AWS Command Line Interface
User Guide

Configuration and Credential Files

The CLI stores the credentials that you specify with aws configure in a local file named credentials in a folder named .aws in your home directory. The other configuration options that you specify with aws configure are stored in a local file named config, also stored in the .aws folder in your home directory.

Where you find your home directory location varies based on the operating system, but is referred to using the environment variables %UserProfile% in Windows and $HOME or ~ (tilde) in Unix-based systems.

For example, the following commands list the contents of the .aws folder:

Linux, macOS, or Unix

$ ls ~/.aws


C:\> dir "%UserProfile%\.aws"

The AWS CLI uses two files to keep the sensitive credential information (in ~/.aws/credentials) separated from the less sensitive configuration options (in ~/.aws/config).

You can specify a non-default location for the config file by setting the AWS_CONFIG_FILE environment variable to another local path. See Environment Variables for details.

Storing Credentials in Config

The AWS CLI can also read credentials from the config file. If you want to keep all of your profile settings in a single file, you can. If there are ever credentials in both locations for a profile (say you used aws configure to update the profile's keys), the keys in the credentials file will take precedence.

If you use one of the SDKs in addition to the AWS CLI, you may notice additional warnings if credentials are not stored in their own file.

The files generated by the CLI for the profile configured in the previous section look like this:


[default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY


[default] region=us-west-2 output=json


The preceding examples show the files with a single, default profile. For examples of the files with multiple named profiles, see Named Profiles.

The following settings are supported:

aws_access_key_id – The AWS access key.

aws_secret_access_key – The AWS secret key.

aws_session_token – The AWS session token. A session token is only required if you are using temporary security credentials.

region – The default AWS region to send requests to from this profile.

output – The default output format for this profile.