Credentials When Instantiating An AWS Client Object In The PHP SDK

Whether you are developing locally or running in a Lambda function, you use the AWS SDK for PHP to work with AWS services.

For example, if you want to send an email via SES, you instantiate an SES client object. You do this in both local dev and in your Lambda function. 

The critical difference between instantiating the client object in local vs Lambda is how credentials are specified. 

In local development, the AWS credentials are the access and secret keys.

A Lambda function runs inside AWS, so it checks IAM directly to see if it is allowed to access other AWS services. There is no need for the access and secret keys.

Local Development

In local development, you can specify the access and secret keys directly in the code, for example:

// Keys written into source are readable by anyone with access to the file or its version history.
$SesClient = new \Aws\Ses\SesClient([
    'region'  => $region,
    'version' => $version,
    'credentials' => [
        'key'    => 'AKIAIOSFODNN7EXAMPLE',
        'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    ]
]);

Alternatively, you can create a "credentials" file in the ".aws" folder:


The ".aws" folder is in your user folder, such as "/Users/username/.aws".

You can also create the "credentials" file with this Serverless Framework command:

serverless config credentials --provider aws --key AKIAIOSFODNN7EXAMPLE --secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

When you have an ".aws/credentials" file, instantiate the client object like this:

$SesClient = new \Aws\Ses\SesClient([
    'profile' => 'default',
    'region'  => $region,
    'version' => $version
]);

where "default" is the label of your keys in your "credentials" file. Or, you could do this:

$SesClient = new \Aws\Ses\SesClient([
    'credentials' => \Aws\Credentials\CredentialProvider::defaultProvider(),
    'region'  => $region,
    'version' => $version
]);


Lambda Function

A Lambda function that uses another AWS service needs explicit permission to access that other AWS service.

In the Serverless Framework's "serverless.yml", this permission is set up in the "iamRoleStatements" sub-section within the "provider" section:

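provider:
    name: aws
    region: ca-central-1
    runtime: provided.al2
    lambdaHashingVersion: 20201221
    deploymentBucket:
        name: serverlessframework  # This will be the "root" S3 bucket
    iamRoleStatements:
        - Effect: Allow
          Action:
              - "ses:SendEmail"
              - "ses:SendRawEmail"
          # "*" permits sending from any SES identity in the account; list identity ARNs to narrow it
          Resource: "*"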

Then instantiate your client object like this:

$SesClient = new \Aws\Ses\SesClient([
    'region'  => $region,
    'version' => $version
]);
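
The two cases above can be folded into one helper that picks the constructor array per environment and fails early when the local profile is missing. This is an added example, not code from the original article: the helper names are hypothetical, and it assumes the AWS_LAMBDA_FUNCTION_NAME variable set by the Lambda runtime, the AWS_PROFILE variable, and the SES API version '2010-12-01'. In real use the file path would be your ".aws/credentials" file.

```php
<?php
// Added example, not from the original article. profileExists() and
// sesClientConfig() are hypothetical helper names.

/** True if $profile in the credentials file has both key fields set. */
function profileExists(string $file, string $profile): bool
{
    if (!is_readable($file)) {
        return false;
    }
    // RAW mode keeps characters such as "/" and "+" in the secret untouched.
    $ini = parse_ini_file($file, true, INI_SCANNER_RAW);
    return is_array($ini)
        && !empty($ini[$profile]['aws_access_key_id'])
        && !empty($ini[$profile]['aws_secret_access_key']);
}

/** Build the SesClient constructor array for the environment described by $env. */
function sesClientConfig(array $env, string $credFile, string $region, string $version): array
{
    $config = ['region' => $region, 'version' => $version];

    // AWS_LAMBDA_FUNCTION_NAME is set by the Lambda runtime.
    if (!empty($env['AWS_LAMBDA_FUNCTION_NAME'])) {
        // No 'credentials' or 'profile' entry: IAM decides what the function may call.
        return $config;
    }

    // Local development: use a named profile rather than keys written into the code.
    $profile = $env['AWS_PROFILE'] ?? 'default';
    if (!profileExists($credFile, $profile)) {
        throw new RuntimeException("Profile '$profile' not found in $credFile");
    }
    $config['profile'] = $profile;
    return $config;
}

// Constructed sample credentials file, using the article's example keys.
$credFile = tempnam(sys_get_temp_dir(), 'aws');
file_put_contents($credFile, "[default]\n"
    . "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    . "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n");

$local  = sesClientConfig([], $credFile, 'ca-central-1', '2010-12-01');
$lambda = sesClientConfig(['AWS_LAMBDA_FUNCTION_NAME' => 'sendMail'], $credFile, 'ca-central-1', '2010-12-01');
var_dump($local, $lambda);   // $local carries 'profile'; $lambda has only region and version
unlink($credFile);
// With the SDK installed: $SesClient = new \Aws\Ses\SesClient($local);
```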

See the Serverless Framework's article about credentials for more info, including how to specify credentials locally with environment variables: