Version: 0.8

AWS Configuration

AWS-backed plugins such as S3, SQS, SNS, Glue, Lambda, DynamoDB share common credentials configuration. The same config is used by the S3 backend in File Sources.

Credentials

Credentials are configured under credentials:

credentials:
  use_default: true
  region: "us-east-1"

Field	Description
`use_default`	Use the default AWS credential chain (env vars, shared config, instance profile). Recommended.
`id`	AWS access key ID.
`secret`	AWS secret access key.
`token`	AWS session token.
`profile`	Profile name from the shared credentials file.
`role`	IAM role ARN to assume.
`role_external_id`	External ID for cross-account role assumption.
`region`	AWS region.
`endpoint`	Custom endpoint URL (useful for LocalStack or other S3-compatible services).

Default credential chain

The recommended option. Marmot will pick up credentials from environment variables, ~/.aws/credentials, ~/.aws/config, container credentials or EC2/EKS instance profiles in the usual order.

credentials:
  use_default: true
  region: "us-east-1"

Static credentials

Provide an access key pair directly. Use a session token for temporary credentials.

credentials:
  id: "AKIA..."
  secret: "..."
  region: "us-east-1"

Named profile

Use a named profile from ~/.aws/credentials or ~/.aws/config.

credentials:
  profile: "my-profile"
  region: "us-east-1"

Assume role

Assume an IAM role after loading the base credentials. role_external_id is supported for cross-account assumption.

credentials:
  use_default: true
  role: "arn:aws:iam::123456789012:role/MarmotReader"
  role_external_id: "optional-external-id"
  region: "us-east-1"

Custom endpoint

Point at a non-AWS endpoint such as LocalStack.

credentials:
  use_default: true
  region: "us-east-1"
  endpoint: "http://localhost:4566"

Credentials​

Default credential chain​

Static credentials​

Named profile​

Assume role​

Custom endpoint​