Stackimus Prime

Reputation: 169

How to set up AWS S3 credentials for PHP

I'm new to S3 and am having a hard time setting up my credentials via a file. This is a working solution that I currently have using hard-coded credentials (IAM_KEY and IAM_SECRET are variables used to store my key):

// Using hard-coded credentials
$s3 = new S3Client([
    'version'     => 'latest',
    'region'      => 'us-east-1',
    'credentials' => [
        'key'    => $IAM_KEY,
        'secret' => $IAM_SECRET,
    ],
]);

However, I want to store the key and secret in a file so that it is not visible when I push my files onto GitHub. Here is my attempt that doesn't work:

// using credential file - not working :(
$s3 = S3Client::factory(
    array(
        'profile' => 'my_profile',
        'version' => 'latest',
        'region'  => 'us-east-1'
    )
);

My credentials file is as follows:

[my_profile]
aws_access_key_id = someKey
aws_secret_access_key = someKey

I've read the docs on AWS (https://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html) but am still stuck. It mentions that I have to store my credentials file in ~/.aws/credentials; however, I cannot find that directory (do I need to first install the command line tool for AWS?). Also, what is the extension of the credentials file?

I've been stuck on this for hours so any help will be appreciated.

Upvotes: 4

Views: 6200

Answers (2)

raevilman

Reputation: 3269

  1. For AWS Profile (creds file)

    Yes, you need to install the AWS CLI tool and then use the following command to set the profile:

    aws configure

    Visit this link for CLI configuration.

  2. For using the credentials configured in step 1 in your app, you should use the Credential Provider from the AWS SDK. Please read this link.

  3. My suggestion: read about IAM profiles -> here
    Your app can obtain S3 permissions from IAM roles attached to the AWS resource, whether it's Lambda or EC2.

    You should skip passing creds to the client or using the Creds Provider, because when you create the S3 client in your code:

    In Local Env: Once the CLI is configured, the S3 client will automatically look for creds in multiple places like env vars or the ~/.aws dir.

    When Deployed: It will pick up the permissions from the IAM role attached to the AWS resource where it is deployed, either Lambda or EC2.

Upvotes: 1

Matt Healy

Reputation: 18531

You can store your AWS credentials in a file which is ignored by way of a .gitignore file.

For example:

aws-credentials.php

<?php

    $IAM_KEY = 'key';
    $IAM_SECRET = 'secret';

?>

index.php

<?php

require_once('aws-credentials.php');

echo $IAM_KEY . "\n\n";
echo $IAM_SECRET . "\n\n";

?>

.gitignore

aws-credentials.php

Since the file "aws-credentials.php" is referenced in the .gitignore file, it won't be included when you commit your changes to git.

It's been a while since I've used PHP in a production environment but it would also be good practice to store the aws-credentials.php file outside of your web root, just to exclude the remote possibility of the file's contents being exposed in the event the web server is not configured to execute PHP files correctly.

If you're hosting the application on Amazon EC2, it is also good practice to not use IAM credentials at all, but instead use IAM roles.

Upvotes: 0
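
An added PHP example, not part of either answer: one way to load the `my_profile` profile from a credentials file through the SDK's credential provider, falling back to the SDK's default provider chain (environment variables, shared files, IAM role) when no file is present. The helper name `makeS3Client`, the permission check and the Composer autoload path are assumptions of this example.

```php
<?php
// Added example; makeS3Client() is a hypothetical helper, not an SDK function.
require 'vendor/autoload.php'; // assumes the SDK was installed with Composer

use Aws\Credentials\CredentialProvider;
use Aws\S3\S3Client;

/**
 * Build an S3 client with no key or secret in the source tree.
 *
 * @param string      $profile         Section name in the credentials file, e.g. "my_profile"
 * @param string      $region          AWS region, e.g. "us-east-1"
 * @param string|null $credentialsFile Optional path; keep it outside the web root and the repository
 */
function makeS3Client(string $profile, string $region, ?string $credentialsFile = null): S3Client
{
    // The shared credentials file has no extension; its default location is ~/.aws/credentials.
    $home = getenv('HOME') ?: getenv('USERPROFILE');
    $file = $credentialsFile ?? $home . '/.aws/credentials';

    $config = ['version' => 'latest', 'region' => $region];

    if (is_readable($file)) {
        // On POSIX systems, refuse a file that group or other users can access.
        if (DIRECTORY_SEPARATOR === '/' && (fileperms($file) & 0077) !== 0) {
            throw new RuntimeException("$file is accessible to group/other; run chmod 600 on it");
        }
        // Read the named profile from the file and cache the result for later calls.
        $config['credentials'] = CredentialProvider::memoize(
            CredentialProvider::ini($profile, $file)
        );
    }
    // With no 'credentials' key the SDK uses its default provider chain,
    // which is how an IAM role on EC2 or Lambda is picked up when deployed.

    return new S3Client($config);
}

$s3 = makeS3Client('my_profile', 'us-east-1');
```

The file read here uses the same INI layout shown in the question, so it can be created by hand or by `aws configure`.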
