Credentials
This section explains our recommendations around credentials to provide the best experience with the AWS Copilot CLI.
Copilot uses the AWS credentials from the default credential provider chain to store and look up your application's metadata: which services and environments belong to it. We recommend using a named profile to store your application's credentials.
The most convenient way is to have the [default] profile point to your application's credentials:
# ~/.aws/credentials
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# ~/.aws/config
[default]
region=us-west-2
Alternatively, you can set the AWS_PROFILE environment variable to point to a different named profile. For example, you can define a [my-app] profile for your Copilot application to use instead of the "default" profile.
# ~/.aws/config
[my-app]
credential_process = /opt/bin/awscreds-custom --username helen
region=us-west-2
# Then you can run your Copilot commands leveraging the alternative profile:
$ export AWS_PROFILE=my-app
$ copilot deploy
We do not recommend using environment variables directly to look up your application's metadata: if they are overridden or expire, Copilot will not be able to look up your services or environments.
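A preflight check for the recommendation above, as an added example that is not part of the Copilot documentation or code base. It reports when credential environment variables would shadow the named profile and whether the profile selected by AWS_PROFILE resolves to a credential source. The function name `preflight`, the key lists and the sample strings are constructed for illustration, and it assumes the standard provider chain order in which environment credentials are read before profile files.

```python
import configparser

# Checked before any profile file in the default credential provider chain.
SHADOWING_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
# Profile keys that provide credentials (subset, chosen for this example).
CRED_KEYS = ("aws_access_key_id", "credential_process", "role_arn", "sso_start_url", "sso_session")


def _parse(text):
    parser = configparser.RawConfigParser()  # Raw: no '%' interpolation in values
    parser.read_string(text)
    return parser


def preflight(env, config_text, credentials_text):
    """Return (profile, findings) for the profile named by AWS_PROFILE."""
    profile = env.get("AWS_PROFILE") or "default"
    findings = []

    shadowing = [v for v in SHADOWING_VARS if env.get(v)]
    if shadowing:
        findings.append("environment credentials shadow the profile: " + ", ".join(shadowing))

    config, creds = _parse(config_text), _parse(credentials_text)
    # ~/.aws/config documents "[profile NAME]" for non-default profiles; the
    # bare "[NAME]" form is checked too. ~/.aws/credentials uses "[NAME]".
    sections = []
    for name in ("profile " + profile, profile):
        if config.has_section(name):
            sections.append(dict(config[name]))
    if creds.has_section(profile):
        sections.append(dict(creds[profile]))

    if not sections:
        findings.append("profile %r not found" % profile)
    elif not any(key in s for s in sections for key in CRED_KEYS):
        findings.append("profile %r has no credential source" % profile)
    has_region = any("region" in s for s in sections)
    if sections and not (has_region or env.get("AWS_REGION") or env.get("AWS_DEFAULT_REGION")):
        findings.append("profile %r has no region" % profile)
    return profile, findings


# Constructed sample input mirroring the files shown above.
SAMPLE_CONFIG = "[default]\nregion=us-west-2\n[my-app]\ncredential_process = /opt/bin/awscreds-custom --username helen\nregion=us-west-2\n"
SAMPLE_CREDENTIALS = "[default]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\naws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"

if __name__ == "__main__":
    print(preflight({"AWS_PROFILE": "my-app"}, SAMPLE_CONFIG, SAMPLE_CREDENTIALS))
```

To check a real workstation, pass `dict(os.environ)` and the contents of `~/.aws/config` and `~/.aws/credentials`; an empty findings list means the named profile is what the provider chain will resolve.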
Copilot environments can be created in AWS accounts and regions different from your application's. While initializing an environment, Copilot will ask whether you'd like to use temporary credentials or a named profile to create it:
$ copilot env init
Name: prod-iad
Which credentials would you like to use to create prod-iad?
> Use temporary credentials
> [profile default]
> [profile test]
> [profile prod-iad]
> [profile prod-pdx]
Unlike the application credentials described above, the AWS credentials for an environment are needed only to create or delete it. Therefore, it's safe to use temporary credentials.