Credentials

This section explains our recommendations around credentials to provide the best experience with the AWS Copilot CLI.

Application credentials

Copilot uses the AWS credentials from the default credential provider chain to store and look up your application's metadata: which services and environments belong to it.

Tip

We recommend using a named profile to store your application's credentials.

The most convenient way is having the [default] profile point to your application's credentials:

# ~/.aws/credentials
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# ~/.aws/config
[default]
region=us-west-2

Alternatively, you can set the AWS_PROFILE environment variable to point to a different named profile. For example, you can define a my-app profile and use it for your Copilot application instead of the [default] profile.

Note

You cannot use the AWS account root user credentials for your application. Please first create an IAM user instead as described here.

# ~/.aws/config
# Named profiles in the config file are declared with the "profile " prefix.
[profile my-app]
credential_process = /opt/bin/awscreds-custom --username helen
region=us-west-2

# Then you can run your Copilot commands leveraging the alternative profile:
$ export AWS_PROFILE=my-app
$ copilot deploy

Caution

We do not recommend using the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN directly to look up your application's metadata: if they are overridden or expire, Copilot will not be able to look up your services or environments.

To learn more about all the supported config file settings, see Configuration and credential file settings.
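
The Caution above can be checked before each run. The following is an added example, not part of Copilot or of the original page: a shell preflight that fails when any of the AWS_* credential variables is set, or when the profile selected by AWS_PROFILE is not defined. The function names and the optional file-path arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Copilot code. Function names and the file arguments are
# assumptions so the check can be run against constructed files.

# profile_defined NAME CONFIG_FILE CREDENTIALS_FILE
# ~/.aws/config declares "[default]" or "[profile NAME]";
# ~/.aws/credentials declares "[NAME]".
profile_defined() {
    pd_name=$1 pd_config=$2 pd_creds=$3
    if [ "$pd_name" = "default" ]; then
        pd_header="[default]"
    else
        pd_header="[profile $pd_name]"
    fi
    { [ -f "$pd_config" ] && grep -qxF -- "$pd_header" "$pd_config"; } ||
        { [ -f "$pd_creds" ] && grep -qxF -- "[$pd_name]" "$pd_creds"; }
}

# copilot_cred_preflight [CONFIG_FILE] [CREDENTIALS_FILE]
# Returns 0 when the named profile will supply the application credentials,
# 1 when a credential environment variable is set (the default chain consults
# the environment before named profiles), 2 when the profile is not defined.
copilot_cred_preflight() {
    cp_config=${1:-$HOME/.aws/config}
    cp_creds=${2:-$HOME/.aws/credentials}
    for cp_var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        eval "cp_val=\${$cp_var:-}"
        if [ -n "$cp_val" ]; then
            echo "warn: $cp_var is set; unset it and rely on a named profile" >&2
            return 1
        fi
    done
    cp_profile=${AWS_PROFILE:-default}
    if ! profile_defined "$cp_profile" "$cp_config" "$cp_creds"; then
        echo "error: profile '$cp_profile' not found in $cp_config or $cp_creds" >&2
        return 2
    fi
    echo "ok: application credentials come from profile '$cp_profile'"
}

# Typical use: copilot_cred_preflight && copilot deploy
```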

Environment credentials

Copilot environments can be created in AWS accounts and regions separate from your application's. While initializing an environment, Copilot will prompt you to enter temporary credentials or a named profile to create your environment:

$ copilot env init

Name: prod-iad

  Which credentials would you like to use to create prod-iad?
  > Enter temporary credentials
  > [profile default]
  > [profile test]
  > [profile prod-iad]
  > [profile prod-pdx]

Unlike the Application credentials, the AWS credentials for an environment are only needed for creation or deletion. Therefore, it's safe to use the values from temporary environment variables. Copilot prompts or takes the credentials as flags because the default chain is reserved for your application credentials.