AWS Command Line Interface
User Guide

Configuration and Credential Files

The AWS CLI stores the credentials that you specify with aws configure in a local file named credentials, in a folder named .aws in your home directory. The other configuration options that you specify with aws configure are stored in a local file named config, also stored in the .aws folder in your home directory.

Where you find your home directory location varies based on the operating system, but is referred to using the environment variables %UserProfile% in Windows and $HOME or ~ (tilde) in Unix-based systems.

For example, the following commands list the contents of the .aws folder.

Linux, macOS, or Unix

$ ls ~/.aws

Windows

C:\> dir "%UserProfile%\.aws"

The AWS CLI uses two files to keep the sensitive credential information (in ~/.aws/credentials) separated from the less sensitive configuration options (in ~/.aws/config).

You can specify a nondefault location for the config file by setting the AWS_CONFIG_FILE environment variable to another local path. See Environment Variables for details.

Storing Credentials in the Config File

The AWS CLI can also read credentials from the config file. You can keep all of your profile settings in a single file. If there are ever credentials in both locations for a profile (say you used aws configure to update the profile's keys), the keys in the credentials file take precedence.

If you use one of the SDKs in addition to the AWS CLI, you might notice additional warnings if credentials aren't stored in their own file.

The files generated by the CLI for the profile configured in the previous section look like this.

~/.aws/credentials

[default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

~/.aws/config

[default] region=us-west-2 output=json

Note

The preceding examples show the files with a single, default profile. For examples of the files with multiple named profiles, see Named Profiles.

The following settings are supported:

aws_access_key_id – The AWS access key.

aws_secret_access_key – The AWS secret key.

aws_session_token – The AWS session token. A session token is required only if you are using temporary security credentials.

region – The default AWS Region to send requests to from this profile.

output – The default output format for this profile.