Credentials When Instantiating An AWS Client Object In The PHP SDK

When your PHP code uses an AWS service, you use the AWS SDK for PHP both in local development and in Lambda functions.

For example, if you want to send an email via SES, you instantiate an SES client object. You do this in both local dev and in your Lambda function. 

The critical difference between instantiating the client object in local development and in Lambda is how credentials are specified.

In local development, AWS credentials come from the access and secret keys.

A Lambda function runs inside AWS, so it checks IAM directly to see whether it is allowed to access other AWS services. There is no need for the access and secret keys.


Local Development


In local development, you can specify the access and secret keys directly in the code, for example:



$SesClient = new \Aws\Ses\SesClient([
    'region'  => $region,
    'version' => $version,
    'credentials' => [
        'key'    => 'AKIAIOSFODNN7EXAMPLE',
        'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    ],
]);




Alternatively, you can create a "credentials" file in the ".aws" folder:



[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY




The ".aws" folder is in your user folder, such as "/Users/username/.aws".

You can also create the "credentials" file with this Serverless Framework command:

serverless config credentials --provider aws --key AKIAIOSFODNN7EXAMPLE --secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY


When you have an ".aws/credentials" file, instantiate the client object like this:



$SesClient = new \Aws\Ses\SesClient([
    'profile' => 'default',
    'region'  => $region,
    'version' => $version
]);




where "default" is the label of your keys in your "credentials" file. Or, you could do this:



$SesClient = new \Aws\Ses\SesClient([
    'credentials' => \Aws\Credentials\CredentialProvider::defaultProvider(),
    'region'  => $region,
    'version' => $version
]);





Lambda



A Lambda function that uses another AWS service needs explicit permission to access that other AWS service. 

In the Serverless Framework's "serverless.yml", this permission is set up in the "iamRoleStatements" sub-section within the "provider" section:



provider:
    name: aws
    region: ca-central-1
    runtime: provided.al2
    lambdaHashingVersion: 20201221
    deploymentBucket:
        name: serverlessframework  # This will be the "root" S3 bucket
    iamRoleStatements:
        # Lets the function's role send email through SES
        - Effect: Allow
          Action:
              - "ses:SendEmail"
              - "ses:SendRawEmail"
          Resource: "*"  # "*" covers every SES identity in the account




Then instantiate your client object like this:



$SesClient = new \Aws\Ses\SesClient([
    'region'  => $region,
    'version' => $version
]);






See the Serverless Framework's article about credentials for more info, including how to specify credentials locally with environment variables: https://www.serverless.com/framework/docs/providers/aws/guide/credentials.
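
Added example (not from the original post): a pre-flight helper that reports which of the credential sources described above will be used, then builds the SesClient constructor array to match, so the same code runs locally and in Lambda with no keys in source. The function names, the `send-mail` value and the temporary credentials file are constructed for illustration; `AWS_LAMBDA_FUNCTION_NAME` is the variable the Lambda runtime sets.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Function names are hypothetical.
// $env is passed in (normally getenv()) so both branches can be exercised offline.

/** Report where credentials will come from, or throw before any AWS call is made. */
function credentialSource(array $env, string $credentialsFile): string
{
    // Lambda injects the execution role's temporary credentials as env vars.
    if (!empty($env['AWS_LAMBDA_FUNCTION_NAME'])) {
        return 'lambda-role';
    }
    // The SDK's default chain checks environment variables before the file.
    if (!empty($env['AWS_ACCESS_KEY_ID']) && !empty($env['AWS_SECRET_ACCESS_KEY'])) {
        return 'environment';
    }
    $profile  = $env['AWS_PROFILE'] ?? 'default';
    $profiles = is_readable($credentialsFile)
        ? parse_ini_file($credentialsFile, true, INI_SCANNER_RAW)
        : [];
    if (isset($profiles[$profile]['aws_access_key_id'], $profiles[$profile]['aws_secret_access_key'])) {
        return 'profile:' . $profile;
    }
    throw new RuntimeException("No AWS credentials found for profile '$profile'");
}

/** Build the SesClient constructor array; keys never appear in source code. */
function sesClientConfig(array $env, string $credentialsFile, string $region, string $version): array
{
    $config = ['region' => $region, 'version' => $version];
    $source = credentialSource($env, $credentialsFile);
    if (strpos($source, 'profile:') === 0) {
        $config['profile'] = substr($source, strlen('profile:'));
    }
    // For 'lambda-role' and 'environment' the SDK resolves credentials itself.
    return $config;
}

// Constructed sample input: a temporary credentials file holding AWS's documentation keys.
$file = tempnam(sys_get_temp_dir(), 'aws');
file_put_contents($file, "[default]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
    . "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n");

var_dump(sesClientConfig([], $file, 'ca-central-1', '2010-12-01'));
var_dump(sesClientConfig(['AWS_LAMBDA_FUNCTION_NAME' => 'send-mail'], $file, 'ca-central-1', '2010-12-01'));
unlink($file);
// With aws/aws-sdk-php installed: new \Aws\Ses\SesClient(sesClientConfig(getenv(), $path, $region, $version));
```

The local call returns an array containing `'profile' => 'default'`; the Lambda call returns only `region` and `version`, matching the two instantiation styles shown above.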


Update: Safe And Simple AWS Credential Management For Your Symfony/PHP Application

October 14, 2021