Authentication information used by Boto3 (AWS SDK for Python)

Boto3 looks for authentication information in 8 locations, as summarized in "Credentials — Boto 3". The locations are searched in a fixed order.

Credential search order

Boto3 tries to get credentials in multiple ways, such as parameters and profiles. The methods and their order are described in the "Configuring Credentials" section of "Credentials — Boto 3". My translation of that part follows.

Boto3's credential search mechanism walks the list below and stops as soon as it finds credentials. The order in which Boto3 searches for credentials is:

  1. Credentials passed as parameters to the boto3.client() method
  2. Credentials passed as parameters when creating the Session object
  3. Environment variables
  4. Shared credentials file (~/.aws/credentials)
  5. AWS configuration file (~/.aws/config)
  6. Assume Role provider
  7. Boto2 configuration file (/etc/boto.cfg and ~/.boto)
  8. The instance metadata service on an Amazon EC2 instance configured with an IAM role

Below, we look at the ones that use an API access key and API secret key, or a named profile.

1. Direct specification in the client() method and resource() method

In the boto3.client() method or the boto3.session.Session().client() method, specify the following with parameters.

| Key | Specified value |
| --- | --- |
| aws_access_key_id | API access key |
| aws_secret_access_key | API secret key |
| aws_session_token | (When using multi-factor authentication) Session token |

The following is an example of execution in an interactive shell.

>>> import boto3
>>> client = boto3.client('iam', aws_access_key_id='YOURACCESSKEY', aws_secret_access_key='YOURSECRETKEY')
>>> client.list_users()

You can specify the same three parameters when you use the resource() method (boto3.resource() or boto3.session.Session().resource()) instead of client().

>>> import boto3
>>> resource = boto3.resource('iam', aws_access_key_id='YOURACCESSKEY', aws_secret_access_key='YOURSECRETKEY')
>>> list(resource.users.all())

2. Credentials passed as parameters when creating the Session object

Specifying authentication information

When creating a session object with boto3.session.Session(), specify the following with parameters. Clients generated by the client() method and resources generated by the resource() method of that Session object use these credentials.

| Key | Specified value |
| --- | --- |
| aws_access_key_id | API access key |
| aws_secret_access_key | API secret key |
| aws_session_token | (When using multi-factor authentication) Session token |

The following is an example of execution in an interactive shell.

>>> import boto3
>>> session = boto3.session.Session(aws_access_key_id='YOURACCESSKEY', aws_secret_access_key='YOURSECRETKEY')
>>> client = session.client('iam')
>>> client.list_users()

Specifying a profile

When creating a session object with boto3.session.Session(), specify the following with parameters. The credentials configured in the specified Named Profile (https://docs.aws.amazon.com/ja_jp/cli/latest/userguide/cli-configure-profiles.html) will be used. Clients generated by the client() method and resources generated by the resource() method of that Session object use these credentials.

| Key | Specified value |
| --- | --- |
| profile_name | Profile name |

The following is an example of execution in an interactive shell.

>>> import boto3
>>> session = boto3.session.Session(profile_name='YOURPROFILENAME')
>>> client = session.client('iam')
>>> client.list_users()

3. Environment variables

Specifying authentication information

Specify the following with environment variables. If no credentials were given explicitly by the methods in the previous sections, these are used.

| Environment variable name | Specified value |
| --- | --- |
| AWS_ACCESS_KEY_ID | API access key |
| AWS_SECRET_ACCESS_KEY | API secret key |
| AWS_SESSION_TOKEN | (When using multi-factor authentication) Session token |

The following example sets the above environment variables in bash and then starts the Python interactive shell.

$ export AWS_ACCESS_KEY_ID=YOURACCESSKEY
$ export AWS_SECRET_ACCESS_KEY=YOURSECRETKEY
$ python3
Python 3.6.9 (default, Nov  7 2019, 10:44:02)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> client = boto3.client('iam')
>>> client.list_users()

Specifying a profile

Specify the following with environment variables. If no credentials were given explicitly by the methods in the previous sections, the credentials configured in the specified Named Profile will be used.

| Environment variable name | Specified value |
| --- | --- |
| AWS_PROFILE | Profile name |

The following example sets the above environment variable in bash and then starts the Python interactive shell.

$ export AWS_PROFILE=YOURPROFILENAME
$ python3
Python 3.6.9 (default, Nov  7 2019, 10:44:02)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> client = boto3.client('iam')
>>> client.list_users()

4. Shared credentials file (~/.aws/credentials)

If no credentials have been found so far, the credentials configured as the default profile in the credentials file (~/.aws/credentials) will be used. This file is usually set up with the `aws configure` command when you first use the AWS CLI. For details, refer to "AWS CLI Easy Setting".

5. AWS configuration file (~/.aws/config)

If no credentials have been found so far, any credentials configured in the default profile of the AWS configuration file (~/.aws/config) will be used. Normally, however, the profile information kept in the AWS configuration file is the region (`region`) and the default output format (`output`), and it does not include authentication information.

7. Boto2 configuration file (/etc/boto.cfg and ~/.boto)

If no credentials have been found so far, Boto3 checks for credentials stored in the Boto2 configuration file, if one exists. By default the Boto2 configuration file is located at /etc/boto.cfg or ~/.boto. The following is an example of its contents.

# Example ~/.boto file
[Credentials]
aws_access_key_id = foo
aws_secret_access_key = bar

This exists for backwards compatibility, and everything in the Boto2 configuration file other than the Credentials section is ignored.

Authentication method, specification method and priority

Four kinds of credentials can be used with Boto3: (1) an API access key and API secret key, (2) the default profile, (3) a named profile, and (4) a role (details not covered here). Matching these against the specification methods described so far gives the following.

| Authentication method | How to specify |
| --- | --- |
| API access key and API secret key | 1, 2, 3, 4, 5, 7 |
| Default profile | 4 |
| Named profile | 2, 3 |
| Role | 6, 8 |

If the authentication method you expect does not seem to be the one in use, check whether credentials have also been specified through a method with a higher priority.

For example, if you specify a named profile in the `AWS_PROFILE` environment variable but a different profile name is specified in `boto3.session.Session()`, the latter takes precedence. You will notice this if you did it intentionally, but it can be confusing when a default value is set somewhere along the way.
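The check suggested above can be scripted. The following is an added example, not code from the original article or from Boto3: it uses only the standard library, models the search order as listed on this page for steps 3, 4, 5 and 7, and reports which location holding static keys would be used and which ones it shadows. The function names `static_key_sources` and `report` are hypothetical, and it assumes that when `AWS_PROFILE` is set, that profile's section is read instead of `default`; credentials passed in code (steps 1 and 2) are not visible to it and override everything it reports.

```python
import configparser
import os
from pathlib import Path


def _has_keys(path, section):
    """True if `section` of the INI file at `path` holds both key fields."""
    cp = configparser.RawConfigParser()
    try:
        cp.read(path)  # a missing or unreadable file is silently skipped
    except configparser.Error:
        return False  # unparsable file: treat as holding no usable keys
    return (cp.has_option(section, "aws_access_key_id")
            and cp.has_option(section, "aws_secret_access_key"))


def static_key_sources(env=None, home=None, etc_boto="/etc/boto.cfg"):
    """List every place that holds static keys, in the page's search order
    (steps 3, 4, 5, 7). Only labels are returned, never the key material."""
    env = os.environ if env is None else env
    home = Path(home) if home else Path.home()
    profile = env.get("AWS_PROFILE") or "default"
    # ~/.aws/config names non-default profiles "[profile NAME]"
    cfg_section = "default" if profile == "default" else f"profile {profile}"
    found = []
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        found.append("3: environment variables")
    if _has_keys(home / ".aws" / "credentials", profile):
        found.append(f"4: ~/.aws/credentials [{profile}]")
    if _has_keys(home / ".aws" / "config", cfg_section):
        found.append(f"5: ~/.aws/config [{cfg_section}]")
    for label, path in (("/etc/boto.cfg", Path(etc_boto)), ("~/.boto", home / ".boto")):
        if _has_keys(path, "Credentials"):
            found.append(f"7: {label} [Credentials]")
    return found


def report(found):
    """First entry is where the search stops; the rest are shadowed."""
    if not found:
        return "no static keys in steps 3-7 (a role, steps 6 or 8, may apply)"
    lines = [f"used:     {found[0]}"]
    lines += [f"shadowed: {s}" for s in found[1:]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(static_key_sources()))
```

Any "shadowed" line is a set of long-lived keys that the running code does not need from that location and that can be reviewed for removal.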

Reference

About boto3 authentication.

About AWS credentials and configuration files.

About each method of boto3.

About Boto2 configuration file.
