Configuration Settings and Precedence

The AWS CLI uses a set of credential providers to look for AWS credentials. Each credential provider looks for credentials in a different place, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI looks for credentials and configuration settings by invoking the providers in the following order, stopping when it finds a set of credentials to use:

1. Command line options — You can specify --region, --output, and --profile as parameters on the command line.
2. Environment variables — You can store values in the environment variables: ‘AWS_ACCESS_KEY_ID’, ‘AWS_SECRET_ACCESS_KEY’, and ‘AWS_SESSION_TOKEN’. If they are present, they are used.
3. CLI credentials file — This is one of the files that is updated when you run the command aws configure. The file is located at ~/.aws/credentials on Linux or macOS. This file can contain the credential details for the ‘default’ profile and any named profiles.
4. CLI configuration file — This is another file that is updated when you run the command aws configure. The file is located at ~/.aws/config on Linux or macOS. This file contains the configuration settings for the ‘default’ profile and any named profiles.
5. Container credentials — You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task’s containers.
6. Instance profile credentials — You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service.