AWS Documentation » AWS Command Line Interface » User Guide » Configuring the AWS CLI

Configuring the AWS CLI

This section explains how to configure the settings that the AWS CLI uses to interact with AWS, including your security credentials, the default output format, and the default region.

Note

AWS requires that all incoming requests are cryptographically signed. The AWS CLI does this for you. The 'signature' includes a date/time stamp. Therefore, you must ensure that your computer's date and time are set correctly. If you don't, and the date/time in the signature is too far off of the date/time recognized by the AWS service, then AWS rejects the request.

Sections

• Quick Configuration
• Configuration Settings and Precedence
• Configuration and Credential Files
• Named Profiles
• Environment Variables
• Command Line Options
• Instance Metadata
• Using an HTTP Proxy
• Assuming an IAM Role
• Command Completion

Quick Configuration

For general use, the aws configure command is the fastest way to set up your AWS CLI installation.

$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

When you type this command, the AWS CLI prompts you for four pieces of information and stores them in a profile (a collection of settings) named default. This profile is then used any time you run an AWS CLI command that doesn't explicitly specify a profile to use.

Access Key/Credentials

The AWS Access Key ID and AWS Secret Access Key are your AWS credentials. They are associated with an IAM user or role that determines what permissions you have. For a tutorial on how to create a user with the IAM service, see Creating Your First IAM Admin User and Group in the IAM User Guide.

To get the access key ID and secret access key for an IAM user

Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them from the AWS Management Console. We recommend that you use IAM access keys instead of AWS account root user access keys. IAM lets you securely control access to AWS services and resources in your AWS account.

The only time that you can view or download the secret access keys is when you create the keys. You cannot recover them later. However, you can create new access keys at any time. You must also have permissions to perform the required IAM actions. For more information, see Permissions Required to Access IAM Resources in the IAM User Guide.

1. Open the IAM console.

2. In the navigation pane of the console, choose Users.

3. Choose your IAM user name (not the check box).

4. Choose the Security credentials tab and then choose Create access key.

5. To see the new access key, choose Show. Your credentials will look something like this:

   • Access key ID: AKIAIOSFODNN7EXAMPLE

   • Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

6. To download the key pair, choose Download .csv file. Store the keys in a secure location.

   Keep the keys confidential in order to protect your AWS account, and never email them. Do not share them outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your secret key.

Related topics

• What Is IAM? in the IAM User Guide

• AWS Security Credentials in AWS General Reference

Region

The Default region name identifies the region whose servers you want to send your requests to by default. This is typically the region closest to you, but it can be any region. For example, you can type us-west-2 to use US West (Oregon). This is the region that all later requests are sent to, unless you specify otherwise in an individual command.

Note

You must specify an AWS region when using the AWS CLI, either explicitly or by setting a default region. For a list of the available regions, see Regions and Endpoints. The region designators used by the AWS CLI are the same names that you see in AWS Management Console URLs and service endpoints.

Output Format

The Default output format specifies how the results are formatted. The value can be any of the values in the following list. If you don't specify an output format, json is used as the default.

• json: The output is formatted as a JSON string.

• text: The output is formatted as multiple lines of tab-separated string values which can be useful if you want to pass the output to a text processor, like grep, sed, or awk.

• table: The output is formatted as a table using the characters +|- to form the cell borders. It typically presents the information in a "human-friendly" format that is much easier to read than the others, but not as programmatically useful.

Quick Configuration and Multiple Profiles

If you use the command as shown above, the result is a single profile with the name of default. You can also create additional configurations by specifying the name of a profile using the --profile option.

$ aws configure --profile user2
AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: text

Then, when you run a command, you can either omit the --profile option and use the settings stored in the default profile:

$ aws s3 ls

Or you can specify a --profile profilename and use the settings stored under that name:

$ aws s3 ls --profile myuser

To update any of your settings, simply run aws configure again (with or without the --profile parameter depending on which profile you want to update) and enter new values as appropriate. The next sections contain more information about the files that aws configure creates, additional settings, and named profiles.

Configuration Settings and Precedence

The AWS CLI uses a set of credential providers to look for AWS credentials. Each credential provider looks in a different place, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI looks for credentials and configuration settings by invoking the providers in the following order, stopping when it finds a set of credentials to use:

1. Command line options – You can specify --region, --output, and --profile as parameters on the command line.

2. Environment variables – You can store values in the environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. If they are present, then they are used.

3. The CLI credentials file – This is one of the files that is updated when you run the command aws configure. The file is located at ~/.aws/credentials on Linux, macOS, or Unix, or at C:\Users\USERNAME\.aws\credentials on Windows. This file can contains the credential details for the default profile and any named profiles.

4. The CLI configuration file – This is another one of the files that is updated when you run the command aws configure. The file is located at ~/.aws/config on Linux, macOS, or Unix, or at C:\Users\USERNAME\.aws\config on Windows. This file contains the configuration settings for the default profile and any named profiles.

5. Container credentials – You can associate an IAM role with each of your Amazon Elastic Container Service task definitions. Temporary credentials for that role are then available to that task's containers. For more information see IAM Roles for Tasks in the Amazon Elastic Container Service Developer Guide.

6. Instance profile credentials – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances and Using Instance Profiles in the IAM User Guide.