boto / botocore

The low-level, core functionality of boto3 and the AWS CLI.
Apache License 2.0

Boto documentation for container provider credentials #2445

Open ZhangHan opened 3 years ago

ZhangHan commented 3 years ago

botocore documents its credential resolution chain like this:

Boto3 will look in several locations when searching for credentials. The mechanism in which Boto3 looks for credentials is to search through a list of possible locations and stop as soon as it finds credentials. The order in which Boto3 searches for credentials is:

Where do container provider credentials fall into the credential chain? The Java SDK has listed it in the public doc: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials.html and I see it in the code: https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L80

It would be great to update in boto as well.

kdaily commented 3 years ago

Hi @ZhangHan,

Looks like that's just missing from our documentation! I can get it added in across the Python/CLI ecosystem. I just ran a CLI command (uses the same provider chain) without any valid options for credentials set, and you can see the whole chain and where the container provider is checked there. It's also used inside of the assume role provider.

2021-07-28 09:37:41,406 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: custom-process
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: config-file
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: ec2-credentials-file
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: boto-config
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: container-role
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
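
Added example, not part of the original thread or of botocore: a small parser for the `Looking for credentials via:` debug lines quoted above that recovers the chain order and lists which providers are consulted before `container-role`, so you can see what would take precedence over a task role. The function names, the last two sample lines, and the rule that a repeated provider name starts a new resolution pass are assumptions of this example.

```python
import re

# Sample log: the first 11 lines are the output quoted in the comment above;
# the last two lines are constructed (an unrelated line and a pass stopping at "env").
SAMPLE_LOG = """\
2021-07-28 09:37:41,406 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: custom-process
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: config-file
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: ec2-credentials-file
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: boto-config
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: container-role
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
2021-07-28 09:40:02,115 - MainThread - example.app - INFO - unrelated line
2021-07-28 09:40:02,120 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
"""

LOOKUP = re.compile(
    r"- botocore\.credentials - DEBUG - Looking for credentials via: (\S+)")

def resolution_passes(log_text):
    """Return one list of provider names per walk through the chain."""
    passes, current = [], []
    for line in log_text.splitlines():
        match = LOOKUP.search(line)
        if not match:
            continue  # not a provider-lookup line
        method = match.group(1)
        if method in current:  # assumption: a repeat means a new pass began
            passes.append(current)
            current = []
        current.append(method)
    if current:
        passes.append(current)
    return passes

def checked_before(chain, method):
    """Providers consulted ahead of `method`, or None if it was never reached."""
    if method not in chain:
        return None
    return chain[:chain.index(method)]

if __name__ == "__main__":
    for n, chain in enumerate(resolution_passes(SAMPLE_LOG), 1):
        print(n, chain[-1], checked_before(chain, "container-role"))
```

A pass in which `checked_before` returns `None` for `container-role` never consulted the container provider at all, which is the case to look for when a workload is expected to run under its task role.
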

ZhangHan commented 3 years ago

Great! Thanks for updating

tim-finnigan commented 2 years ago

Here is the credential order currently documented: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials

And here is the CLI order of precedence: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence