 I'm passing the required credentials for my library to connect to arbitrary AWS-IoT accounts. Now, when I instantiate my AWS client:

client = boto3.client('iot',

Credentials passed in this way should override all other credentials (according to the boto3 docs).

boto3 docs excerpt:

The order in which Boto3 searches for credentials is:

 1. Passing credentials as parameters in the boto.client() method
 2. Passing credentials as parameters when creating a Session object
 3. Environment variables
 4. Shared credential file (~/.aws/credentials)
 5. AWS config file (~/.aws/config)
 6. Assume Role provider
 7. Boto2 config file (/etc/boto.cfg and ~/.boto)
 8. Instance metadata service on an Amazon EC2 instance that has an IAM role configured.

However, I get the following log message from Boto3 as generated by this call:

 "Found credentials in shared credentials file: ~/.aws/credentials"

I really don't want boto3 picking up whatever credentials a user may have happened to have configured on their system - I want it to use just the ones I'm passing to boto3.client().

Any ideas on how to ensure this?


Feb 11, 2019 in IoT (Internet of Things) by Upasana

As long as you're explicitly providing credential parameters, you should be protected from calls executed on the wrong account.

When the aws_access_key_id & aws_secret_access_key parameters are passed, boto3.client(..) accepts them despite their inaccuracies, does not load any other credentials from the file, and returns a NoCredentialsError exception when an API call is sent.

However, when the parameters above are not passed, i.e. boto3.client('iot'), AND a default profile exists in the system, we get a "Found credentials in shared credentials file: ~/.aws/credentials" message.

answered Feb 11, 2019 by Shubham
