how to use hardcoded credentials?

[shi-yan]

all examples about how to create config show loading config from environment (~/.aws/xxx)

    let region_provider = RegionProviderChain::default_provider().or_else("us-west-2");
    let config = aws_config::from_env().region(region_provider).load().await;
    let client = Client::new(&config);

I don't want to load from environment, I want to hardcode the credentials

in python, for example, I can hardcode everything:

aws_config = Config(
    region_name = 'us-west-2',
    signature_version = 'v4',
    retries = {
        'max_attempts': 10,
        'mode': 'standard'
    }
)

    sagemaker_client = boto3.client('sagemaker',
        config=aws_config,
        aws_access_key_id='xxx',
        aws_secret_access_key='xxx')

[jdisanti]

In general you should prefer to use the credential providers that come with the SDK to get credentials securely, since it isn't secure to hardcode credentials into your application.

That said, if you need to do this, you can take a dependency on aws-types with the feature hardcoded-credentials enabled. This will allow you to use the Credentials::from_keys method.

From there, it would look like:

let creds = Credentials::from_keys("akid", "secret_key", None);
let conf = Config::builder()
    .credentials_provider(creds)
    .region(Region::new("us-east-1"))
    .build();
let client = Client::from_conf(conf);

[austinbutler]

Are the security risks elaborated on somewhere?

In this case what is considered "hardcoded"? Having the keys literally embedded in the code (very clearly a bad pattern!), loading keys via env vars or reading from files, both?

Also is using Credentials::new() with keys read from a file any more or less secure than from_keys? For example, assuming something like this works (haven't tried yet):

aws_config::from_env().credentials_provider(aws_sdk_s3::Credentials::new(
            settings_from_file.aws_access_key_id,
            settings_from_file.aws_secret_access_key,
            None,
            None,
           "test",
        )

[rcoh]

Hardcoded in this case refers to credentials that are literally present in the code.

Loading keys from env vars or from files is generally considered OK (although there are some issues with environment variables being leaked in some environments, and file permissions must be set correctly to limit access.)

Note that an environment variable credential provider as well as a profile file provider is provided as part of the standard chain.

Credentials::new is the API used by credentials providers, it's equivalent to from_keys, except more fields must be set manually.

If you have your own file format for credentials you need to support, I might consider implementing your own credentials provider so you can have nice logging, error handling, etc.

You may also want to wrap your provider in the LazyCaching provider so that accesses are cached.

In general, the most secure option is to use temporary, session based credentials with an expiry (eg. from STS, IMDS, etc.) rather than a permanent credential.

[DavidSouther]

While we encourage using the security audited credentials loading features provided by the SDK directly, we are aware there are some cases that require other mechanisms to retrieve AWS credentials. In those cases, you may also be interested in creating your own struct that has impl ProvideCredentials. For a complete example, see awsdocs/aws-doc-sdk-examples#5581

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.

[lcmgh]

For reference:

In AWS SDK v1 the hard coded credential provider can be created via Credentials::from_keys by adding dependency
aws-credential-types = { version = "1.1.5", features = ["hardcoded-credentials"] }