I am starting a new project in Cloud Technology and need to log in to my AWS account via the terminal and Python scripts. I have my Access Key ID and Secret Access Key ready, but I am unsure of the best way to authenticate without hardcoding these credentials into my source code. Should I use the AWS configure command, or is there a more secure environment variable method used in professional Software Development?
3 answers
The most standard and recommended approach for local development is using the AWS CLI. Run the command aws configure in your terminal. It will prompt you to enter your Access Key ID and Secret Access Key, along with your preferred region and output format. This process creates a secure credentials file located at ~/.aws/credentials (or %USERPROFILE%\.aws\credentials on Windows). Both the CLI and the Boto3 library for Python are designed to automatically look for this file, so you won't need to put sensitive keys in your code, which is a critical security practice in Cloud Technology.
If you are planning to run this code inside a CI/CD pipeline or a Docker container, wouldn't it be better to use environment variables like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY instead of a static config file?
Always ensure you are using an IAM user with "Least Privilege" permissions. Never use your AWS Root account keys for daily programmatic tasks or Software Development.
I agree with Susan. Using IAM roles or users with restricted policies is the only way to stay secure. If those keys are ever leaked, the blast radius is limited to only what that specific user can access.
Richard, you make an excellent point for automation! For my local machine, I stuck with the aws configure method Margaret suggested because it's easier to manage multiple profiles. However, for our Jenkins deployment, I moved to environment variables. It’s much cleaner for Cloud Technology environments where you don't want persistent credential files sitting on a shared build server. This keeps the credentials dynamic and restricted to the execution runtime.