
They look at code on stackoverflow and the web that initializes the SDK resources and has you explicitly put the access key and secret key in code.

For instance, the correct way to initialize the s3 client in Python is

     import boto3

     # No keys in code: the SDK walks its default credential chain
     s3 = boto3.client('s3')

The SDK will automatically get the credentials that are configured locally within your environment or the IAM role attached to your Lambda, EC2 instance, Docker (ECS, EKS) container runner, etc.

Your access keys never need to be part of your repository.
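An added example, not code from the thread: a small standard-library check that flags the copy-paste anti-pattern the comment describes, credentials passed as string literals to boto3.client/resource/Session, plus any string literal shaped like an IAM user access key ID (AKIA followed by 16 characters). The sample source and the key values in it are constructed for this illustration and are not real credentials.

```python
import ast
import re

# Keyword arguments that embed long-lived credentials directly in code.
CREDENTIAL_KWARGS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}
# boto3 entry points that accept those keywords.
BOTO3_FACTORIES = {"client", "resource", "Session"}
# IAM user access key IDs have this well-known shape.
ACCESS_KEY_RE = re.compile(r"AKIA[0-9A-Z]{16}")

# Constructed sample source for the scanner (keys below are fake).
SAMPLE_SOURCE = '''\
import boto3

# Anti-pattern: long-lived IAM user keys pasted straight into the repository.
s3_bad = boto3.client(
    "s3",
    aws_access_key_id="AKIAEXAMPLEEXAMPLE01",
    aws_secret_access_key="constructed-not-a-real-secret",
)

# Same problem, one indirection away.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE02"

# Correct form: credentials come from the environment, profile or IAM role.
s3_good = boto3.client("s3")
'''


def _is_boto3_factory(call):
    """True for boto3.client(...), boto3.resource(...) and boto3.Session(...)."""
    func = call.func
    return (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "boto3" and func.attr in BOTO3_FACTORIES)


def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_credentials(source):
    """Return sorted (line, reason) pairs for credentials embedded in source."""
    findings, seen = [], set()
    for node in ast.walk(ast.parse(source)):  # parents are visited before children
        if isinstance(node, ast.Call) and _is_boto3_factory(node):
            for kw in node.keywords:
                if kw.arg in CREDENTIAL_KWARGS and _is_str(kw.value):
                    findings.append((kw.value.lineno, f"literal {kw.arg} passed to boto3.{node.func.attr}"))
                    seen.add(id(kw.value))  # avoid reporting the same literal twice
        elif _is_str(node) and id(node) not in seen and ACCESS_KEY_RE.fullmatch(node.value):
            findings.append((node.lineno, "string literal shaped like an AWS access key ID"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Pointing the scanner at real files instead of SAMPLE_SOURCE turns it into a cheap pre-commit guard for exactly this mistake.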



yep this is the one. feels like a lot of people just copy-paste from stackoverflow without realizing they're hardcoding keys. have you seen this cause issues in prod or mostly in hobby stuff?



