This section explains our recommendations around credentials to provide the best experience with the AWS Copilot CLI.
We recommend using a named profile to store your application's credentials.
The most convenient way is having the
[default] profile point to your application's credentials:
# ~/.aws/credentials [default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY # ~/.aws/config [default] region=us-west-2
AWS_PROFILEenvironment variable to point to a different named profile. For example, we can have a
[my-app]profile that can be used for your Copilot application instead of the
You cannot use the AWS account root user credentials for your application. Please first create an IAM user instead as described here.
# ~/.aws/config [profile my-app] credential_process = /opt/bin/awscreds-custom --username helen region=us-west-2 # Then you can run your Copilot commands leveraging the alternative profile: $ export AWS_PROFILE=my-app $ copilot deploy
We do not recommend using the environment variables:
AWS_SESSION_TOKEN directly to look up your application's metadata because if they're overridden or expired, Copilot will not be able to look up your services or environments.
To learn more about all the supported
config file settings: Configuration and credential file settings.
Copilot environments can be created in AWS accounts and regions separate from your application's. While initializing an environment, Copilot will prompt you to enter temporary credentials or a named profile to create your environment:
$ copilot env init Name: prod-iad Which credentials would you like to use to create prod-iad? > Enter temporary credentials > [profile default] > [profile test] > [profile prod-iad] > [profile prod-pdx]