2.1.3 Programmatic Access to AWS
Credential Types
| Type | Description | Use Case |
|---|---|---|
| Long-term (Access Key + Secret Key) | Permanent credentials | CLI, SDK (dev only) |
| Temporary (STS) | Access Key + Secret Key + Session Token | Production, cross-account |
| IAM Role | Auto-rotated credentials | EC2, Lambda, ECS |
Credential Resolution Order (SDK)
| Priority | Source |
|---|---|
| 1 | Code (hardcoded): NEVER |
| 2 | Environment Variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) |
| 3 | Shared Credentials File (~/.aws/credentials) |
| 4 | AWS Config File (~/.aws/config) |
| 5 | Container Credentials (ECS Task Role) |
| 6 | Instance Profile (EC2) / Execution Role (Lambda) |
Best Practices
- NEVER hardcode credentials in code
- Use IAM Roles for EC2, Lambda, ECS (auto-rotated)
- Use environment variables for local development
- Use ~/.aws/credentials profiles for multiple accounts
AWS CLI Profiles
```ini
# ~/.aws/credentials
[default]
aws_access_key_id = AKIA...
aws_secret_access_key = wJal...

[production]
aws_access_key_id = AKIA...
aws_secret_access_key = kWcr...
```

```bash
# Use specific profile
aws s3 ls --profile production

# Or set environment variable
export AWS_PROFILE=production
```
SDK Configuration
```python
import boto3

# Default credentials (resolved from the credential chain)
client = boto3.client('s3')

# Explicit profile (from ~/.aws/credentials or ~/.aws/config)
session = boto3.Session(profile_name='production')
client = session.client('s3')

# Explicit region
client = boto3.client('s3', region_name='us-east-1')
```
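The resolution order and the profile files above, as an added example that is not part of the original notes or of boto3: a small pure-Python stand-in that walks the same local sources in the same order (environment variables, shared credentials file, config file) and reports which source won and whether the credentials are long-term or temporary. The file contents and key values are constructed placeholders.

```python
import configparser
import os
import tempfile

def load_profile(path, profile):
    """Return the named profile's keys from an ini-style AWS file, or None."""
    if not path or not os.path.exists(path):
        return None
    cp = configparser.ConfigParser()
    cp.read(path)
    # ~/.aws/config names non-default profiles as "profile <name>"
    for section in (profile, f"profile {profile}"):
        if cp.has_section(section) and cp.has_option(section, "aws_access_key_id"):
            return dict(cp[section])
    return None

def resolve_credentials(env, credentials_path=None, config_path=None):
    """Mimic the chain: env vars, then shared credentials file, then config file.
    The container / instance-metadata steps need network access and are omitted."""
    profile = env.get("AWS_PROFILE", "default")
    if "AWS_ACCESS_KEY_ID" in env and "AWS_SECRET_ACCESS_KEY" in env:
        creds, source = env, "env"
    else:
        creds, source = None, None
        for path, name in ((credentials_path, "shared-credentials-file"),
                           (config_path, "config-file")):
            creds = load_profile(path, profile)
            if creds:
                source = name
                break
    if not creds:
        return {"source": None, "profile": profile}
    # A session token marks STS (temporary) credentials; its absence means long-term keys
    token = creds.get("AWS_SESSION_TOKEN") or creds.get("aws_session_token")
    return {"source": source, "profile": profile,
            "type": "temporary" if token else "long-term"}

def demo():
    """Constructed credentials file and environments; the key values are placeholders."""
    with tempfile.TemporaryDirectory() as d:
        cred = os.path.join(d, "credentials")
        with open(cred, "w") as f:
            f.write("[default]\naws_access_key_id = AKIAEXAMPLE\n"
                    "aws_secret_access_key = secretEXAMPLE\n"
                    "[production]\naws_access_key_id = ASIAEXAMPLE\n"
                    "aws_secret_access_key = secretEXAMPLE\n"
                    "aws_session_token = tokenEXAMPLE\n")
        env_keys = {"AWS_ACCESS_KEY_ID": "AKIAENV", "AWS_SECRET_ACCESS_KEY": "x"}
        return (resolve_credentials(env_keys, cred),          # env wins over the file
                resolve_credentials({}, cred),                # falls through to [default]
                resolve_credentials({"AWS_PROFILE": "production"}, cred))
```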
Exam Tip: The credential chain order is a common exam question. Always use IAM Roles (Instance Profile / Task Role / Execution Role) instead of access keys in production.