AWS SDKs let your applications talk to AWS services programmatically. The most popular is boto3 for Python. With boto3, your application can upload to S3, query DynamoDB, send SNS notifications, and manage EC2 — all from code.
```python
import boto3

# Create a client (low-level API)
s3 = boto3.client('s3')
response = s3.list_buckets()
for bucket in response['Buckets']:
    print(bucket['Name'])

# Create a resource (high-level OOP API)
s3_resource = boto3.resource('s3')
bucket = s3_resource.Bucket('my-bucket')
bucket.upload_file('local-file.txt', 'remote-key.txt')

# DynamoDB example
dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table('users')
table.put_item(Item={'user_id': '123', 'name': 'Alice', 'age': 30})
response = table.get_item(Key={'user_id': '123'})
print(response['Item'])
```

| Environment | Recommended Auth Method | Why |
|---|---|---|
| EC2 Instance | IAM Role attached to instance | Auto-rotating temporary credentials |
| Lambda Function | IAM Role attached to function | Same — auto-rotating, no key management |
| Local Development | AWS CLI configured profile | Use your developer credentials |
| CI/CD Pipeline | OIDC (GitHub Actions) or IAM Role | No long-term keys in pipeline config |
| NEVER | Hard-coded access keys in code | Keys get committed to Git and leaked |
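
The last row of the table can be enforced before code reaches Git. The check below is an added example, not part of the original page: it parses a Python file and flags string literals passed to boto3's credential keyword arguments, plus any literal shaped like an access key ID. The function name and the sample sources are constructed for illustration.

```python
import ast
import re

# Keyword arguments boto3.client/resource/Session accept for explicit credentials.
CRED_KWARGS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}
# Access key IDs are 20 characters: long-term keys start with AKIA, temporary ones with ASIA.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


def find_hardcoded_credentials(source, filename="<string>"):
    """Return sorted (line, reason) findings for one Python source string."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename=filename)):
        # Case 1: a credential keyword argument given as a string literal.
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if (kw.arg in CRED_KWARGS
                        and isinstance(kw.value, ast.Constant)
                        and isinstance(kw.value.value, str)):
                    findings.add((kw.value.lineno, f"literal passed as {kw.arg}"))
        # Case 2: any string literal that looks like an access key ID,
        # which also catches keys assigned to a variable first.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if KEY_ID_RE.search(node.value):
                findings.add((node.lineno, "string matches access key ID format"))
    return sorted(findings)


# Constructed sample inputs; the key and secret are placeholders, not real credentials.
SAMPLE_BAD = '''\
import boto3
KEY = "AKIAEXAMPLEEXAMPLE00"
s3 = boto3.client(
    "s3",
    aws_access_key_id=KEY,
    aws_secret_access_key="constructed-placeholder-not-a-real-secret",
)
'''
SAMPLE_GOOD = '''\
import boto3
s3 = boto3.client("s3")
'''

if __name__ == "__main__":
    for line, reason in find_hardcoded_credentials(SAMPLE_BAD):
        print(f"line {line}: {reason}")
```

Run as a pre-commit hook or CI step, a non-empty result should fail the build; the clean sample shows the form the table recommends, where boto3 resolves credentials from the role or profile on its own.
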
```python
import boto3
from botocore.exceptions import ClientError, NoCredentialsError

s3 = boto3.client('s3')

try:
    s3.download_file('my-bucket', 'file.txt', '/tmp/file.txt')
except ClientError as e:
    # The service error code is carried in the parsed response
    error_code = e.response['Error']['Code']
    if error_code == '404':
        print('File not found in S3')
    elif error_code == '403':
        print('Access denied - check IAM permissions')
    else:
        # Do not silently swallow errors this handler does not recognize
        raise
except NoCredentialsError:
    print('AWS credentials not configured')
```