Configuration Settings and Precedence
The AWS CLI uses a set of credential providers to look for AWS credentials.
Each credential provider looks for credentials in a different place, such as
the system or user environment variables, local AWS configuration files, or
explicitly declared on the command line as a parameter. The AWS CLI looks for
credentials and configuration settings by invoking the providers in the
following order, stopping when it finds a set of credentials to use:
- Command line options — You can specify --region,
--output, and --profile as
parameters on the command line.
- Environment variables — You can store values in the environment variables:
‘AWS_ACCESS_KEY_ID’, ‘AWS_SECRET_ACCESS_KEY’, and ‘AWS_SESSION_TOKEN’. If
they are present, they are used.
- CLI credentials file — This is one of the files that is updated when you
run the command
aws configure. The file is located at ~/.aws/credentials
on Linux or macOS. This file can contain the credential details for the
‘default’ profile and any named profiles.
- CLI configuration file — This is another file that is updated when you run
aws configure. The file is located at ~/.aws/config on Linux
or macOS. This file contains the configuration settings for the ‘default’
profile and any named profiles.
- Container credentials — You can associate an IAM role with each of your
Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary
credentials for that role are then available to that task’s containers.
- Instance profile credentials — You can associate an IAM role with each of
your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary
credentials for that role are then available to code running in the
instance. The credentials are delivered through the Amazon EC2 metadata