---
layout: "docs"
page_title: "Vault Agent Auto-Auth AWS Method"
sidebar_title: "AWS"
sidebar_current: "docs-agent-autoauth-methods-aws"
description: |-
  AWS Method for Vault Agent Auto-Auth
---

# Vault Agent Auto-Auth AWS Method

The `aws` method performs authentication against the [AWS Auth
method](https://www.vaultproject.io/docs/auth/aws.html). Both `ec2` and `iam`
authentication types are supported. If `ec2` is used, the agent will store the
reauthentication value in memory and use it for reauthenticating, but will not
persist it to disk.

Due to the complexity of the Trust On First Use (TOFU) model used in the `ec2`
method, we recommend the `iam` method when possible.

## Credentials

Vault will use the AWS SDK's normal credential chain behavior, which means it
will use the first valid credentials it finds in the following order:

1. A static credential configuration
2. Environment variables
3. A file containing credentials
4. Identity services available in its physical environment, such as container environment variables or role-based instance metadata

Wherever possible, we recommend using identity services (method 4) for credentials.
These rotate regularly and require no effort on your part to provision, making
identity services the most secure of the four methods. If using identity services _and_ a custom
`credential_poll_interval`, be sure the interval is short enough to pick up new credentials
from the physical environment as they become available.

To use identity services, choose the `iam` type and leave the `access_key`, `secret_key`, and `session_token`
parameters unset in your configuration.

## Configuration

- `type` `(string: required)` - The type of authentication; must be `ec2` or `iam`.

- `role` `(string: required)` - The role to authenticate against on Vault.

- `credential_poll_interval` `(integer: optional)` - In seconds, how frequently the Vault agent should check for new credentials if using the `iam` type.

- `access_key` `(string: optional)` - When using static credentials, the access key to use.

- `secret_key` `(string: optional)` - When using static credentials, the secret key to use.

- `session_token` `(string: optional)` - The session token to use for authentication, if needed.

- `header_value` `(string: optional)` - If configured in Vault, the value to use for
  [`iam_server_id_header_value`](https://www.vaultproject.io/api/auth/aws/index.html#iam_server_id_header_value).

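
The following agent configuration is an added example, not part of the original documentation. It shows the `iam` type relying on identity services, with the static credential parameters left unset. The Vault address, mount path, role name, poll interval, header value, and sink path are placeholder assumptions.

```hcl
# Added example: Vault Agent auto-auth with the aws method, iam type.
# Every value below is a placeholder chosen for illustration.
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  method "aws" {
    # Assumed mount point of the AWS auth method on the Vault server.
    mount_path = "auth/aws"

    config = {
      type = "iam"
      role = "example-app-role"

      # access_key, secret_key, and session_token are deliberately unset so
      # the AWS SDK credential chain can reach identity services (item 4 in
      # the list above). Because static configuration, environment variables,
      # and credential files are checked first, make sure none of them are
      # present in the agent's environment (for example AWS_ACCESS_KEY_ID).
      #
      # Discouraged static alternative, shown only for contrast:
      #   access_key = "<static-access-key-placeholder>"
      #   secret_key = "<static-secret-key-placeholder>"

      # Seconds between checks for new credentials; keep it well below the
      # lifetime of the credentials the environment issues.
      credential_poll_interval = 60

      # Only needed if iam_server_id_header_value is configured in Vault;
      # the value must match what the server expects.
      header_value = "vault.example.internal"
    }
  }

  # The resulting Vault token is written here; restrict access to this path.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
    }
  }
}
```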