Configuration file credential provider reads AWS credentials from shared configuration files, supporting profiles, role assumption, and various credential sources configured in INI format.
Creates a credential provider that reads from AWS shared configuration files.
```typescript
/**
 * Creates a credential provider function that reads from shared credentials files
 * @param init - Configuration options for the provider
 * @returns Runtime-configurable credential provider function
 */
function fromIni(init?: FromIniInit): RuntimeConfigAwsCredentialIdentityProvider;

interface FromIniInit {
  /** Configuration profile name. Defaults to AWS_PROFILE environment variable or 'default' */
  profile?: string;
  /** Path to shared credentials file. Defaults to ~/.aws/credentials */
  filepath?: string;
  /** Path to shared config file. Defaults to ~/.aws/config */
  configFilepath?: string;
  /** Function that returns MFA token code for the provided MFA serial */
  mfaCodeProvider?: (mfaSerial: string) => Promise<string>;
  /** Custom STS client configurations overriding defaults */
  clientConfig?: STSClientConfig;
  /** Custom STS client middleware plugins */
  clientPlugins?: Pluggable<any, any>[];
}
```

The provider reads from these default locations:

- ~/.aws/credentials (or AWS_SHARED_CREDENTIALS_FILE environment variable)
- ~/.aws/config (or AWS_CONFIG_FILE environment variable)

Usage Examples:
```typescript
import { S3Client } from "@aws-sdk/client-s3";
import { fromIni } from "@aws-sdk/credential-providers";

// Use default profile
const client = new S3Client({
  region: "us-west-2",
  credentials: fromIni()
});

// Use specific profile
const devClient = new S3Client({
  region: "us-west-2",
  credentials: fromIni({
    profile: "development"
  })
});

// Custom file paths
const customClient = new S3Client({
  region: "us-west-2",
  credentials: fromIni({
    filepath: "/custom/path/credentials",
    configFilepath: "/custom/path/config"
  })
});
```

~/.aws/credentials:
```ini
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[development]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
```

~/.aws/config:
```ini
[default]
region = us-east-1

[profile development]
region = us-west-2
```

~/.aws/config:
```ini
[profile production]
role_arn = arn:aws:iam::123456789012:role/ProductionRole
source_profile = default
region = us-east-1

[profile cross-account]
role_arn = arn:aws:iam::987654321098:role/CrossAccountRole
source_profile = development
region = us-west-2
role_session_name = MySessionName
```

```ini
[profile ec2-role]
role_arn = arn:aws:iam::123456789012:role/EC2Role
credential_source = Ec2InstanceMetadata

[profile ecs-role]
role_arn = arn:aws:iam::123456789012:role/ECSRole
credential_source = EcsContainer

[profile env-role]
role_arn = arn:aws:iam::123456789012:role/EnvRole
credential_source = Environment
```

```ini
[profile web-identity]
role_arn = arn:aws:iam::123456789012:role/WebIdentityRole
web_identity_token_file = /path/to/token
role_session_name = MyWebIdentitySession

[profile kubernetes]
role_arn = arn:aws:iam::123456789012:role/KubernetesRole
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
```

For profiles requiring multi-factor authentication:
```typescript
import { S3Client } from "@aws-sdk/client-s3";
import { fromIni } from "@aws-sdk/credential-providers";

const clientWithMFA = new S3Client({
  region: "us-east-1",
  credentials: fromIni({
    profile: "mfa-profile",
    mfaCodeProvider: async (mfaSerial) => {
      // Implement your MFA token retrieval logic
      // This could prompt user input, read from a secure store, etc.
      return promptForMFAToken(mfaSerial);
    }
  })
});

async function promptForMFAToken(serialNumber: string): Promise<string> {
  console.log(`Please enter MFA token for device: ${serialNumber}`);
  // Implementation depends on your environment
  // Could use readline, a GUI prompt, or secure storage
  return "123456"; // Example token (placeholder; return the code the user actually supplies)
}
```

Configuration with MFA:
```ini
[profile with-mfa]
role_arn = arn:aws:iam::123456789012:role/RequiresMFARole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/user@example.com
```

```ini
[profile sso-profile]
sso_start_url = https://d-1234567890.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
```

- fromIni({ profile: "name" })
- new S3Client({ profile: "name" })

Common errors and handling:
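```typescript
import { fromIni } from "@aws-sdk/credential-providers";

try {
  const credentials = await fromIni({ profile: "nonexistent" })();
} catch (error) {
  // `error` is `unknown` under strict TypeScript, so narrow it before reading the message.
  // Matching on message text depends on the SDK's wording, which can differ between versions.
  const message = error instanceof Error ? error.message : String(error);
  if (message.includes("Profile not found")) {
    console.error("The specified profile does not exist in credentials files");
  } else if (message.includes("MFA")) {
    console.error("MFA token required but not provided");
  } else {
    console.error("Failed to load credentials:", message);
  }
}
```

When profiles appear in both files: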
- [profile name] format (except default)

The provider respects region configuration:
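Returning to the profile files and role-assumption chains shown earlier, the following is an added example, not part of the original page and not the SDK's own resolver. It parses constructed credentials/config text, follows `source_profile` links, and reports whether a role profile ultimately rests on long-term static keys, a `credential_source`, a web identity token or SSO, and whether `mfa_serial` appears in the chain. The names `parseIni` and `auditProfile`, and the choice to let credentials-file keys overwrite config-file keys, are assumptions of this example.

```typescript
// Added example, not SDK code: a simplified model of profile resolution.
type Section = { [key: string]: string };
type Profiles = { [name: string]: Section };
interface Audit { chain: string[]; base: string; mfa: boolean }

// Config-file sections are "[profile name]" ("[default]" excepted); credentials-file sections are "[name]".
function parseIni(text: string, isConfigFile: boolean, into: Profiles): Profiles {
  let current: Section | null = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const header = /^\[(.+)\]$/.exec(line);
    if (header) {
      const m = /^profile\s+(.+)$/.exec(header[1].trim());
      const name = isConfigFile && m ? m[1].trim() : header[1].trim();
      const valid = !isConfigFile || m !== null || name === "default";
      current = valid ? (into[name] = into[name] || {}) : null;
    } else if (current && !/^[#;]/.test(line) && line.indexOf("=") > 0) {
      const eq = line.indexOf("=");
      current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  }
  return into;
}

// Follow source_profile links to the profile that supplies the base credentials.
function auditProfile(profiles: Profiles, start: string): Audit {
  const chain: string[] = [];
  let mfa = false, name = start;
  for (;;) {
    if (chain.indexOf(name) !== -1) return { chain: chain.concat(name), base: "cycle", mfa };
    chain.push(name);
    const p = profiles[name];
    if (!p) return { chain, base: "missing-profile", mfa };
    if (p.mfa_serial) mfa = true;
    if (p.role_arn && p.source_profile) { name = p.source_profile; continue; }
    if (p.credential_source) return { chain, base: "credential_source:" + p.credential_source, mfa };
    if (p.web_identity_token_file) return { chain, base: "web-identity-token", mfa };
    if (p.sso_start_url) return { chain, base: "sso", mfa };
    return { chain, base: p.aws_access_key_id ? "static-keys" : "none", mfa };
  }
}

// Constructed sample input. The credentials file is parsed last so its keys win (assumption).
const CREDENTIALS = "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE";
const CONFIG = [
  "[profile production]", "role_arn = arn:aws:iam::123456789012:role/ProductionRole", "source_profile = default",
  "[profile with-mfa]", "role_arn = arn:aws:iam::123456789012:role/RequiresMFARole", "source_profile = default", "mfa_serial = arn:aws:iam::123456789012:mfa/user@example.com",
  "[profile ec2-role]", "role_arn = arn:aws:iam::123456789012:role/EC2Role", "credential_source = Ec2InstanceMetadata",
].join("\n");
const PROFILES = parseIni(CREDENTIALS, false, parseIni(CONFIG, true, {}));
```

Calling `auditProfile(PROFILES, "production")` returns the chain `production -> default` with base `static-keys`, which marks that role as reachable by anyone who can read the plaintext keys in the credentials file.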