AWS S3 integration credentials fields are unexpectedly marked required · Issue #145862 · home-assistant/core · GitHub
@stwalkerster

The problem

The AWS SDK is capable of retrieving credentials to access the API via many different means, including:

  • a provided Access Key ID/Secret Access Key
  • credentials provided via the user's ~/.aws/config file
  • credentials provided via instance metadata services

For the latter two, it's important to not provide an explicit access key/secret key and allow the SDK to look up available credentials from all sources.

Use of an IAM user with access keys/secret keys is explicitly called out by AWS as the least-preferable option for authentication, with temporary credentials via IAM roles being the preferred solution.

However, this is not possible because the integration configuration requires a specific access key/secret key to be configured, preventing the use of the best-practice options for configuring AWS authentication and enforcing use of IAM users.

My expectation is that I should be able to successfully configure the AWS S3 integration without passing an access key/secret key to Home Assistant directly, but allow the AWS SDK to find the credentials from the runtime environment itself.

What version of Home Assistant Core has the issue?

2025.5.3

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Container

Integration causing the issue

AWS S3

Link to integration documentation on our website

https://www.home-assistant.io/integrations/aws_s3

Diagnostics information

No response

Example YAML snippet

Anything in the logs that might be useful for us?

Additional information

Setting up temporary credentials isn't the easiest or most obvious thing. While I personally use IAM Roles Anywhere for authenticating to AWS, it should be possible to configure an IAM Role with the documented policy, set the role trust policy to the below statement, and then create an EC2 instance with the role attached as an IAM Instance Profile (hidden under the "Advanced" part of the Launch instance screen):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

Once your EC2 instance is up, you should be able to call the AWS SDK via Boto3 without passing any credentials at all - it'll use the role the instance is configured with. This short Python script should work without modification (assuming boto3 is installed):

```python
import boto3

sts = boto3.client('sts')
print(sts.get_caller_identity()['Arn'])
```

AWS has some guidance on using IAM roles with EC2: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
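
The behaviour requested in this issue, as an added sketch that is not part of the original report and not Home Assistant's code: key fields are optional, blank values are dropped so boto3 falls back to its own credential lookup, and a half-filled key pair is rejected. The option names `access_key_id` and `secret_access_key` and the helper names are assumptions made for illustration.

```python
from typing import Any, Mapping, Optional

# Hypothetical option names for this sketch, not the integration's real schema.
CONF_ACCESS_KEY_ID = "access_key_id"
CONF_SECRET_ACCESS_KEY = "secret_access_key"


class CredentialConfigError(ValueError):
    """Only one half of the static key pair was supplied."""


def session_kwargs(config: Mapping[str, Any]) -> dict:
    """Map user input to boto3.Session keyword arguments.

    Blank or missing key fields produce no credential arguments at all, so
    the SDK consults its own sources (shared config, instance metadata, ...).
    """
    key_id = (config.get(CONF_ACCESS_KEY_ID) or "").strip()
    secret = (config.get(CONF_SECRET_ACCESS_KEY) or "").strip()
    if bool(key_id) != bool(secret):
        raise CredentialConfigError(
            "provide both access key ID and secret access key, or neither"
        )
    if not key_id:
        return {}
    return {"aws_access_key_id": key_id, "aws_secret_access_key": secret}


def credential_source(config: Mapping[str, Any]) -> Optional[str]:
    """Return the provider botocore resolved (e.g. "explicit", "iam-role"),
    or None when no credentials were found. Requires boto3 to be installed."""
    import boto3  # imported lazily so session_kwargs stays usable without it

    creds = boto3.Session(**session_kwargs(config)).get_credentials()
    return creds.method if creds is not None else None


if __name__ == "__main__":
    # Constructed inputs: an empty form submission and a half-filled one.
    print(session_kwargs({CONF_ACCESS_KEY_ID: "", CONF_SECRET_ACCESS_KEY: ""}))
    try:
        session_kwargs({CONF_ACCESS_KEY_ID: "AKIAEXAMPLEKEYID0000"})
    except CredentialConfigError as err:
        print("rejected:", err)
```

Surfacing the value of `credential_source` during setup shows the operator whether a static key or a role-based source is in use.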
