Open ZhangHan opened 3 years ago
Hi @ZhangHan,
Looks like that's just missing from our documentation! I can get it added in across the Python/CLI ecosystem. I just ran a CLI command (uses the same provider chain) without any valid options for credentials set, and you can see the whole chain and where the container provider is checked there. It's also used inside of the assume role provider.
2021-07-28 09:37:41,406 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: custom-process
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: config-file
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: ec2-credentials-file
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: boto-config
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: container-role
2021-07-28 09:37:41,407 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
Great! Thanks for updating
Here is the credential order currently documented: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials
And here is the CLI order of precedence: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence
botocore documents its credential resolution chain like this:
Boto3 will look in several locations when searching for credentials. The mechanism in which Boto3 looks for credentials is to search through a list of possible locations and stop as soon as it finds credentials. The order in which Boto3 searches for credentials is:
Where does container provider credentials fall into the credential chain? Java SDK has listed it in the public doc: https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials.html and I see in the code: https://github.com/boto/botocore/blob/develop/botocore/credentials.py#L80
It would be great to update in boto as well.