Python 2.7, 3.4, and 3.5 are being deprecated for the AWS CLI version 1. For more information, see the AWS CLI version 1 section of About the AWS CLI versions.
Environment variables to configure the AWS CLI
Environment variables provide another way to specify configuration options and credentials, and can be useful for scripting or temporarily setting a named profile as the default.
You can't specify AWS Single Sign-On (AWS SSO) authentication by using environment variables. Instead, you must use a named profile in the shared configuration file .aws/config. For more information, see Configuring the AWS CLI to use AWS Single Sign-On.
Precedence of options
- If you specify an option by using one of the environment variables described in this topic, it overrides any value loaded from a profile in the configuration file.
- If you specify an option by using a parameter on the CLI command line, it overrides any value from either the corresponding environment variable or a profile in the configuration file.
For more information about precedence and how the AWS CLI determines which credentials to use, see Configuration settings and precedence.
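To see which of these overrides are active in a shell, the following added example (not part of the AWS documentation) lists each AWS CLI environment variable that is set, together with the profile setting this topic says it overrides. The function names and the "-" marker are assumptions of the example; secret values are redacted in the output.

```sh
#!/bin/sh
# Added example, not AWS code. VARIABLE=profile_setting pairs as listed in this
# topic; "-" marks a variable for which the topic names no profile setting.
AWS_ENV_MAP='AWS_ACCESS_KEY_ID=aws_access_key_id
AWS_SECRET_ACCESS_KEY=aws_secret_access_key
AWS_SESSION_TOKEN=aws_session_token
AWS_CA_BUNDLE=ca_bundle
AWS_CLI_AUTO_PROMPT=cli_auto_prompt
AWS_DEFAULT_OUTPUT=output
AWS_DEFAULT_REGION=region
AWS_MAX_ATTEMPTS=max_attempts
AWS_PAGER=cli_pager
AWS_RETRY_MODE=retry_mode
AWS_ROLE_SESSION_NAME=role_session_name
AWS_PROFILE=-
AWS_CONFIG_FILE=-
AWS_SHARED_CREDENTIALS_FILE=-
AWS_EC2_METADATA_DISABLED=-
AWS_STS_REGIONAL_ENDPOINTS=-
AWS_CLI_FILE_ENCODING=-'

# Print NAME <tab> overridden setting <tab> value for every variable that is
# set. Secrets are redacted so the report is safe to paste into a ticket.
aws_env_audit() (
  printf '%s\n' "$AWS_ENV_MAP" | while IFS='=' read -r var setting; do
    # Names come from the fixed map above, so eval never sees untrusted text.
    eval "isset=\${$var+x}; value=\${$var-}"
    [ -n "$isset" ] || continue  # set-but-empty counts: AWS_PAGER="" disables paging
    case $var in
      AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN) value='<redacted>' ;;
      AWS_ACCESS_KEY_ID) value="$(printf '%.4s' "$value")<redacted>" ;;
    esac
    printf '%s\t%s\t%s\n' "$var" "$setting" "$value"
  done
)

# True when a secret key is present without a session token, meaning the
# environment holds credentials that are not temporary STS credentials.
aws_env_has_long_term_keys() {
  [ -n "${AWS_SECRET_ACCESS_KEY+x}" ] && [ -z "${AWS_SESSION_TOKEN+x}" ]
}

aws_env_audit
if aws_env_has_long_term_keys; then
  echo 'review: access keys without a session token are set' >&2
fi
```

Source the file or run it in the shell you want to inspect; a command line parameter such as --region still overrides anything it reports.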
How to set environment variables
The following examples show how you can configure environment variables for the default user.
AWS CLI supported environment variables
The AWS CLI supports the following environment variables.
AWS_ACCESS_KEY_ID
Specifies an AWS access key associated with an IAM user or role.
If defined, this environment variable overrides the value for the profile setting aws_access_key_id. You can't specify the access key ID by using a command line option.

AWS_CA_BUNDLE
Specifies the path to a certificate bundle to use for HTTPS certificate validation.
If defined, this environment variable overrides the value for the profile setting ca_bundle. You can override this environment variable by using the --ca-bundle command line parameter.

AWS_CLI_AUTO_PROMPT
This feature is available only with AWS CLI version 2. It isn't available if you run AWS CLI version 1. For information on how to install version 2, see Installing, updating, and uninstalling the AWS CLI version 2.
Enables the auto-prompt for the AWS CLI version 2. There are two settings that can be used:
- on uses the full auto-prompt mode each time you attempt to run an aws command. This includes pressing ENTER after either a complete or an incomplete command.
  aws_cli_auto_prompt=on
- on-partial uses partial auto-prompt mode. If a command is incomplete or cannot be run due to client-side validation errors, auto-prompt is used. This mode is particularly useful if you have pre-existing scripts, runbooks, or you only want to be auto-prompted for commands you are unfamiliar with rather than prompted on every command.
  aws_cli_auto_prompt=on-partial
If defined, this environment variable overrides the value for the cli_auto_prompt profile setting. You can override this environment variable by using the --cli-auto-prompt and --no-cli-auto-prompt command line parameters.
For information on the AWS CLI version 2 auto-prompt feature, see Having the AWS CLI prompt you for commands.

AWS_CLI_FILE_ENCODING
AWS CLI version 2 only. Specifies the encoding used for text files. By default encoding matches your locale. To set encoding different from the locale, use the aws_cli_file_encoding environment variable. For example, if you use Windows with default encoding CP1252, setting aws_cli_file_encoding=UTF-8 sets the CLI to open text files using UTF-8.

AWS_CONFIG_FILE
Specifies the location of the file that the AWS CLI uses to store configuration profiles. The default path is ~/.aws/config.
You can't specify this value in a named profile setting or by using a command line parameter.

AWS_DEFAULT_OUTPUT
Specifies the output format to use.
If defined, this environment variable overrides the value for the profile setting output. You can override this environment variable by using the --output command line parameter.

AWS_DEFAULT_REGION
Specifies the AWS Region to send the request to.
If defined, this environment variable overrides the value for the profile setting region. You can override this environment variable by using the --region command line parameter.

AWS_EC2_METADATA_DISABLED
Disables the use of the Amazon EC2 instance metadata service (IMDS).
If set to false, user credentials or configuration (like the region) are not requested from IMDS.

AWS_MAX_ATTEMPTS
Specifies a value of maximum retry attempts the AWS CLI retry handler uses, where the initial call counts toward the value that you provide. For more information on retries, see AWS CLI retries.
If defined, this environment variable overrides the value for the profile setting max_attempts.

AWS_PAGER
Specifies the pager program used for output. By default, AWS CLI version 2 returns all output through your operating system’s default pager program.
To disable all use of an external paging program, set the variable to an empty string.
If defined, this environment variable overrides the value for the profile setting cli_pager.

AWS_PROFILE
Specifies the name of the CLI profile with the credentials and options to use. This can be the name of a profile stored in a credentials or config file, or the value default to use the default profile.
If defined, this environment variable overrides the behavior of using the profile named [default] in the configuration file. You can override this environment variable by using the --profile command line parameter.

AWS_RETRY_MODE
Specifies which retry mode AWS CLI uses. There are three retry modes available: legacy (default), standard, and adaptive. For more information on retries, see AWS CLI retries.
If defined, this environment variable overrides the value for the profile setting retry_mode.

AWS_ROLE_SESSION_NAME
Specifies a name to associate with the role session. This value appears in CloudTrail logs for commands performed by the user of this profile.
If defined, this environment variable overrides the value for the profile setting role_session_name. You can't specify a role session name as a command line parameter.

AWS_SECRET_ACCESS_KEY
Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
If defined, this environment variable overrides the value for the profile setting aws_secret_access_key. You can't specify the secret access key ID as a command line option.

AWS_SESSION_TOKEN
Specifies the session token value that is required if you are using temporary security credentials that you retrieved directly from AWS STS operations. For more information, see the Output section of the assume-role command in the AWS CLI Command Reference.
If defined, this environment variable overrides the value for the profile setting aws_session_token. You can't specify the session token as a command line option.

AWS_SHARED_CREDENTIALS_FILE
Specifies the location of the file that the AWS CLI uses to store access keys. The default path is ~/.aws/credentials.
You can't specify this value in a named profile setting or by using a command line parameter.

AWS_STS_REGIONAL_ENDPOINTS
Specifies how the AWS CLI determines the AWS service endpoint that the AWS CLI client uses to talk to the AWS Security Token Service (AWS STS).
- The default value for AWS CLI version 1 is legacy.
- The default value for AWS CLI version 2 is regional.
You can specify one of two values:
- legacy – Uses the global STS endpoint, sts.amazonaws.com, for the following AWS Regions: ap-northeast-1, ap-south-1, ap-southeast-1, ap-southeast-2, aws-global, ca-central-1, eu-central-1, eu-north-1, eu-west-1, eu-west-2, eu-west-3, sa-east-1, us-east-1, us-east-2, us-west-1, and us-west-2. All other Regions automatically use their respective regional endpoint.
- regional – The AWS CLI always uses the AWS STS endpoint for the currently configured Region. For example, if the client is configured to use us-west-2, all calls to AWS STS are made to the regional endpoint sts.us-west-2.amazonaws.com instead of the global sts.amazonaws.com endpoint. To send a request to the global endpoint while this setting is enabled, you can set the Region to aws-global.
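
The endpoint selection described above, written out as an added example that is not part of the AWS documentation: it resolves the STS hostname for each mode and lists the hostnames that appear only under regional, which are the egress rules to add when a host moves from the version 1 default to the version 2 default. The function names are hypothetical, ap-east-1 is a sample Region outside the legacy list, and applying the sts.REGION.amazonaws.com pattern to every Region is an assumption based on the us-west-2 example.

```sh
#!/bin/sh
# Added example, not AWS code. Regions that "legacy" maps to the global
# endpoint, copied from the list in this topic.
LEGACY_GLOBAL_REGIONS='ap-northeast-1 ap-south-1 ap-southeast-1 ap-southeast-2
aws-global ca-central-1 eu-central-1 eu-north-1 eu-west-1 eu-west-2 eu-west-3
sa-east-1 us-east-1 us-east-2 us-west-1 us-west-2'

# sts_endpoint MODE REGION -> hostname the CLI would use for AWS STS calls.
sts_endpoint() {
  case $1 in
    legacy)
      case " $(echo $LEGACY_GLOBAL_REGIONS) " in
        *" $2 "*) echo sts.amazonaws.com ;;
        *) echo "sts.$2.amazonaws.com" ;;   # all other Regions: regional endpoint
      esac ;;
    regional)
      if [ "$2" = aws-global ]; then echo sts.amazonaws.com
      else echo "sts.$2.amazonaws.com"; fi ;;
    *) echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# sts_allowlist MODE REGION... -> sorted, de-duplicated hostnames to allow.
sts_allowlist() (
  mode=$1; shift
  for region in "$@"; do sts_endpoint "$mode" "$region"; done | LC_ALL=C sort -u
)

# sts_hosts_added_by_regional REGION... -> hostnames needed under "regional"
# that an allow-list built for "legacy" does not already contain.
sts_hosts_added_by_regional() (
  old=$(sts_allowlist legacy "$@")
  sts_allowlist regional "$@" | while read -r host; do
    printf '%s\n' "$old" | grep -qxF "$host" || printf '%s\n' "$host"
  done
)

# Constructed sample: two Regions from the legacy list and one outside it.
sts_hosts_added_by_regional us-east-1 eu-west-1 ap-east-1
```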