5. MATLAB AWS Client
5.1 How Service Clients Use Credentials & Region
Service clients derive from aws.core.BaseClient and support optional constructor name-value pairs.
5.1.1 Supported Constructor Parameters
'credentialsprovider': a MATLAB Credential Provider from aws.auth.CredentialProvider.
Caution
Do not pass raw Java SDK objects.
cp = aws.auth.CredentialProvider.getProfileCredentialProvider("analytics");
s3 = aws.s3.Client('credentialsprovider', cp, 'region', "us-west-2");
% Or:
[cp, region] = aws.auth.CredentialProvider.getDefaultCredentialProvider();
s3 = aws.s3.Client('credentialsprovider', cp, 'region', region);
'region': Region string (e.g., "us-east-1") or a software.amazon.awssdk.regions.Region object.
Note
Passing a string is preferred in MATLAB; the base client will convert via Region.of().
'isCrt': Logical flag to enable the AWS CRT HTTP client (true|false).
5.1.2 Fallback Behavior
If you do not supply parameters:
credentialsprovider → resolved via aws.auth.CredentialProvider.getDefaultCredentialProvider()
region → resolved via aws.auth.CredentialProvider.getDefaultCredentialProvider() (region part)
This means you can get started with no parameters when your environment is configured properly.
5.1.3 HTTP Client (CRT & Proxy)
BaseClient applies an HTTP client to the service builder:
If 'isCrt' == true → uses software.amazon.awssdk.http.crt.AwsCrtHttpClient.
Otherwise → optionally configures an Apache HTTP client for proxy support via configProxyHttpClient(obj) (if required and available).
This allows service-wide proxy configuration when CRT is not in use.
5.1.4 Lifecycle & Logging
On successful build, the client logs "Client initialized" and stores the handle.
The client implements cleanup via onCleanup and calls .close() on the Java client in delete.
Logging prefix is service-specific (e.g., AMAZON:S3).
5.2 S3 Client: Examples
5.2.1 Rely on Defaults
s3 = aws.s3.Client();
[getResp, stream] = s3.getObject(bucket="my-bucket", key="hello.txt");
5.2.2 Provide Only Region
s3 = aws.s3.Client('region', "us-east-1");
5.2.3 Use Named Profile
cp = aws.auth.CredentialProvider.getProfileCredentialProvider("analytics");
s3 = aws.s3.Client('credentialsprovider', cp, 'region', "us-west-2");
5.2.4 Use Session Credentials from JSON
creds = loadConfigurationSettings('credentials.json');
cp = aws.auth.CredentialProvider.getSessionCredentialProvider( ...
creds.aws_access_key_id, creds.aws_secret_access_key, creds.aws_session_token);
s3 = aws.s3.Client('credentialsprovider', cp, 'region', "eu-central-1");
5.2.5 Web Identity / IRSA
% Requires env vars: AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE
cp = aws.auth.CredentialProvider.getWebIdentityCredentialProvider();
s3 = aws.s3.Client('credentialsprovider', cp, 'region', "us-west-2");
5.2.6 EC2/ECS Role
cp = aws.auth.CredentialProvider.getInstanceProfileCredentialProvider();
s3 = aws.s3.Client('credentialsprovider', cp, 'region', "us-east-1");
5.2.7 JSON Credentials File Schema
Use this when calling getJsonFileCredentialProvider(jsonFile) or when manually loading credentials.
{
"aws_access_key_id": "AKIA...",
"aws_secret_access_key": "SECRET...",
"aws_session_token": "SESSION_TOKEN",
"region": "us-west-2"
}
Note
If aws_session_token is present and non-empty → builds a session provider.
Otherwise → builds a static provider.
Returns region if present; empty string otherwise.
5.3 Troubleshooting
For common setup and runtime issues, see the dedicated guide:
Troubleshooting.md
5.4 Security Best Practices
Prefer role-based access (IMDS on EC2/ECS, IRSA on EKS) over long-lived keys.
For local development, use named profiles or credential_process.
Avoid embedding secrets in code or config checked into source control.
Rotate temporary credentials regularly.
Never commit credential files to source control.
Apply least-privilege IAM policies.
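A pre-flight check for the JSON credentials file from 5.2.7, applying the same session-versus-static rule as the Note there together with the source-control guidance above. This is an added example, not code from the package: auditCredentialsFile, hasText and the report fields are hypothetical names, and it assumes git is on the path and MATLAB's current folder is inside the repository.

```matlab
function report = auditCredentialsFile(jsonFile)
% Added example; auditCredentialsFile, hasText and the report fields are
% hypothetical names. Secret values are never printed or returned.
    if contains(jsonFile, '"')
        error('auditCredentialsFile:path', 'Path must not contain double quotes.');
    end
    cfg = jsondecode(fileread(jsonFile));
    report = struct('providerKind', "", 'region', "", 'findings', strings(1, 0));

    % Both key fields appear in the schema shown in 5.2.7.
    required = {'aws_access_key_id', 'aws_secret_access_key'};
    for k = 1:numel(required)
        if ~hasText(cfg, required{k})
            report.findings(end+1) = "missing or empty field: " + required{k};
        end
    end

    % Same rule as the Note in 5.2.7: a non-empty session token means a
    % session provider, anything else a static (long-lived) provider.
    if hasText(cfg, 'aws_session_token')
        report.providerKind = "session";
    else
        report.providerKind = "static";
        report.findings(end+1) = "long-lived static key; prefer a role or a named profile";
    end

    % Region is optional; the report keeps an empty string when it is absent.
    if hasText(cfg, 'region')
        report.region = string(cfg.region);
    end

    % git check-ignore -q exits 0 only when the path is ignored, so any other
    % status means the file could be committed or git could not evaluate it.
    [status, ~] = system(sprintf('git check-ignore -q "%s"', jsonFile));
    if status ~= 0
        report.findings(end+1) = "file is not confirmed as git-ignored";
    end
end

function tf = hasText(s, name)
% True when s is a scalar struct whose field 'name' is a non-empty char vector.
% jsondecode returns [] for JSON null, which this treats as absent.
    tf = isstruct(s) && isscalar(s) && isfield(s, name) ...
        && ischar(s.(name)) && ~isempty(s.(name));
end
```

Call it before getJsonFileCredentialProvider(jsonFile) and stop when report.findings is non-empty.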