my $aws_creds = new Amazon::Credentials({order => [qw/env file container role/]});


Class to find AWS credentials from either the environment, configuration files, instance meta-data or container role.

You can specify the order using the order option in the constructor to determine the order in which the class will look for credentials. The default order is environent, file, container, instance meta-data. See "new".



 new( options );

 my $aws_creds = new Amazon::Credential( { profile => 'sandbox', debug => 1 });

options is a hash of keys that represent options. Any of the options can also be retrieved using their corresponding 'get_{option} method.

Options are listed below.


AWS access key.


AWS secret access key.

Note: If you pass the access keys in the constructor then the constructor will not look in other places for credentials.


Set to true for verbose troubleshooting information.


Pass in your own logger that has a debug() method. Otherwise the default logger will output debug messages to STDERR.


Pass in your own user agent, otherwise LWP will be used. Probably only useful to override this for testing purposes.>


The profile name in the configuration file (~/.aws/config or ~/.aws/credentials).

 my $aws_creds = new Amazon::Credentials({ profile => 'sandbox' });

The class will also look for the environment variable AWS_PROFILE, so you can invoke your script like this:

 $ AWS_PROFILE=sandbox

An array reference containing tokens that specifies the order in which the class will search for credentials.

default: role, env, file


  my $creds = new Amazon::Credentials( { order => [ qw/file env role/] });
env - Environment

If there exists an environment variable $AWS_PROFILE, then an attempt will be made to retrieve credentials from the credentials file using that profile, otherwise the class will for these environment variables to provide credentials.


Note that when you set the environment variable AWS_PROFILE, the order essentially is overridden and we'll look in your credential files (~/.aws/config, ~/.aws/credentials) for your credentials.

file - Configuration Files

The class will attempt to find the credentials in either of these two files. You can also specify a profile to use for looking up the credentials by passing it into the constructor or setting it the environment variable AWS_PROFILE. If no profile is provided, the default credentials or the first profile found is used.

 my $aws_creds = new Amazon::Credentials({ order => [qw/environment role file/] });
container - Task Role

If the process is running in a container, the container may have a task role. We'll look credentials using the container metadata service.$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
role - Instance Role

The class will use the URL to look for an instance role and credentials.

Credentials returned by accessing the meta-data include a token that should be passed to Amazon APIs along with the access key and secret. That token has an expiration and should be refreshed before it expires.

 if ( $aws_creds->is_token_expired() ) {

Default region. The class will attempt to find the region in either the configuration files or the instance unless you specify the region in the constructor.


Returns the region of the currently running instance. The constructor will set the region to this value unless you set your own region value. Use get_region to retrieve the value after instantiation or you can call this method again and it will make a second call to retrieve the instance metadata.

You can also invoke this as a class method:

 $ AWS_REGION=$(perl -MAmazon::Credentials -e 'print Amazon::Credentials::get_default_region;')

get_ec2_credentials (deprecated)


 find_credentials( option => value, ...);

You normally don't want to use this method. It's automatically invoked by the constructor if you don't pass in any credentials. Accepts a hash or hash reference consisting of keys (order or profile) in the same manner as the constructor.


 is_token_expired( window-interval )

Returns true if the token is about to expire (or is expired). window-interval is the time in minutes before the actual expiration time that the method should consider the token expired. The default is 5 minutes. Amazon states that new credentials will be available at least 5 minutes before a token expires.



Returns a hash, possibly containing access keys and a token.


The AWS access key.


The AWS secret key.


Security token used with access keys.


Token expiration date.


IAM role if available.


Will be 'IAM' if role and credentials found.


 refresh_token() (deprecated)

Retrieves a fresh set of IAM credentials.

 if ( $creds->is_token_expired ) {


Rob Lauer - <>


(c) Copyright 2019 Robert C. Lauer. All rights reserved. This module is free software. It may be used, redistributed and/or modified under the same terms as Perl itself.