Credentials When Instantiating An AWS Client Object In The PHP SDK

When you work with an AWS service from PHP, you use the AWS SDK for PHP both in local development and inside Lambda functions.

For example, if you want to send an email via SES, you instantiate an SES client object. You do this in both local dev and in your Lambda function. 

The critical difference between instantiating the client object in local vs Lambda is how credentials are specified. 

In local development, AWS credentials come from the access and secret keys.

A Lambda function runs inside AWS, so its permissions come from its IAM execution role: it can call other AWS services without any access and secret keys.


Local Development

In local development, you can put the access and secret keys directly in the code (keys embedded in source are easily committed to version control, so the file-based options further down are preferable), such as:

$SesClient = new \Aws\Ses\SesClient([
    'region'  => $region,
    'version' => $version,
    'credentials' => [
        'key'    => 'AKIAIOSFODNN7EXAMPLE',
        'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    ],
]);




Alternatively, you can create a "credentials" file in the ".aws" folder:



[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY




The ".aws" folder is in your user folder, such as "/Users/username/.aws".

You can also create the "credentials" file with this Serverless Framework command:

serverless config credentials --provider aws --key AKIAIOSFODNN7EXAMPLE --secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY


When you have an ".aws/credentials" file, instantiate the client object like this:



$SesClient = new \Aws\Ses\SesClient([
    'profile' => 'default',
    'region'  => $region,
    'version' => $version
]);




where "default" is the profile name (the bracketed label) for your keys in your "credentials" file. Or, you can let the SDK's default provider chain locate the credentials for you:

$SesClient = new \Aws\Ses\SesClient([
    'credentials' => \Aws\Credentials\CredentialProvider::defaultProvider(),
    'region'  => $region,
    'version' => $version
]);





Lambda



A Lambda function that uses another AWS service needs explicit permission to access that other service.

In the Serverless Framework's "serverless.yml", this permission is granted in the "iamRoleStatements" sub-section within the "provider" section:

provider:
    name: aws
    region: ca-central-1
    runtime: provided.al2
    lambdaHashingVersion: 20201221
    deploymentBucket:
        name: serverlessframework  # This will be the "root" S3 bucket
    iamRoleStatements:
        - Effect: Allow
          Action:
              - "ses:SendEmail"
              - "ses:SendRawEmail"
          Resource: "*"

Note that Resource: "*" lets the function send from any SES identity in the account; for least privilege, narrow it to the ARN of the verified identity you actually send from.

Then instantiate your client object without a "credentials" entry; the SDK picks up the execution role's temporary credentials automatically:

$SesClient = new \Aws\Ses\SesClient([
    'region'  => $region,
    'version' => $version
]);
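The two cases above (a profile in ".aws/credentials" locally, the execution role in Lambda) can be handled by one factory function, as in this added example, which is not code from the original post or from the SDK. It assumes the AWS SDK for PHP v3 installed via Composer and a "default" profile in "~/.aws/credentials"; the helper names sesClientOptions and hasInlineKeys are my own.

```php
<?php
// Added example, not code from the original post. Assumes the AWS SDK for PHP v3
// is installed with Composer; $region and $version follow the post's naming.
require __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Ses\SesClient;

/**
 * Build SesClient options that work unchanged in local development and in Lambda.
 *
 * In Lambda the runtime exports the execution role's temporary credentials
 * (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) as environment
 * variables and the SDK's default provider chain reads them, so no
 * 'credentials' entry is passed at all. Locally, credentials are resolved from
 * the environment first and then from the named profile in ~/.aws/credentials,
 * which keeps access keys out of the source tree.
 */
function sesClientOptions(string $region, string $version = 'latest', string $profile = 'default'): array
{
    $options = ['region' => $region, 'version' => $version];

    // AWS_LAMBDA_FUNCTION_NAME is set by the Lambda runtime and absent locally.
    if (getenv('AWS_LAMBDA_FUNCTION_NAME') !== false) {
        return $options; // execution role only, as in the Lambda snippet above
    }

    // Local development: try environment variables, then the credentials file.
    // memoize() caches the resolved credentials so the file is read only once.
    $options['credentials'] = CredentialProvider::memoize(
        CredentialProvider::chain(
            CredentialProvider::env(),
            CredentialProvider::ini($profile)
        )
    );

    return $options;
}

/** Guard: the options must never carry a literal key/secret pair. */
function hasInlineKeys(array $options): bool
{
    $c = $options['credentials'] ?? null;
    return is_array($c) && isset($c['key'], $c['secret']);
}

$options = sesClientOptions('ca-central-1');
if (hasInlineKeys($options)) {
    throw new RuntimeException('Hard-coded AWS keys are not allowed here');
}
$SesClient = new SesClient($options);
```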






See the Serverless Framework's article about credentials for more info, including how to specify credentials locally with environment variables: https://www.serverless.com/framework/docs/providers/aws/guide/credentials.


Update: Safe And Simple AWS Credential Management For Your Symfony/PHP Application

October 14, 2021