Boto can be configured in multiple ways. Regardless of the source or sources that you choose, you must have AWS credentials and a region set in order to make requests.
If you have the AWS CLI, then you can use its interactive configure command to set up your credentials and default region:
aws configure
Follow the prompts and it will generate configuration files in the correct locations for you.
There are two types of configuration data in boto3: credentials and non-credentials. Credentials include items such as aws_access_key_id, aws_secret_access_key, and aws_session_token. Non-credential configuration includes items such as which region to use or which addressing style to use for Amazon S3. The distinction between credentials and non-credentials configuration is important because the lookup process is slightly different. Boto3 will look in several additional locations when searching for credentials that do not apply when searching for non-credential configuration.
The mechanism in which boto3 looks for credentials is to search through a list of possible locations and stop as soon as it finds credentials. The order in which Boto3 searches for credentials is:
Each of those locations is discussed in more detail below.
The first option for providing credentials to boto3 is passing them as parameters when creating clients or when creating a Session. For example:
import boto3
client = boto3.client(
's3',
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
aws_session_token=SESSION_TOKEN,
)
# Or via the Session
session = boto3.Session(
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
aws_session_token=SESSION_TOKEN,
)
where ACCESS_KEY, SECRET_KEY and SESSION_TOKEN are variables that contain your access key, secret key, and optional session token. Note that the examples above do not have hard coded credentials. We do not recommend hard coding credentials in your source code. For example:
# Do not hard code credentials
client = boto3.client(
's3',
# Hard coded strings as credentials, not recommended.
aws_access_key_id='AKIAIO5FODNN7EXAMPLE',
aws_secret_access_key='ABCDEF+c2L7yXeGvUyrPgYsDnWRRC1AYEXAMPLE'
)
Valid uses cases for providing credentials to the client() method and Session objects include:
Boto3 will check these environment variables for credentials:
Boto3 can also load credentials from ~/.aws/config. You can change this default location by setting the AWS_CONFIG_FILE environment variable. The config file is an INI format, with the same keys supported by the shared credentials file. The only difference is that profile sections must have the format of [profile profile-name], except for the default profile. For example:
# Example ~/.aws/config file.
[default]
aws_access_key_id=foo
aws_secret_access_key=bar
[profile dev]
aws_access_key_id=foo2
aws_secret_access_key=bar2
[profile prod]
aws_access_key_id=foo3
aws_secret_access_key=bar3
The reason that section names must start with profile in the ~/.aws/config file is because there are other sections in this file that are permitted that aren't profile configurations.
Note
This is a different set of credentials configuration than using IAM roles for EC2 instances, which is discussed in a section below.
Within the ~/.aws/config file, you can also configure a profile to indicate that boto3 should assume a role. When you do this, boto3 will automatically make the corresponding AssumeRole calls to AWS STS on your behalf. It will handle in memory caching as well as refreshing credentials as needed.
You can specify the following configuration values for configuring an IAM role in boto3:
If you do not have MFA authentication required, then you only need to specify a role_arn and a source_profile.
When you specify a profile that has IAM role configuration, boto3 will make an AssumeRole call to retrieve temporary credentials. Subsequent boto3 API calls will use the cached temporary credentials until they expire, in which case boto3 will automatically refresh credentials. boto3 does not write these temporary credentials to disk. This means that temporary credentials from the AssumeRole calls are only cached in memory within a single Session. All clients created from that session will share the same temporary credentials.
If you specify an mfa_serial, then the first time an AssumeRole call is made, you will be prompted to enter the MFA code. Your code will block until you enter your MFA code. You'll need to keep this in mind if you have an mfa_serial configured but would like to use boto3 in some automated script.
Below is an example configuration for the minimal amount of configuration needed to configure an assume role profile:
# In ~/.aws/credentials:
[development]
aws_access_key_id=foo
aws_access_key_id=bar
# In ~/.aws/config
[profile crossaccount]
role_arn=arn:aws:iam:...
source_profile=development
See Using IAM Roles for general information on IAM roles.
Boto3 will attempt to load credentials from the Boto2 config file. It first checks the file pointed to by BOTO_CONFIG if set, otherwise it will check /etc/boto.cfg and ~/.boto. Note that only the [Credentials] section of the boto config file is used. All other configuration data in the boto config file is ignored. Example:
# Example ~/.boto file
[Credentials]
aws_access_key_id = foo
aws_secret_access_key = bar
This credential provider is primarily for backwards compatibility purposes with boto2.
If you are running on Amazon EC2 and no credentials have been found by any of the providers above, boto3 will try to load credentials from the instance metadata service. In order to take advantage of this feature, you must have specified an IAM role to use when you launched your EC2 instance. For more information on how to configure IAM roles on EC2 instances, see the IAM Roles for Amazon EC2 guide.
Note that if you've launched an EC2 instance with an IAM role configured, there's no explicit configuration you need to set in boto3 to use these credentials. Boto3 will automatically use IAM role credentials if it does not find credentials in any of the other places listed above.
If you're running on an EC2 instance, use AWS IAM roles. See the IAM Roles for Amazon EC2 guide for more information on how to set this up.
If you want to interoperate with multiple AWS SDKs (e.g Java, Javascript, Ruby, PHP, .NET, AWS CLI, Go, C++), use the shared credentials file (~/.aws/credentials). By using the shared credentials file, you can use a single file for credentials that will work in all the AWS SDKs.
In addition to credentials, you can also configure non-credential values. In general, boto3 follows the same approach used in credential lookup: try various locations until a value is found. Boto3 uses these sources for configuration:
Boto3 will also search the ~/.aws/config file when looking for configuration values. You can change the location of this file by setting the AWS_CONFIG_FILE environment variable.
This file is an INI formatted file that contains at least one section: [default]. You can create multiple profiles (logical groups of configuration) by creating sections named [profile profile-name]. If your profile name has spaces, you'll need to surround this value in quotes: [profile "my profile name"]. Below are all the config variables supported in the ~/.aws/config file:
Set S3-specific configuration data. Typically, these values do not need to be set. When necessary, Boto automatically switches signature versions and addressing styles.
addressing_style: The S3 addressing style. The following values are supported.
- auto
(Default) Attempts to use virtual, but falls back to path if necessary.
- path
Bucket name is included in the URI path.
- virtual
Bucket name is included in the hostname.
signature_version: The AWS signature version to use when signing requests. The following values are recognized.
- s3v4
(Default) Signature Version 4
- s3
(Deprecated) Signature Version 2
These settings are nested configuration values that require special formatting in the AWS configuration file. If the values are set by the AWS CLI or programmatically by an SDK, the formatting is handled automatically. If they are set by editing the AWS configuration file manually, the required format is shown below. Notice the indentation of each value.
[default]
region = us-east-1
output = json
s3 =
addressing_style = path
signature_version = s3v4