
feat: warn when long-term IAM credentials (AKIA) are detected#4751

Open: sotanengel wants to merge 2 commits into boto:develop from sotanengel:feat/warn-long-term-credentials

Conversation

@sotanengel

Summary

When boto3 detects that a session is using long-term IAM user credentials (access key IDs prefixed with AKIA), it now emits a CredentialSecurityWarning via Python's warnings module.

Long-term credentials do not expire automatically and carry a higher risk than temporary credentials obtained through IAM roles, IAM Identity Center (SSO), or AWS STS AssumeRole.

Behaviour

  • Warning is emitted at most once per Session instance.
  • Skipped when the caller explicitly passes aws_access_key_id to client() or resource(), as the override is assumed intentional.
  • Silenced by setting AWS_SUPPRESS_CREDENTIAL_WARNINGS=1.
  • Temporary credentials (ASIA prefix from STS) are not warned about.

Usage example

import os
import warnings

import boto3

# Emits CredentialSecurityWarning if ~/.aws/credentials contains an AKIA key
client = boto3.client('s3')

# Silence the warning globally (takes effect for clients created after this point)
os.environ['AWS_SUPPRESS_CREDENTIAL_WARNINGS'] = '1'

# Or filter programmatically
warnings.filterwarnings('ignore', category=boto3.exceptions.CredentialSecurityWarning)

Warning message

boto3 detected long-term AWS credentials (access key ID starting with 'AKIA').
Long-term credentials do not expire automatically and may pose a security risk
if compromised. Consider switching to a safer alternative:
  - IAM roles (recommended for EC2 / Lambda / ECS / EKS)
  - IAM Identity Center (SSO) for local development: `aws sso login`
  - AWS STS AssumeRole for cross-account access
To suppress this warning, set the environment variable AWS_SUPPRESS_CREDENTIAL_WARNINGS=1.

Changes

File                        Change
boto3/exceptions.py         Add CredentialSecurityWarning class
boto3/session.py            Add _warn_if_long_term_credentials(), call from client()
tests/unit/test_session.py  6 new test cases

Tests

All 36 tests pass (python -m pytest tests/unit/test_session.py).

New test cases:

  • ✅ warns for AKIA credentials
  • ✅ no warning for temporary ASIA credentials
  • ✅ no warning when explicit aws_access_key_id is passed
  • ✅ warning issued only once per session
  • ✅ no warning when AWS_SUPPRESS_CREDENTIAL_WARNINGS=1
  • ✅ no warning when credentials are None
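The four rules in the Behaviour section, modelled as a stand-alone check with a capturing helper. This is an added illustration, not the PR's own boto3/session.py code: SessionState, warn_if_long_term_credentials, count_emitted and the optional env mapping (added so the opt-out can be exercised without touching os.environ) are hypothetical, and the access key IDs used in the test are constructed placeholders.

```python
import os
import warnings


class CredentialSecurityWarning(UserWarning):
    """Emitted when a session resolves to long-term IAM user credentials."""


LONG_TERM_PREFIX = "AKIA"  # IAM user access keys: never expire on their own
SUPPRESS_ENV_VAR = "AWS_SUPPRESS_CREDENTIAL_WARNINGS"
WARNING_TEXT = (
    "Detected long-term AWS credentials (access key ID starting with 'AKIA'). "
    "Prefer IAM roles, IAM Identity Center (SSO) or STS AssumeRole; set "
    f"{SUPPRESS_ENV_VAR}=1 to suppress this warning."
)


class SessionState:
    """Hypothetical stand-in for a boto3 Session: the resolved key plus a once-only flag."""

    def __init__(self, access_key_id):
        self.access_key_id = access_key_id  # what the credential chain resolved to, or None
        self._warned = False


def warn_if_long_term_credentials(session, explicit_access_key_id=None, env=None):
    """Apply the four rules from the PR text; return True if a warning was emitted."""
    env = os.environ if env is None else env
    if session._warned:                                  # at most once per session
        return False
    if explicit_access_key_id is not None:               # explicit override is intentional
        return False
    if env.get(SUPPRESS_ENV_VAR) == "1":                 # opt-out via environment
        return False
    key = session.access_key_id
    if not key or not key.startswith(LONG_TERM_PREFIX):  # None, or temporary ASIA key
        return False
    session._warned = True
    warnings.warn(WARNING_TEXT, CredentialSecurityWarning, stacklevel=2)
    return True


def count_emitted(session, explicit_access_key_id=None, env=None):
    """Run the check with warnings captured and return how many were emitted."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always", CredentialSecurityWarning)
        warn_if_long_term_credentials(session, explicit_access_key_id, env)
    return sum(issubclass(w.category, CredentialSecurityWarning) for w in caught)
```

In a real integration the same check would run inside client() and resource(), and callers would filter it with warnings.filterwarnings('ignore', category=CredentialSecurityWarning).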

sotanengel and others added 2 commits April 4, 2026 08:15
When boto3 detects that a session is using long-term IAM user
credentials (access key IDs prefixed with 'AKIA'), it now emits a
CredentialSecurityWarning via Python's warnings module.

Long-term credentials do not expire automatically and carry a higher
risk than temporary credentials obtained through IAM roles, IAM
Identity Center (SSO), or AWS STS AssumeRole.

Behaviour:
- Warning is emitted at most once per Session instance.
- Skipped when the caller explicitly passes aws_access_key_id to
  client() or resource(), as the override is assumed intentional.
- Silenced by setting AWS_SUPPRESS_CREDENTIAL_WARNINGS=1.
- Temporary credentials (ASIA prefix) are not warned about.

A new CredentialSecurityWarning class is added to boto3.exceptions so
callers can filter or silence the warning with warnings.filterwarnings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@sotanengel (Author)

Hi @alexgromero 👋 Thank you so much for your continued work on boto3!

I'd love to get your thoughts on this PR when you have a moment. 🙏

Summary of the change:
This PR adds a CredentialSecurityWarning that boto3 emits (via Python's standard warnings module) whenever it detects that a session is using long-term IAM user credentials — i.e., access key IDs prefixed with AKIA.

Long-term credentials don't expire automatically, which makes them a higher-risk option compared to temporary credentials from IAM roles, IAM Identity Center (SSO), or AWS STS AssumeRole. A gentle, opt-out-able warning at the point of client() creation seems like a low-friction way to nudge users toward safer practices.

Design decisions I'd appreciate feedback on:

  • The warning is suppressed via the AWS_SUPPRESS_CREDENTIAL_WARNINGS=1 env var — happy to bikeshed on the name if there's a preferred convention.
  • The warning fires at most once per Session instance to avoid spamming logs.
  • Explicitly passing aws_access_key_id to client() suppresses the warning, on the assumption that the caller is intentionally overriding credentials.

All 36 existing unit tests pass, 6 new test cases are included, and ruff lint/format checks are clean.

No rush at all — I really appreciate any feedback you can share! 😊
