Can't pass my credentials to AWS PHP SDK
H

3

6

I installed AWS PHP SDK and am trying to use SES. My problem is that it's (apparently) trying to read ~/.aws/credentials no matter what I do. I currently have this code:

$S3_AK = getenv('S3_AK');
$S3_PK = getenv('S3_PK');
$profile = 'default';
$path = '/home/franco/public/site/default.ini';
$provider = CredentialProvider::ini($profile, $path);
$provider = CredentialProvider::memoize($provider);
$client = SesClient::factory(array(
      'profile' => 'default',
      'region' => 'us-east-1',
      'version' => "2010-12-01",
      'credentials' => [
        'key'    => $S3_AK,
        'secret' => $S3_PK,
      ]
  )); 

And am still getting "Cannot read credentials from ~/.aws/credentials" error (after quite a while).

I tried 'credentials' => $provider of course, that was the idea, but as it wasn't working I reverted to hardcoded credentials. I've dumped $S3_AK and $S3_PK and they're fine, I'm actually using them correctly for S3, but there I have Zend's wrapper. I've tried ~/.aws/credentials (no ".ini") to the same result. Both files having 777 permissions.

Curious information: I had to set memory limit to -1 so it would be able to var_dump the exception. The html to the exception is around 200mb.

I'd prefer to use the environment variables, although the credentials file is fine. I just don't understand why it appears to be trying to read the file even though I've hardcoded the credentials.

EDIT: So a friend showed me this, I removed the profile and also modified the try/catch and noticed the client seems to be created properly, and the error comes from trying to actually send an email.

Haemin answered 20/5, 2016 at 3:14 Comment(4)
Shouldn't the variables be AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY? - Atop
In case my answer doesn't work, check the permissions of not only the file, but the parent directories of the file; the user that the server is running on may not be able to read it since it can't open one of the parent directories. You can test this with something like sudo -u www-data stat /home/franco/public/site/default.ini, where www-data is the server user. - Chandelle
Frédéric, one is the key id, the other is the access key, I'm getting them from environment variables. Still, the problem is it's trying to read that file even though I'm explicitly telling it the credentials. - Haemin
Frédéric, sorry I think I understood you incorrectly. github.com/aws/aws-sdk-php/blob/master/src/AwsClient.php#L62 says the variables are secret and key. - Haemin
H
-2

OK, I managed to fix it. I couldn't read the credentials file but it wasn't exactly my idea. What was happening was that the actual client was being created successfully, but the try/catch also had the sendEmail included. This was what was failing. About creating the client with explicit credentials: If you specify region, it will try and read a credentials file.

About the SendEmail, this is the syntax that worked for me, I'd found another one also in the AWS docs site, and that one failed. It must've been for an older SDK.

Haemin answered 20/5, 2016 at 13:37 Comment(0)
V
27

The trick is to just remove 'profile' => 'default' from the factory params; if this is defined, we can't use a custom credentials file or environment variables. It is not documented, but it just works.

I'm using Sns and Sdk v3.

<?php
use Aws\Credentials\CredentialProvider;

$profile = 'sns-reminders';
$path = '../private/credentials';

$provider = CredentialProvider::ini($profile, $path);
$provider = CredentialProvider::memoize($provider);

$sdk = new Aws\Sdk(['credentials' => $provider]);

$sns = $sdk->createSns([
//        'profile' => $profile,
        'region'  => 'us-east-1',
        'version' => 'latest',
]);
Viguerie answered 23/12, 2017 at 4:56 Comment(4)
This worked for me for the hard-coded credentials way. Did not check with other ways yet. - Overlooker
Superb. Not documented at all, and forces us to use both. Strange. Kudos! - Undesirable
AWS documentation is crap, long text about nothing, not focusing on practical approach. Thanks for sharing! - Parthenos
I spent 4+ hours troubleshooting, tried a custom credentials provider, env vars, and hardcoded. None of them worked, until I followed this instruction. Thank you! - Parliamentary
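Added example (not part of any post on this page, and not AWS's own sample code): the fix from the answer above combined with the asker's edit, with explicit credentials from the environment, no 'profile' key, and the send call in its own try/catch so a failure is attributed to the right step. It assumes SDK v3 installed via Composer; the S3_AK / S3_PK names come from the question, while the autoloader path and e-mail addresses are placeholders.

```php
<?php
// Added example; assumes AWS SDK for PHP v3 installed via Composer.
require 'vendor/autoload.php'; // assumed autoloader path

use Aws\Credentials\Credentials;
use Aws\Exception\AwsException;
use Aws\Exception\CredentialsException;
use Aws\Ses\SesClient;

// Read the key pair from the environment (variable names taken from the question).
$key    = getenv('S3_AK');
$secret = getenv('S3_PK');
if ($key === false || $key === '' || $secret === false || $secret === '') {
    // Fail early instead of passing empty credentials on to the SDK.
    error_log('S3_AK / S3_PK are not set in the environment of this process');
    exit(1);
}

// Step 1: build the client. There is no 'profile' key, so 'credentials' is used.
$client = new SesClient([
    'version'     => '2010-12-01',
    'region'      => 'us-east-1',
    'credentials' => new Credentials($key, $secret),
]);

// Step 2: send in a separate try/catch so a send failure is not mistaken
// for a client-construction failure.
try {
    $result = $client->sendEmail([
        'Source'      => 'sender@example.com',                    // placeholder
        'Destination' => ['ToAddresses' => ['rcpt@example.com']], // placeholder
        'Message'     => [
            'Subject' => ['Data' => 'SES test', 'Charset' => 'UTF-8'],
            'Body'    => ['Text' => ['Data' => 'Hello from SES', 'Charset' => 'UTF-8']],
        ],
    ]);
    echo 'Sent, MessageId: ', $result['MessageId'], "\n";
} catch (CredentialsException $e) {
    // Seen when a file/profile lookup is still in play (the error quoted in the question).
    error_log('credentials: ' . $e->getMessage());
} catch (AwsException $e) {
    // Log the service error code and message, not a dump of the whole exception object.
    error_log(sprintf('SES %s: %s', $e->getAwsErrorCode(), $e->getAwsErrorMessage()));
}
```

If the ini-file provider is used instead, the file only has to be readable by the web server user (the stat check from the comments verifies this); it does not need mode 777.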
C
1

This solution will probably only work if you're using version 3 of the SDK. I use something similar to this:

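use Aws\Credentials\CredentialProvider;
use Aws\Ses\SesClient;

// $profile and $path are defined as in the question
$provider = CredentialProvider::memoize(CredentialProvider::ini($profile, $path));
$client = new SesClient([
    'version' => 'latest',
    'region'  => 'us-east-1',
    'credentials' => $provider,
]);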

I use this for S3Client, DynamoDbClient, and a few other clients, so I am assuming that the SesClient constructor supports the same arguments.

Chandelle answered 20/5, 2016 at 9:9 Comment(1)
As I said, "I tried 'credentials' => $provider of course", and it still tried to read the file. - Haemin