Credentials When Instantiating An AWS Client Object In The PHP SDK

Credentials When Instantiating An AWS Client Object In The PHP SDK

When you are using an AWS service, you use the AWS SDK-PHP for local development, and in Lambda functions. 

For example, if you want to send an email via SES, you instantiate an SES client object. You do this in both local dev and in your Lambda function. 

The critical difference between instantiating the client object in local vs Lambda is how credentials are specified. 

In local development, AWS credentials come from the access and secret keys.

A Lambda function is running inside AWS. So a Lambda function checks IAM directly to see if it is allowed to access other AWS services. No need for the access and secret keys. 


Local Development


In local development, you can specify the access and secret keys directly in the code. Such as:



$SesClient = new \Aws\Ses\SesClient([
    'region'  => $region,
    'version' => $version,
    'credentials' => [
        'key'    => 'AKIAIOSFODNN7EXAMPLE',
        'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
    ],
]);




Alternatively, you can create a "credentials" file in the ".aws" folder:



[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY




The ".aws" folder is in your user folder, such as "/Users/username/.aws".

You can also create the "credentials" file with this Serverless Framework command:

serverless config credentials --provider aws --key AKIAIOSFODNN7EXAMPLE --secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY


When you have an ".aws/credentials" file, instantiate the client object like this:



$SesClient = new \Aws\Ses\SesClient([
    'profile' => 'default',
    'region'  => $region,
    'version' => $version
]);




where "default" is the label of your keys in your "credentials" file. Or, you could do this:



$SesClient = new \Aws\Ses\SesClient([
    'credentials' => \Aws\Credentials\CredentialProvider::defaultProvider(),
    'region'  => $region,
    'version' => $version
]);





Lambda



A Lambda function that uses another AWS service needs explicit permission to access that other AWS service. 

In the Serverless Framework's "serverless.yml", this permission is set up in the "iamRoleStatements" sub-section within the "provider" section:



provider:
    name: aws
    region: ca-central-1
    runtime: provided.al2
    lambdaHashingVersion: 20201221
    deploymentBucket:
    name: serverlessframework  # This will be the "root" S3 bucket
    iamRoleStatements:
    - Effect: Allow
       Action:
          - "ses:SendEmail"
          - "ses:SendRawEmail"
       Resource: "*"




Then instantiate your client object like this:



$SesClient = new \Aws\Ses\SesClient([
    'region'  => $region,
    'version' => $version
]);






See the Serverless Framework's article about credentials for more info, including how to specify credentials locally with environment variables: https://www.serverless.com/framework/docs/providers/aws/guide/credentials.