AWS
Amazon S3
deprecated
cloud computing
software development

AmazonS3Clientcredentials is deprecated

Master System Design with Codemia

Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.

Introduction

When you see that AmazonS3Client(credentials) or a similar credentials-based constructor is deprecated, AWS is pushing you away from direct client constructors and toward builder-based configuration. The builder APIs are clearer, easier to extend, and fit the SDK’s credential-provider model better. In practice, the replacement is not “find another constructor.” It is “build the client with a credentials provider and region explicitly, or let the default provider chain do the work.”

Deprecated Constructor vs Builder Pattern

Older AWS SDK for Java v1 code often looked like this:

java
AWSCredentials credentials = new BasicAWSCredentials(accessKey, secretKey);
AmazonS3 s3 = new AmazonS3Client(credentials);

The modern v1-style replacement is builder-based.

java
1import com.amazonaws.auth.AWSStaticCredentialsProvider;
2import com.amazonaws.auth.BasicAWSCredentials;
3import com.amazonaws.services.s3.AmazonS3;
4import com.amazonaws.services.s3.AmazonS3ClientBuilder;
5
6BasicAWSCredentials credentials = new BasicAWSCredentials(accessKey, secretKey);
7
8AmazonS3 s3 = AmazonS3ClientBuilder.standard()
9    .withRegion("us-east-1")
10    .withCredentials(new AWSStaticCredentialsProvider(credentials))
11    .build();

That is the direct migration path when you still use SDK v1.

Prefer the Default Credential Chain When Possible

In many applications, the best answer is not to construct BasicAWSCredentials at all. Let the SDK load credentials from the normal chain instead:

  • environment variables
  • shared AWS config and credentials files
  • EC2 instance profiles
  • ECS task roles
  • Lambda execution roles

That removes secrets from application code and usually gives a cleaner deployment story.

java
AmazonS3 s3 = AmazonS3ClientBuilder.standard()
    .withRegion("us-east-1")
    .build();

If the environment is configured correctly, no hard-coded credentials are needed.

If You Are Moving to SDK v2

The builder idea continues in SDK v2, but the client type changes.

java
1import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
2import software.amazon.awssdk.regions.Region;
3import software.amazon.awssdk.services.s3.S3Client;
4
5S3Client s3 = S3Client.builder()
6    .region(Region.US_EAST_1)
7    .credentialsProvider(DefaultCredentialsProvider.create())
8    .build();

If you are already touching old S3 initialization code, it is worth checking whether a full SDK v2 migration is the better long-term move.

Keep Secrets Out of Source Code

Even if the deprecated constructor still appears in legacy examples, treat this migration as a chance to remove embedded access keys from the application. Builder-based clients work much better with environment credentials, instance roles, and other externalized secret-management approaches.

That usually reduces operational risk immediately. Once credentials stop living in the codebase, rotation and deployment become much easier to manage.

Why AWS Deprecated the Old Style

The deprecated constructors encouraged tightly coupled configuration patterns. Builder APIs improve several things:

  • region selection becomes explicit
  • credential providers fit the broader SDK ecosystem
  • optional settings are easier to add later
  • migration toward newer SDK styles is smoother

So the deprecation is not cosmetic. It reflects a broader move toward standardized client construction.

Migration Can Be Incremental

You do not have to move the whole application to a new SDK style in one step. Replacing deprecated client construction with builders is already a meaningful improvement, and it can be done before a larger refactor toward better credential sourcing or SDK v2 adoption.

Common Pitfalls

  • Replacing one deprecated constructor with another direct constructor instead of using the builder.
  • Hard-coding credentials when the default provider chain would work better.
  • Forgetting to set the region explicitly in builder-based code.
  • Mixing SDK v1 and SDK v2 examples during migration.
  • Treating deprecation as a warning to ignore instead of updating the initialization pattern.

Summary

  • 'AmazonS3Client(credentials) is deprecated in favor of builder-based client creation.'
  • In SDK v1, use AmazonS3ClientBuilder with a credentials provider.
  • Prefer the default credential chain when your runtime environment already supplies credentials.
  • In SDK v2, use S3Client.builder() and the newer credentials providers.
  • The goal of the migration is clearer, more secure, and more extensible client configuration.

Course illustration
Course illustration

All Rights Reserved.