Default credentials provider chain - AWS SDK for Java 2.x (original) (raw)
Credential settings retrieval order
The default credentials provider chain is implemented by the DefaultCredentialsProvider class. It sequentially checks each place where you can set the default configuration for supplying temporary credentials, and then selects the first one you set.
To use the default credentials provider chain to supply temporary credentials, create a service client builder but don't specify a credentials provider. The following code snippet creates a DynamoDbClient that uses the default credentials provider chain to locate and retrieve default configuration settings.
Region region = Region.US_WEST_2;
DynamoDbClient ddb =
DynamoDbClient.builder()
.region(region)
.build();Credential settings retrieval order
The default credentials provider chain of the SDK for Java 2.x searches for configuration in your environment using a predefined sequence.
- Java system properties
- The SDK uses the SystemPropertyCredentialsProvider class to load temporary credentials from the
aws.accessKeyId,aws.secretAccessKey, andaws.sessionTokenJava system properties.
Note
For information on how to set Java system properties, see the System Properties tutorial on the official Java Tutorials website.
- The SDK uses the SystemPropertyCredentialsProvider class to load temporary credentials from the
- Environment variables
- The SDK uses the EnvironmentVariableCredentialsProvider class to load temporary credentials from the
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY, andAWS_SESSION_TOKENenvironment variables.
- The SDK uses the EnvironmentVariableCredentialsProvider class to load temporary credentials from the
- Web identity token from AWS Security Token Service
- The SDK uses the WebIdentityTokenFileCredentialsProvider class to load temporary credentials from Java system properties or environment variables.
- The shared
credentialsandconfigfiles- The SDK uses the ProfileCredentialsProvider to load IAM Identity Center single sign-on settings or temporary credentials from the
[default]profile in the sharedcredentialsandconfigfiles.
The AWS SDKs and Tools Reference Guide has detailed information about how the SDK for Java works with the IAM Identity Center single sign-on token to get temporary credentials that the SDK uses to call AWS services.
- The SDK uses the ProfileCredentialsProvider to load IAM Identity Center single sign-on settings or temporary credentials from the
- Amazon ECS container credentials
- The SDK uses the ContainerCredentialsProvider class to load temporary credentials from the following environment variables:
AWS_CONTAINER_CREDENTIALS_RELATIVE_URIorAWS_CONTAINER_CREDENTIALS_FULL_URIAWS_CONTAINER_AUTHORIZATION_TOKEN_FILEorAWS_CONTAINER_AUTHORIZATION_TOKEN
- The SDK uses the ContainerCredentialsProvider class to load temporary credentials from the following environment variables:
- Amazon EC2 instance IAM role-provided credentials
- The SDK uses the InstanceProfileCredentialsProvider class to load temporary credentials from the Amazon EC2 metadata service.
Configure access to temporary credentials
Use a specific credentials provider
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.