Add a documentation page for AWS credentials

mnapoli · mnapoli · commit b564c6d38a75 · 2025-08-18T15:22:15.000+02:00
diff --git a/docs/environment/_meta.json b/docs/environment/_meta.json
@@ -9,5 +9,6 @@
   "database-public": {
     "display": "hidden"
   },
+  "aws-credentials": "AWS credentials",
   "performances": "Performance"
 }
diff --git a/docs/environment/aws-credentials.mdx b/docs/environment/aws-credentials.mdx
@@ -0,0 +1,169 @@
+import { NextSeo } from 'next-seo';
+import { Callout, Tabs } from 'nextra/components';
+
+<NextSeo description="Access other AWS services from AWS Lambda by using the built-in AWS credentials." />
+
+# AWS credentials on AWS Lambda
+
+When your PHP application runs on AWS Lambda, it automatically has access to AWS credentials. This means you don't need to manage AWS access keys or credentials in your code - Lambda handles this for you.
+
+<Callout type="warning">
+**Common mistake**: Don't put AWS access keys in your Lambda functions or environment variables. Lambda provides credentials automatically.
+</Callout>
+
+## How it works
+
+Lambda functions **automatically get AWS access keys** in their environment variables. These credentials are temporary and managed by AWS, so you don't have to worry about rotating them or keeping them secure.
+
+```php
+echo $_SERVER['AWS_ACCESS_KEY_ID']; // AKIAIOSFODNN7EXAMPLE
+echo $_SERVER['AWS_SECRET_ACCESS_KEY']; // wJalrXUtnFEM
+echo $_SERVER['AWS_SESSION_TOKEN']; // AQoEXAMPLEH4aoAH0gNCAPy...
+```
+
+The PHP AWS SDK automatically detects and uses them. Here's an example with S3:
+
+```php
+$s3 = new \Aws\S3\S3Client([
+    'version' => 'latest',
+    'region' => $_SERVER['AWS_REGION'],
+    // No credentials needed, the SDK uses the environment variables automatically
+]);
+
+// Use S3 normally
+$result = $s3->putObject([
+    'Bucket' => 'my-bucket',
+    'Key' => 'file.txt',
+    'Body' => 'Hello from Lambda!'
+]);
+
+// Note that this also works with https://async-aws.com
+```
+
+These credentials have access controlled by an IAM role defined in `serverless.yml`.
+
+<Callout type="info">
+    By default, Lambda functions **don't have any access** (principle of least privilege). To access other AWS services (like S3 or SQS), you need to add permissions to that IAM role in `serverless.yml` (read below).
+</Callout>
+
+## Adding permissions
+
+To grant your Lambda function access to AWS services, add IAM statements to your `serverless.yml`:
+
+```yaml
+service: my-app
+
+provider:
+    name: aws
+    iam:
+        role:
+            statements:
+                # IAM statements here...
+
+functions:
+    # ...
+```
+
+### Example: S3
+
+To read and write files to an S3 bucket:
+
+```yaml
+provider:
+    name: aws
+    iam:
+        role:
+            statements:
+                # Allow Lambda to read and write to S3
+                -   Effect: Allow
+                    Action:
+                        - s3:GetObject
+                        - s3:PutObject
+                        - s3:DeleteObject
+                    Resource: arn:aws:s3:::my-bucket/*
+                # Allow listing bucket contents
+                -   Effect: Allow
+                    Action: s3:ListBucket
+                    Resource: arn:aws:s3:::my-bucket
+```
+
+<Callout>
+    If you use the [Lift `storage` construct](./storage.mdx#s3-storage) to create S3 buckets, it [automatically adds the necessary permissions](https://github.com/getlift/lift/blob/master/docs/storage.md#permissions) to your functions. No need to set up permissions manually!
+</Callout>
+
+### Example: SQS
+
+To send and receive messages from SQS queues:
+
+```yaml
+provider:
+    name: aws
+    iam:
+        role:
+            statements:
+                # Allow Lambda to access an SQS queue
+                -   Effect: Allow
+                    Action:
+                        - sqs:SendMessage
+                        - sqs:ReceiveMessage
+                        - sqs:DeleteMessage
+                        - sqs:GetQueueAttributes
+                    Resource: arn:aws:sqs:${aws:region}:${aws:accountId}:my-queue
+```
+
+<Callout>
+    If you use the [Lift `queue` construct](../use-cases/sqs.mdx#creating-sqs-queues) to create SQS queues, it [automatically adds the necessary permissions](https://github.com/getlift/lift/blob/master/docs/queue.md#permissions) to your functions. No need to set up permissions manually!
+</Callout>
+
+## Common services and permissions
+
+Here are the IAM actions you'll typically need for common AWS services:
+
+### DynamoDB
+```yaml
+- Effect: Allow
+  Action:
+    - dynamodb:GetItem
+    - dynamodb:PutItem
+    - dynamodb:UpdateItem
+    - dynamodb:DeleteItem
+    - dynamodb:Query
+    - dynamodb:Scan
+  Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/my-table
+```
+
+### Secrets Manager
+```yaml
+- Effect: Allow
+  Action:
+    - secretsmanager:GetSecretValue
+  Resource: arn:aws:secretsmanager:${aws:region}:${aws:accountId}:secret:my-secret-*
+```
+
+### SNS (notifications)
+```yaml
+- Effect: Allow
+  Action:
+    - sns:Publish
+  Resource: arn:aws:sns:${aws:region}:${aws:accountId}:my-topic
+```
+
+## Troubleshooting
+
+### Access Denied errors
+
+If you get "Access Denied" errors when trying to use AWS services:
+
+1. Check that you've added the correct IAM permissions in `serverless.yml`
+2. Verify the resource ARN is correct (bucket name, queue name, etc.)
+3. Make sure you've redeployed after adding permissions
+4. [Check the logs](./logs.mdx) for the exact error message
+
+### Testing locally
+
+When testing locally remember that you will need to provide AWS credentials since you're not running on Lambda. You can set them up via long-lived AWS access keys or IAM roles with SSO.
+
+## Learn more
+
+- [`serverless.yml` IAM guide](https://github.com/oss-serverless/serverless/blob/main/docs/guides/iam.md)
+- [Documentation of the AWS SDK for PHP](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/)
diff --git a/docs/environment/database-public.md b/docs/environment/database-public.md
@@ -12,10 +12,6 @@ introduction: Configure RDS to expose a RDS database publicly so that you can ac
 
 A secure alternative is to set up an SSH tunnel instead, for example **[using 7777](https://port7777.com/?utm_source=bref)**.
 
-## Limitations
-
-Aurora Serverless databases cannot be made publicly accessible.
-
 ## How to
 
 Open the RDS instance in the [RDS console](https://console.aws.amazon.com/rds/home#databases:):
diff --git a/docs/environment/storage.mdx b/docs/environment/storage.mdx
@@ -42,7 +42,7 @@ constructs:
         type: storage
 ```
 
-Read more <a href="https://github.com/getlift/lift/blob/master/docs/storage.md">in the Lift documentation</a>.
+Read more [in the Lift documentation](https://github.com/getlift/lift/blob/master/docs/storage.md).
 
 ## Application cache
 

Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,6 @@`
`9`	`9`	`"database-public": {`
`10`	`10`	`"display": "hidden"`
`11`	`11`	`},`
	`12`	`+ "aws-credentials": "AWS credentials",`
`12`	`13`	`"performances": "Performance"`
`13`	`14`	`}`