--- title: "Managing AWS Auth" output: rmarkdown::html_vignette vignette: > %\VignetteIndexEntry{Managing AWS Auth} %\VignetteEngine{knitr::rmarkdown} %\VignetteEncoding{UTF-8} --- This vignette gives guidance on how to manage AWS auth within `sixtyfour`. ## paws auth We use the package [paws][] to interact with AWS. `paws` also handles the authentication. `paws` looks for credentials in a few different places, in the following order: 1. "Settings" (aka: function inputs) provided to individual AWS services [paws service settings](https://www.paws-r-sdk.com/developer_guide/credentials/#service-settings) 2. Environment variables [paws supported env vars](https://www.paws-r-sdk.com/developer_guide/credentials/#environment-variables) - You can set the three most important environment variables within R for the current R session like: `Sys.setenv(AWS_ACCESS_KEY_ID = "", AWS_SECRET_ACCESS_KEY = "", AWS_REGION = "us-west-2")`. Or set them in a variety of ways to be available across R sessions. See the [R Startup chapter][r-startup] of _What They Forgot to Teach You About R_ book for more details. 3. AWS [shared credentials file](https://www.paws-r-sdk.com/developer_guide/credentials/#shared-credentials-file) and [AWS config file](https://www.paws-r-sdk.com/developer_guide/credentials/#config-file) - The default location for the AWS shared credentials file is `~/.aws/credentials`. Look there to see if you have this set. - The default location for the AWS config file is `~/.aws/config` 4. An EC2 instance or IAM role `sixtyfour` intializes R6 classes that are the object behind a `paws` service (e.g., for S3), and during the initialization it attempts to gather credentials following the above order. `sixtyfour` does not provide any mechanism directly in the package to modify what credentials are used. However, following the `paws` docs linked above you can modify what credentials are used by adjusting what credentials you have set. Some users may have more than one set of credentials - the next section digs into how to approach making sure `sixtyfour` is using the credentials you want to be using. Note that the first option above - passing credentials directly as function parameters - we do not use in `sixtyfour` so that we're not encouraging secrets being directly put into code where those secrets may show up in public. For many different auth scenarios see the [paws credentials docs](https://www.paws-r-sdk.com/developer_guide/credentials/). ## Setting credentials It probably makes the most sense to manage your AWS credentials using only one of the above methods. However, you may need to use a combination depending on your needs. There are various ways to set credentials. Most often - as the [paws docs spell out](https://www.paws-r-sdk.com/developer_guide/credentials/) - you will tell `paws` what creds to use via environment variables. You can do that in various ways: - You can already have env vars exported globally on your system, and then R will pick those up - Start R with an env var set just for that R session, for example: `AWS_REGION=us-east-1 R`, then when you load `paws` it will use that env var - You can set env vars within an R session, either globally for the session or perhaps with for exmaple `withr::with_envvar`, setting a certain set of AWS creds for just the duration of the call block passed in to `with_envvar`. [paws]: https://www.paws-r-sdk.com/