Credential Location for AWS PHP SDK

I created an EC2 Ubuntu instance.

The following works using the AWS 2.6 SDK for PHP:

    $client = DynamoDbClient::factory(array(
        'key'    => 'xxx',
        'secret' => 'xxx',
        'region' => 'eu-west-1'
    ));

I created a credentials file in ~/.aws/credentials.
I put this in /home/ubuntu/.aws/credentials:

    [default]
    aws_access_key_id=xxx
    aws_secret_access_key=xxx

Trying to do the following does not work and gives an InstanceProfileCredentialsException:

    $client = DynamoDbClient::factory(array(
        'profile' => 'default',
        'region'  => 'eu-west-1'
    ));

The www-data user and the ubuntu user.
In which folder should I put the credential file?

+7
amazon-web-services amazon-ec2
6 answers

I have a non-EC2 server that accesses SQS and needs credentials. I can’t use envvars because there are different people with different rights who work on this server, and envvars are global. For the same reason, I don’t think I can use the AWS credential file stored under the user's home directory (although I also could not figure out how to make this work for the www-data user).

What I did was a small AWS_Creds.php file

    <?php
    define ("AWS_KEY", "MY KEY HERE");
    define ("AWS_SECRET", "MY SECRET");
    ?>

The file is stored outside of the webroot and is included with include ('ABSOLUTEPATH/AWS_Creds.php'), and I include a hard-wired link to the factory client.

Elegant? No. Done? Yes.

EDIT

I forgot to mention: gitignore AWS_Creds.php so that it does not get into our repo.

+2

One solution for setting credentials is:

sudo nano /etc/apache2/envvars

add environment variables:

    export AWS_ACCESS_KEY_ID="xxx"
    export AWS_SECRET_ACCESS_KEY="xxx"

sudo service apache2 restart

After that, the following works:

    $client = DynamoDbClient::factory(array(
        'region' => 'eu-west-1'
    ));

+8

If you are calling the API from an EC2 instance, you must use IAM roles.

Using IAM roles is the preferred method for providing credentials for applications running on Amazon EC2. IAM roles eliminate the need to worry about managing credentials from your application. They allow an instance to “take” a role by obtaining temporary credentials from the EC2 instance metadata server. These temporary credentials, often called instance profile credentials, allow access to the actions and resources that the role policy allows.

+5

Basically, you can use it like this:

    $client = DynamoDbClient::factory(array(
        'key'    => 'aws_key',
        'secret' => 'aws_secret',
        'region' => 'us-east-1'
    ));

but in the documentation:

Starting with the AWS SDK for PHP version 2.6.2, you can use the AWS credential file to specify your credentials. This is a special, .ini formatted file stored in your home directory and is a good way to manage credentials for your development environment. The file should be placed in ~/.aws/credentials, where ~ represents your HOME directory.

and use:

    $dynamoDbClient = DynamoDbClient::factory(array(
        'profile' => 'project1',
        'region'  => 'us-west-2',
    ));

Additional information: http://docs.aws.amazon.com/aws-sdk-php/guide/latest/credentials.html

+2

After viewing the credential.php source code in aws/aws-sdk-php/src, PHP cannot directly access the default root folder. You can write $_SERVER['HOME'] = [your new home path] in your PHP and put the credentials file in newHomePath/.aws/credentials.

+1

This is too late, but the solution I found for shared servers on which you cannot actually use environment vars is to define a custom location for the ini file, for example:

    require (__DIR__.'/AWSSDK/aws-autoloader.php');

    use Aws\Credentials\CredentialProvider;
    use Aws\S3\S3Client;

    $profile = 'default';
    $path = '/path/to/credentials';

    $provider = CredentialProvider::ini($profile, $path);
    $provider = CredentialProvider::memoize($provider);

    $client = new \Aws\S3\S3Client([
        'version' => 'latest',
        'region' => 'us-west-2',
        'credentials' => $provider
    ]);

Note that you can even define different profiles using this method. Documentation HERE

+1
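
A preflight check for the explicit-path approach in the answer above, as an added example that is not part of the original answers or of the AWS SDK: before the path is passed to `CredentialProvider::ini`, it verifies that the file is readable by the PHP process, sits outside the document root, is closed to group and other users, and contains the requested profile. The function name `checkCredentialsFile`, the `/var/www/html` document root and the temporary sample file are assumptions made for this example, and a Unix-like host is assumed.

```php
<?php
// Added example (not AWS SDK code): preflight checks for a credentials file
// before its path is handed to the SDK. Assumes a Unix-like host.
// Returns a list of problems; an empty list means the file passed every check.
function checkCredentialsFile(string $path, string $profile, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        return ["file not found: $path"];
    }
    if (!is_readable($real)) {
        return ['not readable by the user the PHP process runs as'];
    }
    $problems = [];
    // A file under the document root could be served to clients.
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        $problems[] = 'file is inside the document root';
    }
    // Group/other permission bits let other local accounts read the secret.
    clearstatcache(true, $real);
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        $problems[] = sprintf('mode %04o is too open, expected 0600', $mode);
    }
    $ini = parse_ini_file($real, true, INI_SCANNER_RAW);
    if ($ini === false || !isset($ini[$profile])) {
        return array_merge($problems, ["profile [$profile] not found"]);
    }
    foreach (['aws_access_key_id', 'aws_secret_access_key'] as $key) {
        if (empty($ini[$profile][$key])) {
            $problems[] = "profile [$profile] is missing $key";
        }
    }
    return $problems;
}

// Constructed sample input: a throwaway file holding placeholder values.
$dir = sys_get_temp_dir() . '/aws_demo_' . getmypid();
mkdir($dir, 0700);
$file = "$dir/credentials";
file_put_contents($file, "[default]\naws_access_key_id=xxx\naws_secret_access_key=xxx\n");

foreach ([[0644, 'default'], [0600, 'default'], [0600, 'project1']] as [$mode, $profile]) {
    chmod($file, $mode);
    printf("%04o [%s]: %s\n", $mode, $profile, json_encode(checkCredentialsFile($file, $profile, '/var/www/html')));
}
unlink($file);
rmdir($dir);
```

Run the check as the same account the web server uses (www-data in the question's setup) so that the readability result reflects what the SDK will see.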