CredentialProvider
Credential providers are functions that accept no arguments and return a promise that is fulfilled with an \Aws\Credentials\CredentialsInterface or rejected with an \Aws\Exception\CredentialsException.
```php
use Aws\Credentials\CredentialProvider;

$provider = CredentialProvider::defaultProvider();
// Returns a CredentialsInterface or throws.
$creds = $provider()->wait();
```
Credential providers can be composed to create credentials using conditional logic that can create different credentials in different environments. You can compose multiple providers into a single provider using CredentialProvider::chain. This function accepts providers as variadic arguments and returns a new function that will invoke each provider until a successful set of credentials is returned.
```php
// First try an INI file at this location.
$a = CredentialProvider::ini(null, '/path/to/file.ini');
// Then try an INI file at this location.
$b = CredentialProvider::ini(null, '/path/to/other-file.ini');
// Then try loading from environment variables.
$c = CredentialProvider::env();
// Combine the three providers together.
$composed = CredentialProvider::chain($a, $b, $c);
// Returns a promise that is fulfilled with credentials or throws.
$promise = $composed();
// Wait on the credentials to resolve.
$creds = $promise->wait();
```
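Because a provider is just a function returning a promise, a chain link can also enforce policy. The following added example (not part of the SDK or its documentation) wraps providers so that only credentials carrying a session token are accepted; `requireSessionCredentials()` is a hypothetical helper and the key values are constructed placeholders.

```php
<?php
// Added example; requireSessionCredentials() is a hypothetical helper, not an SDK method.
require 'vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\Credentials;
use Aws\Credentials\CredentialsInterface;
use Aws\Exception\CredentialsException;

/**
 * Wraps a provider so that it only yields credentials carrying a session
 * token. Anything else becomes a rejection, which lets chain() fall
 * through to the next provider.
 */
function requireSessionCredentials(callable $provider): callable
{
    return function () use ($provider) {
        return $provider()->then(function (CredentialsInterface $creds) {
            if (!$creds->getSecurityToken()) {
                // Throwing inside then() rejects the returned promise.
                throw new CredentialsException(
                    'Refusing long-term credentials: no session token present'
                );
            }
            return $creds;
        });
    };
}

// Constructed placeholder values, not real keys.
$longTerm = CredentialProvider::fromCredentials(
    new Credentials('AKIA-CONSTRUCTED-KEY', 'constructed-secret')
);
$temporary = CredentialProvider::fromCredentials(
    new Credentials('ASIA-CONSTRUCTED-KEY', 'constructed-secret', 'constructed-token', time() + 900)
);

// In a deployment the wrapped providers would be env(), ini() and so on.
$provider = CredentialProvider::chain(
    requireSessionCredentials($longTerm),
    requireSessionCredentials($temporary)
);

$creds = $provider()->wait(); // throws CredentialsException if every link rejects
// Report which key was selected without writing the secret or token to logs.
printf("selected key id: %s, expires: %s\n",
    $creds->getAccessKeyId(), date(DATE_ATOM, $creds->getExpiration()));
```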
Table of Contents
- ENV_ARN = 'AWS_ROLE_ARN'
- ENV_KEY = 'AWS_ACCESS_KEY_ID'
- ENV_PROFILE = 'AWS_PROFILE'
- ENV_ROLE_SESSION_NAME = 'AWS_ROLE_SESSION_NAME'
- ENV_SECRET = 'AWS_SECRET_ACCESS_KEY'
- ENV_SESSION = 'AWS_SESSION_TOKEN'
- ENV_SHARED_CREDENTIALS_FILE = 'AWS_SHARED_CREDENTIALS_FILE'
- ENV_TOKEN_FILE = 'AWS_WEB_IDENTITY_TOKEN_FILE'
- assumeRole() : callable
  Credential provider that creates credentials using assume role
- assumeRoleWithWebIdentityCredentialProvider() : callable
  Credential provider that creates credentials by assuming role from a Web Identity Token
- cache() : callable
  Wraps a credential provider and saves provided credentials in an instance of Aws\CacheInterface. Forwards calls when no credentials found in cache and updates cache with the results.
- chain() : callable
  Creates an aggregate credentials provider that invokes the provided variadic providers one after the other until a provider returns credentials.
- defaultProvider() : callable
  Creates a default credential provider that first checks for environment variables, then checks for assumed role via web identity, then checks for cached SSO credentials from the CLI, then checks for credential_process in the "default" profile in ~/.aws/credentials, then checks for the "default" profile in ~/.aws/credentials, then for credential_process in the "default profile" profile in ~/.aws/config, then checks for "profile default" profile in ~/.aws/config (which is the default profile of AWS CLI), then tries to make a GET request to fetch credentials if the ECS environment variable is present, and finally checks for EC2 instance profile credentials.
- ecsCredentials() : EcsCredentialProvider
  Credential provider that creates credentials using ECS credentials fetched by a GET request whose URI is specified by an environment variable
- env() : callable
  Provider that creates credentials from environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.
- fromCredentials() : callable
  Create a credential provider function from a set of static credentials.
- getCredentialsFromSource() : mixed
- ini() : callable
  Credentials provider that creates credentials using an ini file stored in the current user's home directory. A source can be provided in this file for assuming a role using the credential_source config option.
- instanceProfile() : InstanceProfileProvider
  Credential provider that creates credentials using instance profile credentials.
- memoize() : callable
  Wraps a credential provider and caches previously provided credentials.
- process() : callable
  Credentials provider that creates credentials using a process configured in ini file stored in the current user's home directory.
- sso() : callable
  Credential provider that retrieves cached SSO credentials from the CLI
- getFileName() : string
- getHomeDir() : null|string
  Gets the environment's HOME directory if available.
- loadDefaultProfiles() : mixed
  Gets profiles from ~/.aws/credentials and ~/.aws/config ini files
- loadProfiles() : mixed
  Gets profiles from specified $filename, or default ini files.
- loadRoleProfile() : callable
  Assumes role for profile that includes role_arn
- reject() : mixed
Constants
ENV_ARN
public mixed ENV_ARN = 'AWS_ROLE_ARN'

ENV_KEY
public mixed ENV_KEY = 'AWS_ACCESS_KEY_ID'

ENV_PROFILE
public mixed ENV_PROFILE = 'AWS_PROFILE'

ENV_ROLE_SESSION_NAME
public mixed ENV_ROLE_SESSION_NAME = 'AWS_ROLE_SESSION_NAME'

ENV_SECRET
public mixed ENV_SECRET = 'AWS_SECRET_ACCESS_KEY'

ENV_SESSION
public mixed ENV_SESSION = 'AWS_SESSION_TOKEN'

ENV_SHARED_CREDENTIALS_FILE
public mixed ENV_SHARED_CREDENTIALS_FILE = 'AWS_SHARED_CREDENTIALS_FILE'

ENV_TOKEN_FILE
public mixed ENV_TOKEN_FILE = 'AWS_WEB_IDENTITY_TOKEN_FILE'

Methods
assumeRole()
Credential provider that creates credentials using assume role
public static assumeRole([array<string|int, mixed> $config = [] ]) : callable
Parameters
- $config : array<string|int, mixed> = []
  Array of configuration data
Return values
callable

assumeRoleWithWebIdentityCredentialProvider()
Credential provider that creates credentials by assuming role from a Web Identity Token
public static assumeRoleWithWebIdentityCredentialProvider([array<string|int, mixed> $config = [] ]) : callable
Parameters
- $config : array<string|int, mixed> = []
  Array of configuration data
Return values
callable

cache()
Wraps a credential provider and saves provided credentials in an instance of Aws\CacheInterface. Forwards calls when no credentials found in cache and updates cache with the results.
public static cache(callable $provider, CacheInterface $cache[, string|null $cacheKey = null ]) : callable
Parameters
- $provider : callable
  Credentials provider function to wrap
- $cache : CacheInterface
  Cache to store credentials
- $cacheKey : string|null = null
  (optional) Cache key to use
Return values
callable

chain()
Creates an aggregate credentials provider that invokes the provided variadic providers one after the other until a provider returns credentials.
public static chain() : callable
Return values
callable

defaultProvider()
Creates a default credential provider that first checks for environment variables, then checks for assumed role via web identity, then checks for cached SSO credentials from the CLI, then checks for credential_process in the "default" profile in ~/.aws/credentials, then checks for the "default" profile in ~/.aws/credentials, then for credential_process in the "default profile" profile in ~/.aws/config, then checks for "profile default" profile in ~/.aws/config (which is the default profile of AWS CLI), then tries to make a GET request to fetch credentials if the ECS environment variable is present, and finally checks for EC2 instance profile credentials.
public static defaultProvider([array<string|int, mixed> $config = [] ]) : callable
This provider is automatically wrapped in a memoize function that caches previously provided credentials.
Parameters
- $config : array<string|int, mixed> = []
  Optional array of ecs/instance profile credentials provider options.
Return values
callable

ecsCredentials()
Credential provider that creates credentials using ECS credentials fetched by a GET request whose URI is specified by an environment variable
public static ecsCredentials([array<string|int, mixed> $config = [] ]) : EcsCredentialProvider
Parameters
- $config : array<string|int, mixed> = []
  Array of configuration data.
Return values
EcsCredentialProvider

env()
Provider that creates credentials from environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.
public static env() : callable
Return values
callable

fromCredentials()
Create a credential provider function from a set of static credentials.
public static fromCredentials(CredentialsInterface $creds) : callable
Parameters
- $creds : CredentialsInterface
Return values
callable

getCredentialsFromSource()
public static getCredentialsFromSource([mixed $profileName = '' ][, mixed $filename = '' ][, mixed $config = [] ]) : mixed
Parameters
- $profileName : mixed = ''
- $filename : mixed = ''
- $config : mixed = []
Return values
mixed

ini()
Credentials provider that creates credentials using an ini file stored in the current user's home directory. A source can be provided in this file for assuming a role using the credential_source config option.
public static ini([string|null $profile = null ][, string|null $filename = null ][, array<string|int, mixed>|null $config = [] ]) : callable
Parameters
- $profile : string|null = null
  Profile to use. If not specified will use the "default" profile in "~/.aws/credentials".
- $filename : string|null = null
  If provided, uses a custom filename rather than looking in the home directory.
- $config : array<string|int, mixed>|null = []
  If provided, may contain the following:
  preferStaticCredentials: If true, prefer static credentials to role_arn if both are present.
  disableAssumeRole: If true, disable support for roles that assume an IAM role. If true and role profile is selected, an error is raised.
  stsClient: StsClient used to assume role specified in profile.
Return values
callable

instanceProfile()
Credential provider that creates credentials using instance profile credentials.
public static instanceProfile([array<string|int, mixed> $config = [] ]) : InstanceProfileProvider
Parameters
- $config : array<string|int, mixed> = []
  Array of configuration data.
Return values
InstanceProfileProvider

memoize()
Wraps a credential provider and caches previously provided credentials.
public static memoize(callable $provider) : callable
Ensures that cached credentials are refreshed when they expire.
Parameters
- $provider : callable
  Credentials provider function to wrap.
Return values
callable

process()
Credentials provider that creates credentials using a process configured in ini file stored in the current user's home directory.
public static process([string|null $profile = null ][, string|null $filename = null ]) : callable
Parameters
- $profile : string|null = null
  Profile to use. If not specified will use the "default" profile in "~/.aws/credentials".
- $filename : string|null = null
  If provided, uses a custom filename rather than looking in the home directory.
Return values
callable

sso()
Credential provider that retrieves cached SSO credentials from the CLI
public static sso(mixed $ssoProfileName[, mixed $filename = null ][, mixed $config = [] ]) : callable
Parameters
- $ssoProfileName : mixed
- $filename : mixed = null
- $config : mixed = []
Return values
callable

getFileName()
private static getFileName($filename) : string
Return values
string

getHomeDir()
Gets the environment's HOME directory if available.
private static getHomeDir() : null|string
Return values
null|string

loadDefaultProfiles()
Gets profiles from ~/.aws/credentials and ~/.aws/config ini files
private static loadDefaultProfiles() : mixed
Return values
mixed

loadProfiles()
Gets profiles from specified $filename, or default ini files.
private static loadProfiles(mixed $filename) : mixed
Parameters
- $filename : mixed
Return values
mixed

loadRoleProfile()
Assumes role for profile that includes role_arn
private static loadRoleProfile(mixed $profiles, mixed $profileName, mixed $filename, mixed $stsClient[, mixed $config = [] ]) : callable
Parameters
- $profiles : mixed
- $profileName : mixed
- $filename : mixed
- $stsClient : mixed
- $config : mixed = []
Return values
callable

reject()
private static reject(mixed $msg) : mixed
Parameters
- $msg : mixed