon.com/eks/latest/userguide/security-iam-service-with-iam.html) to get source credentials.
You cannot specify both `credential_source` and `source_profile` in the same profile.  
Example of setting this in a `config` file to indicate that credentials should be sourced from Amazon EC2:  

```
credential_source = Ec2InstanceMetadata
role_arn = arn:aws:iam::123456789012:role/my-role-name
```

**`duration_seconds` - shared AWS `config` file setting**  
Specifies the maximum duration of the role session, in seconds.  
This setting applies only when the profile specifies to assume a role.   
**Default value:** 3600 seconds (one hour)  
**Valid values:** The value can range from 900 seconds (15 minutes) up to the maximum session duration setting configured for the role (which can be a maximum of 43200 seconds, or 12 hours). For more information, see [View the Maximum Session Duration Setting for a Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) in the *IAM User Guide*.  
Example of setting this in a `config` file:  

```
duration_seconds = 43200
```

**`external_id` - shared AWS `config` file setting**  
Specifies a unique identifier that is used by third parties to assume a role in their customers' accounts.  
This setting applies only when the profile specifies to assume a role and the trust policy for the role requires a value for `ExternalId`. The value maps to the `ExternalId` parameter that is passed to the `AssumeRole` operation when the profile specifies a role.   
**Default value:** None.   
**Valid values:** See [How to use an External ID When Granting Access to Your AWS Resources to a Third Party](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) in the *IAM User Guide*.  
Example of setting this in a `config` file:  

```
external_id = unique_value_assigned_by_3rd_party
```

**`mfa_serial` - shared AWS `config` file setting**  
Specifies the identification or serial number of a multi-factor authentication (MFA) device that the user must use when assuming a role.  
Required when assuming a role where the trust policy for that role includes a condition that requires MFA authentication. For more information about MFA, see [AWS Multi-factor authentication in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *IAM User Guide*.   
**Default value:** None.   
**Valid values:** The value can be either a serial number for a hardware device (such as `GAHT12345678`), or an Amazon Resource Name (ARN) for a virtual MFA device. The format of the ARN is: `arn:aws:iam::account-id:mfa/mfa-device-name`  
Example of setting this in a `config` file:  
This example assumes a virtual MFA device, called `MyMFADevice`, that has been created for the account and enabled for a user.  

```
mfa_serial = arn:aws:iam::123456789012:mfa/MyMFADevice
```

**`role_arn` - shared AWS `config` file setting**  
**`AWS_ROLE_ARN` - environment variable**  
**`aws.roleArn` - JVM system property: Java/Kotlin only**  
Specifies the Amazon Resource Name (ARN) of an IAM role that you want to use to perform operations requested using this profile.  
**Default value:** None.   
**Valid values:** The value must be the ARN of an IAM role, formatted as follows: `arn:aws:iam::account-id:role/role-name`  
 In addition, you must also specify **one** of the following settings:  
+ `source_profile` – To identify another profile to use to find credentials that have permission to assume the role in this profile.
+ `credential_source` – To use either credentials identified by the current environment variables or credentials attached to an Amazon EC2 instance profile, or an Amazon ECS container instance.
+ `web_identity_token_file` – To use public identity providers or any OpenID Connect (OIDC)-compatible identity provider for users who have been authenticated in a mobile or web application.

**`role_session_name` - shared AWS `config` file setting**  
**`AWS_ROLE_SESSION_NAME` - environment variable**  
**`aws.roleSessionName` - JVM system property: Java/Kotlin only**  
Specifies the name to attach to the role session. This name appears in AWS CloudTrail logs for entries associated with this session, which can be useful when auditing. For details, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *AWS CloudTrail User Guide*.  
**Default value:** An optional parameter. If you don't provide this value, a session name is generated automatically if the profile assumes a role.  
**Valid values:** Provided to the `RoleSessionName` parameter when the AWS CLI or AWS API calls the `AssumeRole` operation (or operations such as the `AssumeRoleWithWebIdentity` operation) on your behalf. The value becomes part of the assumed role user Amazon Resource Name (ARN) that you can query, and shows up as part of the CloudTrail log entries for operations invoked by this profile, for example `arn:aws:sts::123456789012:assumed-role/my-role-name/my-role_session_name`.  
Example of setting this in a `config` file:  

```
role_session_name = my-role-session-name
```

**`source_profile` - shared AWS `config` file setting**  
Specifies another profile whose credentials are used to assume the role specified by the `role_arn` setting in the original profile. To understand how profiles are used in the shared AWS `config` and `credentials` files, see [Shared `config` and `credentials` files](file-format.md).  
If you specify a profile that is also an assume role profile, each role will be assumed in sequential order to fully resolve the credentials. This chain is stopped when the SDK encounters a profile with credentials. Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour and can't be increased. For more information, see [Roles terms and concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) in the *IAM User Guide*.  
**Default value:** None.  
**Valid values:** A text string that consists of the name of a profile defined in the `config` and `credentials` files. You must also specify a value for `role_arn` in the current profile.  
You cannot specify both `credential_source` and `source_profile` in the same profile.  
Example of setting this in a config file:  

```
[profile A]
source_profile = B
role_arn = arn:aws:iam::123456789012:role/RoleA
role_session_name = ProfileARoleSession

[profile B]
credential_process = ./aws_signing_helper credential-process --certificate /path/to/certificate --private-key /path/to/private-key --trust-anchor-arn arn:aws:rolesanywhere:region:account:trust-anchor/TA_ID --profile-arn arn:aws:rolesanywhere:region:account:profile/PROFILE_ID --role-arn arn:aws:iam::account:role/ROLE_ID
```
In the previous example, the `A` profile tells the SDK or tool to automatically look up the credentials for the linked `B` profile. In this case, the `B` profile uses the credential helper tool provided by [Using IAM Roles Anywhere to authenticate AWS SDKs and tools](access-rolesanywhere.md) to get credentials for the AWS SDK. Those temporary credentials are then used by your code to access AWS resources. The specified role must have IAM permissions policies attached that allow whatever your code requests, such as the command, AWS service, or API method it calls. Every action taken through profile `A` is recorded in CloudTrail logs with the role session name included.   
For a second example of role chaining, the following configuration can be used if you have an application on an Amazon Elastic Compute Cloud instance, and you want to have that application assume another role.   

```
[profile A]
source_profile = B
role_arn = arn:aws:iam::123456789012:role/RoleA
role_session_name = ProfileARoleSession

[profile B]
credential_source = Ec2InstanceMetadata
```
Profile `A` will use the credentials from the Amazon EC2 instance to assume the specified role and will renew the credentials automatically.  


**`web_identity_token_file` - shared AWS `config` file setting**  
**`AWS_WEB_IDENTITY_TOKEN_FILE` - environment variable**  
**`aws.webIdentityTokenFile` - JVM system property: Java/Kotlin only**  
Specifies the path to a file that contains an access token from a [supported OAuth 2.0 provider](https://wikipedia.org/wiki/List_of_OAuth_providers) or [OpenID Connect ID identity provider](https://openid.net/developers/certified/).  
This setting enables authentication by using web identity federation providers, such as [Google](https://developers.google.com/identity/protocols/OAuth2), [Facebook](https://developers.facebook.com/docs/facebook-login/overview), and [Amazon](https://login.amazon.com/), among many others. The SDK or developer tool loads the contents of this file and passes it as the `WebIdentityToken` argument when it calls the `AssumeRoleWithWebIdentity` operation on your behalf.  
**Default value:** None.   
**Valid values:** This value must be a path and file name. The file must contain an OAuth 2.0 access token or an OpenID Connect token that was provided to you by an identity provider. Relative paths are treated as relative to the working directory of the process.
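The following resolver, an added illustration rather than code from any AWS SDK, applies the rules stated for these settings (`role_arn` with exactly one of `source_profile`, `credential_source` or `web_identity_token_file`; `source_profile` and `credential_source` never together; chains followed until a profile with its own credentials; the one-hour cap on role chaining) to a constructed shared `config` file. The sample profiles, role ARNs and token path are made up for the example.

```python
"""Assume-role profile resolver; an added illustration, not AWS SDK code.
Rules applied from this section: role_arn needs exactly one of source_profile,
credential_source or web_identity_token_file; source_profile and credential_source
never appear together; a source_profile chain is followed until a profile with its
own credentials; chained role sessions are capped at one hour."""
import configparser
from typing import Dict, List

CREDENTIAL_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}
ROLE_SOURCE_KEYS = ("source_profile", "credential_source", "web_identity_token_file")

# Constructed sample: a two-hop chain A -> B -> C, an EC2-backed chain, a web identity profile.
CONFIG = """\
[profile A]
source_profile = B
role_arn = arn:aws:iam::123456789012:role/RoleA
role_session_name = ProfileARoleSession
[profile B]
source_profile = C
role_arn = arn:aws:iam::123456789012:role/RoleB
[profile C]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[profile ec2app]
source_profile = instance
role_arn = arn:aws:iam::123456789012:role/RoleA
[profile instance]
credential_source = Ec2InstanceMetadata
[profile oidc]
web_identity_token_file = /var/run/secrets/token
role_arn = arn:aws:iam::123456789012:role/RoleOidc
"""

def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse shared config text; '[profile NAME]' sections are keyed by NAME."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles = {}
    for section in parser.sections():
        name = section[8:] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles

def base_step(name: str, p: Dict[str, str]) -> str:
    """Describe how a profile without role_arn supplies credentials."""
    if "aws_access_key_id" in p and "aws_secret_access_key" in p:
        return f"{name}: use static access keys"
    if "credential_process" in p:
        return f"{name}: run credential_process"
    if p.get("credential_source") in CREDENTIAL_SOURCES:
        return f"{name}: credentials from {p['credential_source']}"
    raise ValueError(f"profile '{name}' supplies no credentials")

def finish(base: List[str], roles: List[str]) -> List[str]:
    """Order the steps source-first and flag the one-hour cap on role chaining."""
    plan = base + roles[::-1]
    if len(roles) > 1:
        plan.append("note: role chaining caps each session at 1 hour")
    return plan

def resolve(profiles: Dict[str, Dict[str, str]], name: str) -> List[str]:
    """Ordered steps that yield credentials for `name`; ValueError if the rules reject it."""
    roles: List[str] = []  # AssumeRole steps, outermost profile first
    seen = set()
    while True:
        if name in seen:
            raise ValueError(f"source_profile cycle at profile '{name}'")
        seen.add(name)
        if name not in profiles:
            raise ValueError(f"profile '{name}' is not defined")
        p = profiles[name]
        if "role_arn" not in p:
            return finish([base_step(name, p)], roles)
        if "source_profile" in p and "credential_source" in p:
            raise ValueError(f"profile '{name}': source_profile and credential_source are exclusive")
        present = [k for k in ROLE_SOURCE_KEYS if k in p]
        if len(present) != 1:
            raise ValueError(f"profile '{name}': role_arn needs exactly one of {ROLE_SOURCE_KEYS}")
        key, session = present[0], p.get("role_session_name", "auto-generated")
        if key == "web_identity_token_file":
            roles.append(f"{name}: AssumeRoleWithWebIdentity {p['role_arn']} "
                         f"with token file {p[key]} (session {session})")
            return finish([], roles)
        roles.append(f"{name}: AssumeRole {p['role_arn']} (session {session})")
        if key == "credential_source":
            if p[key] not in CREDENTIAL_SOURCES:
                raise ValueError(f"profile '{name}': unknown credential_source {p[key]}")
            return finish([f"{name}: credentials from {p[key]}"], roles)
        name = p["source_profile"]

def is_valid(profiles: Dict[str, Dict[str, str]], name: str) -> bool:
    try:
        return bool(resolve(profiles, name))
    except ValueError:
        return False

PROFILES = load_profiles(CONFIG)
```

Calling `resolve(PROFILES, "A")` yields the static keys of `C`, then the `RoleB` assumption, then the `RoleA` assumption, followed by the role-chaining note.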

## Support by AWS SDKs and tools
<a name="assume-role-sdk-compat"></a>

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.


| SDK | Supported | Notes or more information | 
| --- | --- | --- | 
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes |  | 
| [SDK for C++](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Partial | `credential_source` not supported. `duration_seconds` not supported. `mfa_serial` not supported. | 
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes |  | 
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). | 
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Partial | `mfa_serial` not supported. `duration_seconds` not supported. | 
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Partial | `credential_source` not supported. `mfa_serial` not supported. JVM system properties not supported.  | 
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes |  | 
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Partial | `credential_source` not supported. | 
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes |  | 
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes |  | 
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes |  | 
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes |  | 
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes |  | 
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes |  | 
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes |  | 
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes |  | 

# Container credential provider
<a name="feature-container-credentials"></a>

**Note**  
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).

The container credential provider fetches credentials for a customer's containerized application. This credential provider is useful for Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS) customers. SDKs attempt to load credentials from the specified HTTP endpoint through a GET request. 

If you use Amazon ECS, we recommend you use a task IAM Role for improved credential isolation, authorization, and auditability. When configured, Amazon ECS sets the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variable that the SDKs and tools use to obtain credentials. To configure Amazon ECS for this functionality, see [Task IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide*.

If you use Amazon EKS, we recommend you use Amazon EKS Pod Identity for improved credential isolation, least privilege, auditability, independent operation, reusability, and scalability. Both your Pod and an IAM role are associated with a Kubernetes service account to manage credentials for your applications. To learn more on Amazon EKS Pod Identity, see [Amazon EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) in the **Amazon EKS User Guide**. When configured, Amazon EKS sets the `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` environment variables that the SDKs and tools use to obtain credentials. For setup information, see [Setting up the Amazon EKS Pod Identity Agent](https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-setup.html) in the **Amazon EKS User Guide** or [Amazon EKS Pod Identity simplifies IAM permissions for applications on Amazon EKS clusters](https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/) at the AWS Blog website.

Configure this functionality by using the following:

**`AWS_CONTAINER_CREDENTIALS_FULL_URI` - environment variable**  
Specifies the full HTTP URL endpoint for the SDK to use when making a request for credentials. This includes both the scheme and the host.  
**Default value:** None.   
**Valid values:** Valid URI.   
*Note: This setting is an alternative to `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` and is only used if `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is not set.*  
Linux/macOS example of setting environment variables via command line:  

```
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost/get-credentials
```
or  

```
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost:8080/get-credentials
```

**`AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` - environment variable**  
Specifies the relative HTTP URL endpoint for the SDK to use when making a request for credentials. The value is appended to the default Amazon ECS hostname of `169.254.170.2`.  
**Default value:** None.  
**Valid values:** Valid relative URI.  
Linux/macOS example of setting environment variables via command line:  

```
export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/get-credentials?a=1
```

**`AWS_CONTAINER_AUTHORIZATION_TOKEN` - environment variable**  
Specifies an authorization token in plain text. If this variable is set, the SDK will set the Authorization header on the HTTP request with the environment variable's value.  
**Default value:** None.   
**Valid values:** String.   
*Note: This setting is an alternative to `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` and is only used if `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` is not set.*  
Linux/macOS example of setting environment variables via command line:  

```
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost/get-credential
export AWS_CONTAINER_AUTHORIZATION_TOKEN=Basic abcd
```

**`AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` - environment variable**  
Specifies an absolute file path to a file that contains the authorization token in plain text.  
**Default value:** None.   
**Valid values:** String.   
Linux/macOS example of setting environment variables via command line:  

```
export AWS_CONTAINER_CREDENTIALS_FULL_URI=http://localhost/get-credential
export AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE=/path/to/token
```
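
The four settings above carry two precedence rules (a relative URI is appended to the ECS host and takes priority over a full URI; a token file takes priority over a plain-text token) that are easy to get wrong in a custom client or in a test harness that stands in for the ECS or EKS agent. The following Python resolver is an added example, not code from any AWS SDK. It applies exactly those rules and builds the GET request an SDK would send; the `is_allowed_endpoint` check, which refuses plain-HTTP endpoints that are neither loopback nor the ECS host, is this example's own defensive choice and not a rule stated on this page. Function names and the `read_file` hook are this example's own.

```python
"""Resolve the container credential endpoint and Authorization header.

Added example, not AWS SDK code. Precedence and the default ECS host follow the
settings described on this page; is_allowed_endpoint() is this example's own
defensive check (https anywhere, plain http only to loopback or the ECS host).
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

ECS_DEFAULT_HOST = "http://169.254.170.2"   # host that RELATIVE_URI is appended to
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "169.254.170.2"}


def resolve_container_endpoint(env: Dict[str, str]) -> Optional[str]:
    """Return the credential URL, or None when neither URI variable is set.

    RELATIVE_URI wins: FULL_URI is consulted only when RELATIVE_URI is absent.
    """
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if relative:
        return ECS_DEFAULT_HOST + relative
    return env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI") or None


def resolve_authorization_header(env: Dict[str, str],
                                 read_file: Optional[Callable[[str], str]] = None) -> Dict[str, str]:
    """Headers for the GET request.

    TOKEN_FILE wins: the plain-text TOKEN variable is used only when TOKEN_FILE
    is not set. `read_file` is injectable so tests need not touch the disk; the
    file content's surrounding whitespace is stripped (this example's choice).
    """
    read_file = read_file or _read_token_file
    token_file = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
    if token_file:
        return {"Authorization": read_file(token_file).strip()}
    token = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN")
    return {"Authorization": token} if token else {}


def is_allowed_endpoint(url: str) -> bool:
    """https anywhere, or plain http only to loopback / the ECS credential host."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and (parts.hostname or "") in LOOPBACK_HOSTS


def build_credential_request(env: Dict[str, str],
                             read_file: Optional[Callable[[str], str]] = None
                             ) -> Optional[Tuple[str, Dict[str, str]]]:
    """(url, headers) for the GET an SDK would issue, or None if the provider
    does not apply. Raises ValueError for an endpoint this example refuses."""
    url = resolve_container_endpoint(env)
    if url is None:
        return None
    if not is_allowed_endpoint(url):
        raise ValueError(f"refusing non-loopback plain-http credential endpoint: {url}")
    return url, resolve_authorization_header(env, read_file)


def _read_token_file(path: str) -> str:
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()
```

Passing the environment as a mapping instead of reading `os.environ` directly is what makes the precedence rules testable; in production code call `build_credential_request(dict(os.environ))`.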

## Support by AWS SDKs and tools
<a name="feature-container-credentials-sdk-compat"></a>

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.


| SDK | Supported | Notes or more information | 
| --- | --- | --- | 
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes |  | 
| [SDK for C++](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes |  | 
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes |  | 
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes |  | 
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN` are automatically used for authentication. | 
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN` are automatically used for authentication. | 
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes |  | 
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes |  | 
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN` are automatically used for authentication. | 
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN` are automatically used for authentication. | 
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes |  | 
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes | When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html#snapstart-runtimes) is activated, `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN` are automatically used for authentication. | 
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes |  | 
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes |  | 
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes |  | 
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes |  | 
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes |  | 

# IAM Identity Center credential provider
<a name="feature-sso-credentials"></a>

**Note**  
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).

This authentication mechanism uses AWS IAM Identity Center to get single sign-on (SSO) access to AWS services for your code.

**Note**  
In the AWS SDK API documentation, the IAM Identity Center credential provider is called the SSO credential provider.

After you enable IAM Identity Center, you define a profile for its settings in your shared AWS `config` file. This profile is used to connect to the IAM Identity Center access portal. When a user successfully authenticates with IAM Identity Center, the portal returns short-term credentials for the IAM role associated with that user. To learn how the SDK gets temporary credentials from the configuration and uses them for AWS service requests, see [How IAM Identity Center authentication is resolved for AWS SDKs and tools](understanding-sso.md).

There are two ways to configure IAM Identity Center through the `config` file:
+ **(Recommended) SSO token provider configuration** – Extended session durations. Includes support for custom session durations.
+ **Legacy non-refreshable configuration** – Uses a fixed, eight-hour session.

In both configurations, you need to sign in again when your session expires.

The following two guides contain additional information about IAM Identity Center:
+ [AWS IAM Identity Center User Guide](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
+ [AWS IAM Identity Center Portal API Reference](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/Welcome.html)

For a deep dive on how the SDKs and tools use and refresh credentials using this configuration, see [How IAM Identity Center authentication is resolved for AWS SDKs and tools](understanding-sso.md).

## Prerequisites
<a name="feature-sso-credentials-prereq"></a>

You must first enable IAM Identity Center. For details about enabling IAM Identity Center authentication, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

**Note**  
Alternatively, for complete prerequisites **and** the necessary shared `config` file configuration that is detailed on this page, see the guided instructions for setting up [Using IAM Identity Center to authenticate AWS SDK and tools](access-sso.md).

## SSO token provider configuration
<a name="sso-token-config"></a>

When you use the SSO token provider configuration, your AWS SDK or tool automatically refreshes your session up to your extended session period. For more information on session duration and maximum duration, see [Configure the session duration of the AWS access portal and IAM Identity Center integrated applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html) in the *AWS IAM Identity Center User Guide*.

The `sso-session` section of the `config` file is used to group configuration variables for acquiring SSO access tokens, which can then be used to acquire AWS credentials. For more details on this section within a `config` file, see [Format of the config file](file-format.md#file-format-config). 

The following shared `config` file example configures the SDK or tool using a `dev` profile to request IAM Identity Center credentials.

```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```

The previous example shows that you define an `sso-session` section and associate it with a profile. Typically, `sso_account_id` and `sso_role_name` must be set in the `profile` section so that the SDK can request AWS credentials. `sso_region`, `sso_start_url`, and `sso_registration_scopes` must be set within the `sso-session` section. 

`sso_account_id` and `sso_role_name` aren't required for all scenarios of SSO token configuration. If your application only uses AWS services that support bearer authentication, then traditional AWS credentials are not needed. Bearer authentication is an HTTP authentication scheme that uses security tokens called bearer tokens. In this scenario, `sso_account_id` and `sso_role_name` aren't required. See the individual AWS service guide to determine if the service supports bearer token authorization.

Registration scopes are configured as part of an `sso-session`. Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account. The previous example sets `sso_registration_scopes` to provide necessary access for listing accounts and roles. 

The following example shows how you can reuse the same `sso-session` configuration across multiple profiles.

```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[profile prod]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole2

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```

The authentication token is cached to disk under the `~/.aws/sso/cache` directory with a file name based on the session name. 

## Legacy non-refreshable configuration
<a name="sso-legacy"></a>

Automated token refresh isn't supported using the legacy non-refreshable configuration. We recommend using the [SSO token provider configuration](#sso-token-config) instead.

To use the legacy non-refreshable configuration, you must specify the following settings within your profile:
+ `sso_start_url`
+ `sso_region`
+ `sso_account_id`
+ `sso_role_name`

You specify the user portal for a profile with the `sso_start_url` and `sso_region` settings. You specify permissions with the `sso_account_id` and `sso_role_name` settings.

The following example sets the four required values in the `config` file.

```
[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111122223333
sso_role_name = SSOReadOnlyRole
```

The authentication token is cached to disk under the `~/.aws/sso/cache` directory with a file name based on the `sso_start_url`. 
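
The two configurations above place the same settings in different sections, and a profile that names an `sso-session` that does not exist, or a session whose `sso_registration_scopes` lacks `sso:account:access`, fails only at sign-in time. The following Python resolver is an added example, not code from the AWS CLI or any SDK: it reads a shared `config` file with the standard library, decides whether each profile uses the SSO token provider configuration or the legacy non-refreshable configuration, checks the keys that mode requires, and records whether the profile can obtain AWS credentials at all (a token-provider profile without `sso_account_id` and `sso_role_name` serves bearer-token services only). The embedded config combines this page's examples with two constructed profiles, `bearer-only` and `broken`; the function and field names are this example's own.

```python
"""Classify IAM Identity Center profiles in a shared AWS config file.

Added example, not SDK or CLI code; it applies the rules stated on this page.
The config text mixes the page's examples with two constructed profiles,
`bearer-only` (token provider, no account/role) and `broken` (dangling session).
"""
import configparser
from dataclasses import dataclass, field
from typing import Dict, List

SESSION_REQUIRED = ("sso_region", "sso_start_url", "sso_registration_scopes")
LEGACY_REQUIRED = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
MIN_SCOPE = "sso:account:access"   # without it no refresh token is issued

SAMPLE_CONFIG = """
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[profile prod]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole2

[profile bearer-only]
sso_session = my-sso

[profile broken]
sso_session = missing-session

[profile my-sso-profile]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-west-2
sso_account_id = 111122223333
sso_role_name = SSOReadOnlyRole

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
"""


@dataclass
class SsoProfile:
    name: str
    mode: str                           # "sso-session", "legacy", "not-sso" or "invalid"
    settings: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)
    credential_capable: bool = False    # can exchange the token for AWS credentials
    cache_basis: str = ""               # what the ~/.aws/sso/cache file name derives from


def load_config(text: str) -> configparser.ConfigParser:
    # '=' only: the default delimiters also split on ':', which mangles URLs
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def classify_profile(cp: configparser.ConfigParser, profile: str) -> SsoProfile:
    section = "default" if profile == "default" else f"profile {profile}"
    if not cp.has_section(section):
        return SsoProfile(profile, "invalid", problems=[f"no [{section}] section"])
    prof = dict(cp.items(section))
    if not any(k.startswith("sso_") for k in prof):
        return SsoProfile(profile, "not-sso", settings=prof)
    result = SsoProfile(profile, "legacy", settings=dict(prof))

    if "sso_session" in prof:                      # SSO token provider configuration
        result.mode, result.cache_basis = "sso-session", prof["sso_session"]
        sess_section = f"sso-session {prof['sso_session']}"
        if not cp.has_section(sess_section):
            result.problems.append(f"[{sess_section}] not found")
        else:
            sess = dict(cp.items(sess_section))
            result.settings.update(sess)
            result.problems += [f"{k} missing from [{sess_section}]"
                                for k in SESSION_REQUIRED if k not in sess]
            scopes = {s.strip() for s in sess.get("sso_registration_scopes", "").split(",")}
            if MIN_SCOPE not in scopes:
                result.problems.append(f"sso_registration_scopes lacks {MIN_SCOPE}")
        # Account and role are optional: without them the token serves bearer-auth services only.
        result.credential_capable = all(k in prof for k in ("sso_account_id", "sso_role_name"))
    else:                                          # legacy non-refreshable configuration
        result.cache_basis = prof.get("sso_start_url", "")
        result.problems += [f"{k} missing from [{section}]" for k in LEGACY_REQUIRED if k not in prof]
        result.credential_capable = not result.problems

    if result.problems:
        result.mode = "invalid"
    return result
```

Running `classify_profile` over every `profile` section of a real `~/.aws/config` before rolling out a new `sso-session` catches the dangling-session and missing-scope cases without anyone having to sign in.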

## IAM Identity Center credential provider settings
<a name="feature-sso-credentials-profile"></a>

Configure this functionality by using the following:

**`sso_start_url` - shared AWS `config` file setting**  
The URL that points to your organization's IAM Identity Center issuer URL or access portal URL. For more information, see [Using the AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html) in the *AWS IAM Identity Center User Guide*.  
To find this value, open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon), view the **Dashboard**, and find **AWS access portal URL**.  
+ Alternatively, starting with version **2.22.0** of the AWS CLI, you can instead use the value for **AWS Issuer URL**.

**`sso_region` - shared AWS `config` file setting**  
The AWS Region that contains your IAM Identity Center portal host; that is, the Region you selected before enabling IAM Identity Center. This is independent from your default AWS Region, and can be different.  
For a complete list of the AWS Regions and their codes, see [Regional Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) in the *Amazon Web Services General Reference*. To find this value, open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon), view the **Dashboard**, and find **Region**.

**`sso_account_id` - shared AWS `config` file setting**  
The numeric ID of the AWS account that was added through the AWS Organizations service to use for authentication.   
To see the list of available accounts, go to the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon) and open the **AWS accounts** page. You can also see the list of available accounts using the [ListAccounts](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_ListAccounts.html) API method in the *AWS IAM Identity Center Portal API Reference*. For example, you can call the AWS CLI method [list-accounts](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/list-accounts.html). 

**`sso_role_name` - shared AWS `config` file setting**  
The name of a permission set provisioned as an IAM role that defines the user's resulting permissions. The role must exist in the AWS account specified by `sso_account_id`. Use the role name, not the role Amazon Resource Name (ARN).  
Permission sets have IAM policies and custom permissions policies attached to them and define the level of access that users have to their assigned AWS accounts.  
To see the list of available permission sets per AWS account, go to the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon) and open the **AWS accounts** page. Choose the correct permission set name listed in the AWS accounts table. You can also see the list of available permission sets using the [ListAccountRoles](https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_ListAccountRoles.html) API method in the *AWS IAM Identity Center Portal API Reference*. For example, you can call the AWS CLI method [list-account-roles](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso/list-account-roles.html). 

**`sso_registration_scopes` - shared AWS `config` file setting**  
A comma-delimited list of valid scope strings to be authorized for the `sso-session`. An application can request one or more scopes, and the access token issued to the application is limited to the scopes granted. A minimum scope of `sso:account:access` must be granted to get a refresh token back from the IAM Identity Center service. For the list of available access scope options, see [Access scopes](https://docs.aws.amazon.com/singlesignon/latest/userguide/customermanagedapps-saml2-oauth2.html#oidc-concept) in the *AWS IAM Identity Center User Guide*.   
These scopes define the permissions requested to be authorized for the registered OIDC client and access tokens retrieved by the client. Scopes authorize access to IAM Identity Center bearer token authorized endpoints.   
This setting doesn't apply to the legacy non-refreshable configuration. Tokens issued using the legacy configuration are limited to scope `sso:account:access` implicitly.

## Support by AWS SDKs and tools
<a name="feature-sso-credentials-sdk-compat"></a>

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.


| SDK | Supported | Notes or more information | 
| --- | --- | --- | 
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes |  | 
| [SDK for C++](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes |  | 
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes |  | 
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). | 
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes | Configuration values also supported in credentials file. | 
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | No |  | 
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes |  | 
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes |  | 
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes |  | 
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes |  | 
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes |  | 
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes |  | 
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Partial | Legacy non-refreshable configuration only. | 
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes |  | 
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes |  | 
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes |  | 

# IMDS credential provider
<a name="feature-imds-credentials"></a>

**Note**  
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).

Instance Metadata Service (IMDS) provides data about your instance that you can use to configure or manage the running instance. For more information about the data available, see [Work with instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) in the *Amazon EC2 User Guide*. Amazon EC2 provides a local endpoint available to instances that can provide various bits of information to the instance. If the instance has a role attached, it can provide a set of credentials that are valid for that role. The SDKs can use that endpoint to resolve credentials as part of their [default credential provider chain](standardized-credentials.md#credentialProviderChain). Instance Metadata Service Version 2 (IMDSv2), a more secure version of IMDS that uses a session token, is used by default. If that fails due to a non-retryable condition (HTTP error codes 403, 404, 405), IMDSv1 is used as a fallback. 

Configure this functionality by using the following:

**`AWS_EC2_METADATA_DISABLED` - environment variable**  
Whether or not to attempt to use Amazon EC2 Instance Metadata Service (IMDS) to obtain credentials.  
**Default value:** `false`.  
**Valid values:**  
+ **`true`** – Do not use IMDS to obtain credentials.
+ **`false`** – Use IMDS to obtain credentials.

**`ec2_metadata_v1_disabled` - shared AWS `config` file setting**  
**`AWS_EC2_METADATA_V1_DISABLED` - environment variable**  
**`aws.disableEc2MetadataV1` - JVM system property: Java/Kotlin only**  
Whether or not to use Instance Metadata Service Version 1 (IMDSv1) as a fallback if IMDSv2 fails.  
New SDKs don't support IMDSv1 and, thus, don't support this setting. For details, see the table in [Support by AWS SDKs and tools](#feature-imds-credentials-sdk-compat).  
**Default value:** `false`.  
**Valid values:**  
+ **`true`** – Do not use IMDSv1 as a fallback.
+ **`false`** – Use IMDSv1 as a fallback.

**`ec2_metadata_service_endpoint` - shared AWS `config` file setting**  
**`AWS_EC2_METADATA_SERVICE_ENDPOINT` - environment variable**  
**`aws.ec2MetadataServiceEndpoint` - JVM system property: Java/Kotlin only**  
The endpoint of IMDS. This value overrides the default location that AWS SDKs and tools will search for Amazon EC2 instance metadata.  
**Default value:** If `ec2_metadata_service_endpoint_mode` equals `IPv4`, the default endpoint is `http://169.254.169.254`. If `ec2_metadata_service_endpoint_mode` equals `IPv6`, the default endpoint is `http://[fd00:ec2::254]`.  
**Valid values:** Valid URI.

**`ec2_metadata_service_endpoint_mode` - shared AWS `config` file setting**  
**`AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE` - environment variable**  
**`aws.ec2MetadataServiceEndpointMode` - JVM system property: Java/Kotlin only**  
The endpoint mode of IMDS.  
**Default value:** `IPv4`.  
**Valid values:** `IPv4`, `IPv6`.

**Note**  
The IMDS credential provider is a part of the [credential provider chain](standardized-credentials.md#credentialProviderChain). However, the IMDS credential provider is only checked after several other providers that are in this series. Therefore, if you want your program to use this provider's credentials, you must remove other valid credential providers from your configuration or use a different profile. Alternatively, instead of relying on the credential provider chain to automatically discover which provider returns valid credentials, specify the use of the IMDS credential provider in code. You can specify credential sources directly when you create service clients.
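
The settings above interact: the endpoint depends on the mode unless overridden, `AWS_EC2_METADATA_DISABLED` short-circuits the provider entirely, and `ec2_metadata_v1_disabled` decides what happens when the IMDSv2 token request fails with 403, 404 or 405. The following Python model is an added example, not AWS SDK code. It resolves the settings from an environment mapping and a config mapping (assuming, as this example's own choice, that an environment variable wins over the config setting of the same name) and then walks the IMDSv2-first, IMDSv1-fallback decision against an injected transport, so it runs with no instance and no network. The `/latest/api/token` endpoint and the `X-aws-ec2-metadata-token` header names are the public IMDSv2 protocol rather than settings from this page; `make_fake_imds` is a constructed stand-in for the metadata service.

```python
"""Resolve IMDS settings and model the IMDSv2-to-IMDSv1 fallback.

Added example, not SDK code. Defaults and the fallback trigger (403, 404, 405
on the IMDSv2 token request) come from this page; the token endpoint and header
names are the public IMDSv2 protocol. Assumptions of this example: an
environment variable wins over the shared-config setting of the same name, and
the HTTP transport is injectable so the code runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IPV4_DEFAULT = "http://169.254.169.254"
IPV6_DEFAULT = "http://[fd00:ec2::254]"
NON_RETRYABLE = {403, 404, 405}          # token-request failures that allow v1 fallback
ROLE_PATH = "/latest/meta-data/iam/security-credentials/"


@dataclass
class ImdsSettings:
    disabled: bool       # AWS_EC2_METADATA_DISABLED
    v1_disabled: bool    # ec2_metadata_v1_disabled / AWS_EC2_METADATA_V1_DISABLED
    endpoint: str        # ec2_metadata_service_endpoint or the mode-dependent default


def _truthy(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() == "true"


def resolve_imds_settings(env: Dict[str, str], config: Dict[str, str]) -> ImdsSettings:
    mode = (env.get("AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE")
            or config.get("ec2_metadata_service_endpoint_mode") or "IPv4").lower()
    if mode not in ("ipv4", "ipv6"):
        raise ValueError(f"endpoint mode must be IPv4 or IPv6, got {mode!r}")
    endpoint = (env.get("AWS_EC2_METADATA_SERVICE_ENDPOINT")
                or config.get("ec2_metadata_service_endpoint")
                or (IPV6_DEFAULT if mode == "ipv6" else IPV4_DEFAULT))
    v1_setting = env.get("AWS_EC2_METADATA_V1_DISABLED", config.get("ec2_metadata_v1_disabled"))
    return ImdsSettings(disabled=_truthy(env.get("AWS_EC2_METADATA_DISABLED")),
                        v1_disabled=_truthy(v1_setting),
                        endpoint=endpoint.rstrip("/"))


@dataclass
class Response:
    status: int
    body: str = ""


# (method, url, headers) -> Response
Transport = Callable[[str, str, Dict[str, str]], Response]


def fetch_role_name(settings: ImdsSettings, transport: Transport) -> Tuple[str, str]:
    """Return (outcome, detail); outcome is "IMDSv2", "IMDSv1", "disabled" or "failed"."""
    if settings.disabled:
        return ("disabled", "AWS_EC2_METADATA_DISABLED=true")
    token = transport("PUT", settings.endpoint + "/latest/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if token.status == 200:
        resp = transport("GET", settings.endpoint + ROLE_PATH,
                         {"X-aws-ec2-metadata-token": token.body})
        return ("IMDSv2", resp.body) if resp.status == 200 else ("failed", f"IMDSv2 GET {resp.status}")
    if token.status in NON_RETRYABLE and not settings.v1_disabled:
        resp = transport("GET", settings.endpoint + ROLE_PATH, {})
        return ("IMDSv1", resp.body) if resp.status == 200 else ("failed", f"IMDSv1 GET {resp.status}")
    return ("failed", f"IMDSv2 token request {token.status}, no fallback")


def make_fake_imds(token_status: int, role_name: str = "ConstructedRole") -> Transport:
    """Constructed stand-in for the metadata endpoint: answers the token PUT with
    `token_status` and serves the role name to v2 (valid token) or v1 (no token)."""
    issued = "constructed-imdsv2-token"

    def transport(method: str, url: str, headers: Dict[str, str]) -> Response:
        if method == "PUT" and url.endswith("/latest/api/token"):
            return Response(token_status, issued if token_status == 200 else "")
        if method == "GET" and url.endswith(ROLE_PATH):
            presented = headers.get("X-aws-ec2-metadata-token")
            if presented is not None and presented != issued:
                return Response(401)
            return Response(200, role_name)
        return Response(404)

    return transport
```

With `ec2_metadata_v1_disabled = true`, a 403 on the token request fails closed instead of silently downgrading to IMDSv1, which is the behaviour you want on instances where IMDSv2 is enforced; the Kotlin and Rust rows of the support table below describe SDKs that never fall back at all.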

## Security for IMDS credentials
<a name="feature-imds-credentials-sdk-security"></a>

By default, when the AWS SDK is not configured with valid credentials, the SDK attempts to use the Amazon EC2 Instance Metadata Service (IMDS) to retrieve credentials for an AWS role. You can disable this behavior by setting the `AWS_EC2_METADATA_DISABLED` environment variable to `true`. Doing so prevents unnecessary network activity and enhances security on untrusted networks where the Amazon EC2 Instance Metadata Service may be impersonated.

**Note**  
AWS SDK clients configured with valid credentials will never use IMDS to retrieve credentials, regardless of any of these settings.

### Disabling use of Amazon EC2 IMDS credentials
<a name="feature-imds-credentials-disabling"></a>

How you set this environment variable depends on what operating system is in use as well as whether or not you want the change to be persistent.

#### Linux and macOS
<a name="feature-imds-credentials-disabling-unix"></a>

Customers using Linux or macOS can set this environment variable with the following command:

```
$ export AWS_EC2_METADATA_DISABLED=true
```

If you want this setting to be persistent across multiple shell sessions and system restarts, you can add the above command to your shell profile file, such as `.bash_profile`, `.zsh_profile`, or `.profile`.

#### Windows
<a name="feature-imds-credentials-disabling-windows"></a>

Customers using Windows can set this environment variable with the following command:

```
C:\> set AWS_EC2_METADATA_DISABLED=true
```

If you want this setting to be persistent across multiple shell sessions and system restarts, you can use the following command instead (note that `setx` takes the name and the value as separate arguments, without an equals sign):

```
C:\> setx AWS_EC2_METADATA_DISABLED true
```

**Note**  
The **setx** command does not apply the value to the current shell session, so you will need to reload or reopen the shell for the change to take effect.

## Support by AWS SDKs and tools
<a name="feature-imds-credentials-sdk-compat"></a>

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.


| SDK | Supported | Notes or more information | 
| --- | --- | --- | 
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes |  | 
| [SDK for C++](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes |  | 
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes |  | 
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). | 
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes |  | 
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Partial | JVM system properties: Use com.amazonaws.sdk.disableEc2MetadataV1 instead of aws.disableEc2MetadataV1; aws.ec2MetadataServiceEndpoint and aws.ec2MetadataServiceEndpointMode not supported.  | 
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes |  | 
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes |  | 
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes | Does not use IMDSv1 fallback. | 
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes |  | 
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes |  | 
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes |  | 
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes |  | 
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes | Does not use IMDSv1 fallback. | 
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes |  | 
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes | You can disable IMDSv1 fallback explicitly in code using `[Amazon.Util.EC2InstanceMetadata]::EC2MetadataV1Disabled = $true`. | 
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes | You can disable IMDSv1 fallback explicitly in code using `[Amazon.Util.EC2InstanceMetadata]::EC2MetadataV1Disabled = $true`. | 

# Process credential provider
<a name="feature-process-credentials"></a>

**Note**  
For help in understanding the layout of settings pages, or in interpreting the **Support by AWS SDKs and tools** table that follows, see [Understanding the settings pages of this guide](settings-reference.md#settingsPages).

SDKs provide a way to extend the credential provider chain for custom use cases. This provider can be used to supply custom implementations, such as retrieving credentials from an on-premises credentials store or integrating with your on-premises identity provider.

For example, IAM Roles Anywhere uses `credential_process` to get temporary credentials on behalf of your application. To configure `credential_process` for this use, see [Using IAM Roles Anywhere to authenticate AWS SDKs and tools](access-rolesanywhere.md).

**Note**  
The following describes a method of sourcing credentials from an external process and might be used if you are running software outside of AWS. If you are building on an AWS compute resource, use other credential providers. If using this option, you should make sure that the config file is as locked down as possible using security best practices for your operating system. Confirm that your custom credential tool does not write any secret information to `StdErr`, because the SDKs and AWS CLI can capture and log such information, potentially exposing it to unauthorized users.

Configure this functionality by using the following:

**`credential_process` - shared AWS `config` file setting**  
Specifies an external command that the SDK or tool runs on your behalf to generate or retrieve authentication credentials to use. The setting specifies the name of a program/command that the SDK will invoke. When the SDK invokes the process, it waits for the process to write JSON data to `stdout`. The custom provider must return information in a specific format. That information contains the credentials that the SDK or tool can use to authenticate you. 

**Note**  
The process credential provider is a part of the [credential provider chain](standardized-credentials.md#credentialProviderChain). However, the process credential provider is only checked after several other providers that are in this series. Therefore, if you want your program to use this provider's credentials, you must remove other valid credential providers from your configuration or use a different profile. Alternatively, instead of relying on the credential provider chain to automatically discover which provider returns valid credentials, specify the use of the process credential provider in code. You can specify credential sources directly when you create service clients.

## Specifying the path to the credentials program
<a name="feature-process-credentials-detail-path"></a>

The setting's value is a string that contains a path to a program that the SDK or development tool runs on your behalf:
+ The path and file name can consist of only these characters: A-Z, a-z, 0-9, hyphen ( - ), underscore ( _ ), period ( . ), forward slash ( / ), backslash ( \ ), and space.
+ If the path or file name contains a space, surround the complete path and file name with double-quotation marks (" "). 
+ If a parameter name or a parameter value contains a space, surround that element with double-quotation marks (" "). Surround only the name or value, not the pair.
+ Don't include any environment variables in the strings. For example, don't include `$HOME` or `%USERPROFILE%`.
+ Don't specify the home folder as `~`.
+ You must specify either the full path or a base file name. If there is a base file name, the system attempts to find the program within folders specified by the `PATH` environment variable. The path varies depending on the operating system:

  The following example shows setting `credential_process` in the shared `config` file on Linux/macOS.

  ```
  credential_process = "/path/to/credentials.sh" parameterWithoutSpaces "parameter with spaces"
  ```

  The following example shows setting `credential_process` in the shared `config` file on Windows.

  ```
  credential_process = "C:\Path\To\credentials.cmd" parameterWithoutSpaces "parameter with spaces"
  ```
+  Can be specified within a dedicated profile:

  ```
  [profile cred_process] 
  credential_process = /Users/username/process.sh 
  region = us-east-1
  ```

## Valid output from the credentials program
<a name="feature-process-credentials-output"></a>

The SDK runs the command as specified in the profile and then reads data from the standard output stream. The command you specify, whether a script or binary program, must generate JSON output on `STDOUT` that matches the following syntax. 

```
{
    "Version": 1,
    "AccessKeyId": "an AWS access key",
    "SecretAccessKey": "your AWS secret access key",
    "SessionToken": "the AWS session token for temporary credentials", 
    "Expiration": "RFC3339 timestamp for when the credentials expire"
}
```

**Note**  
As of this writing, the `Version` key must be set to `1`. This might increment over time as the structure evolves.

The `Expiration` key is an RFC3339 formatted timestamp. If the `Expiration` key isn't present in the tool's output, the SDK assumes that the credentials are long-term credentials that don't refresh. Otherwise, the credentials are considered temporary credentials, and they are automatically refreshed by rerunning the `credential_process` command before the credentials expire.

**Note**  
The SDK does ***not*** cache external process credentials the way it does assume-role credentials. If caching is required, you must implement it in the external process.

The external process can return a non-zero return code to indicate that an error occurred while retrieving the credentials.
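The following Python module is an added example, not part of the AWS documentation or of any SDK: it shows the output contract end to end by building and validating a `Version` 1 document, deciding when temporary credentials are due for refresh, and implementing the process-side caching that the note above says the SDK does not provide. The `fetch` callable, the cache path and the five-minute refresh margin are assumptions.

```python
import json, os
from datetime import datetime, timedelta, timezone

VERSION = 1  # the only Version value the SDK accepts as of this writing
REFRESH_MARGIN = timedelta(minutes=5)  # assumed: re-fetch this long before Expiration

def parse_expiration(value):
    """RFC3339 timestamp such as '2030-01-01T12:00:00Z' -> aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def validate_output(doc):
    """Shape the SDK reads from STDOUT: Version 1, non-empty key id and secret, parseable Expiration if present."""
    try:
        ok = doc["Version"] == VERSION and all(doc[k] for k in ("AccessKeyId", "SecretAccessKey"))
        return ok and ("Expiration" not in doc or parse_expiration(doc["Expiration"]) is not None)
    except (KeyError, TypeError, AttributeError, ValueError):
        return False

def needs_refresh(doc, now=None):
    """Long-term credentials (no Expiration) never refresh; temporary ones do within REFRESH_MARGIN."""
    if "Expiration" not in doc:
        return False
    return parse_expiration(doc["Expiration"]) - (now or datetime.now(timezone.utc)) <= REFRESH_MARGIN

def format_output(access_key_id, secret_access_key, session_token=None, expiration=None):
    """Build the output document, writing Expiration as an RFC3339 timestamp in UTC."""
    doc = {"Version": VERSION, "AccessKeyId": access_key_id, "SecretAccessKey": secret_access_key}
    if session_token:
        doc["SessionToken"] = session_token
    if expiration is not None:
        doc["Expiration"] = expiration.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return doc

def load_or_fetch(cache_path, fetch):
    """Reuse the on-disk cache while it is valid and not due for refresh; otherwise call
    `fetch` (hypothetical callable returning a new document) and cache what it returns."""
    try:
        with open(cache_path) as fh:
            cached = json.load(fh)
        if validate_output(cached) and not needs_refresh(cached):
            return cached
    except (OSError, ValueError):
        pass  # no cache, unreadable or corrupt: fall through and fetch
    doc = fetch()
    if not validate_output(doc):
        raise ValueError("credential source returned an invalid document")
    fd = os.open(cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # holds a secret: owner-only
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh)
    return doc
```

A real `credential_process` entry point would print `json.dumps(doc)` to `STDOUT` and exit non-zero on any exception so that the SDK sees the failure rather than an empty document.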

## Support by AWS SDKs and tools
<a name="feature-process-credentials-sdk-compat"></a>

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the AWS SDK for Java and the AWS SDK for Kotlin only.


| SDK | Supported | Notes or more information | 
| --- | --- | --- | 
| [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/) | Yes |  | 
| [SDK for C++](https://docs.aws.amazon.com/sdk-for-cpp/latest/developer-guide/) | Yes |  | 
| [SDK for Go V2 (1.x)](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/) | Yes |  | 
| [SDK for Go 1.x (V1)](https://docs.aws.amazon.com/sdk-for-go/latest/developer-guide/) | Yes | To use shared config file settings, you must turn on loading from the config file; see [Sessions](https://docs.aws.amazon.com/sdk-for-go/api/aws/session/). | 
| [SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/) | Yes |  | 
| [SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/) | Yes |  | 
| [SDK for JavaScript 3.x](https://docs.aws.amazon.com/sdk-for-javascript/latest/developer-guide/) | Yes |  | 
| [SDK for JavaScript 2.x](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/) | Yes |  | 
| [SDK for Kotlin](https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 4.x](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/) | Yes |  | 
| [SDK for .NET 3.x](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/) | Yes |  | 
| [SDK for PHP 3.x](https://docs.aws.amazon.com/sdk-for-php/latest/developer-guide/) | Yes |  | 
| [SDK for Python (Boto3)](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html) | Yes |  | 
| [SDK for Ruby 3.x](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/) | Yes |  | 
| [SDK for Rust](https://docs.aws.amazon.com/sdk-for-rust/latest/dg/) | Yes |  | 
| [SDK for Swift](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/) | Yes |  | 
| [Tools for PowerShell V5](https://docs.aws.amazon.com/powershell/latest/userguide/) | Yes |  | 
| [Tools for PowerShell V4](https://docs.aws.amazon.com/powershell/v4/userguide/) | Yes |  | 