Configuration and credential file settings in the AWS CLI
You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI.
The files are divided intoprofiles. By default, the AWS CLI uses the settings found in the profile nameddefault. To use alternate settings, you can create and reference additional profiles.
You can override an individual setting by either setting one of the supported environment variables, or by using a command line parameter. For more information on configuration setting precedence, seeConfiguring settings for the AWS CLI.
For information on setting up your credentials, seeAuthentication and access credentials for the AWS CLI.
Topics
Format of the configuration and credential files
Theconfig andcredentials files are organized into sections. Sections includeprofiles,sso-sessions, andservices. A section is a named collection of settings, and continues until another section definition line is encountered. Multiple profiles and sections can be stored in theconfig andcredentials files.
These files are plaintext files that use the following format:
Section names are enclosed in brackets [ ] such as
[default],[profile, anduser1][sso-session].All entries in a section take the general form of
setting_name=value.Lines can be commented out by starting the line with a hash character (
#).
The config and credentials files contain the following section types:
Section type:profile
Depending on the file, profile section names use the following format:
Config file:
[default][profileuser1]Credentials file:
[default][user1]Donot use the word
profilewhen creating an entry in thecredentialsfile.
Each profile can specify different credentials and can also specify different AWS Regions and output formats. When naming the profile in aconfig file, include the prefix word "profile", but do not include it in thecredentials file.
The following examples show acredentials andconfig file with two profiles, region, and output specified. The first[default] is used when you run a AWS CLI command with no profile specified. The second is used when you run a AWS CLI command with the--profile user1 parameter.
- IAM Identity Center (SSO)
This example is for AWS IAM Identity Center. For more information, seeConfiguring IAM Identity Center authentication with the AWS CLI.
Credentials file
The
credentialsfile is not used for this authentication method.Config file
[default]sso_session =my-ssosso_account_id =111122223333sso_role_name =readOnlyregion =us-west-2output =text[profile user1]sso_session =my-ssosso_account_id =444455556666sso_role_name =readOnlyregion =us-east-1output =json[sso-sessionmy-sso]sso_region =us-east-1sso_start_url =https://my-sso-portal.awsapps.com/startsso_registration_scopes =sso:account:access- IAM Identity Center (Legacy SSO)
This example is for the legacy method of AWS IAM Identity Center. For more information, seeConfiguring IAM Identity Center authentication with the AWS CLI.
Credentials file
The
credentialsfile is not used for this authentication method.Config file
[default]sso_start_url =https://my-sso-portal.awsapps.com/startsso_region =us-east-1sso_account_id =111122223333sso_role_name =readOnlyregion =us-west-2output =text[profile user1]sso_start_url =https://my-sso-portal.awsapps.com/startsso_region =us-east-1sso_account_id =444455556666sso_role_name =readOnlyregion =us-east-1output =json- Short-term credentials
This example is for the short-term credentials from AWS Identity and Access Management. For more information, seeAuthenticating with short-term credentials for the AWS CLI.
Credentials file
[default]aws_access_key_id=ASIAIOSFODNN7EXAMPLEaws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYaws_session_token =IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE[user1]aws_access_key_id=ASIAI44QH8DHBEXAMPLEaws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEYaws_session_token =fcZib3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLEConfig file
[default]region=us-west-2output=json[profile user1]region=us-east-1output=text- IAM role
This example is for assuming an IAM role. Profiles that use IAM roles pull credentials from another profile, and then apply IAM role permissions. In the following examples,
defaultis the source profile for credentials anduser1borrows the same credentials then assumes a new role. For more information, seeUsing an IAM role in the AWS CLI.Credentials file
The
credentialsfile depends on what authentication your source profile uses. For the following example, the source profile uses short-term credentials.[default]aws_access_key_id=ASIAIOSFODNN7EXAMPLEaws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYaws_session_token =IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLEConfig file
[default]region=us-west-2output=json[profile user1]role_arn=arn:aws:iam::777788889999:role/user1rolesource_profile=defaultrole_session_name=session_user1region=us-east-1output=text- Amazon EC2 instance metadata credentials
This example is for the credentials obtained from the hosting Amazon EC2 instance metadata. For more information, seeUsing Amazon EC2 instance metadata as credentials in the AWS CLI.
Credentials file
The
credentialsfile is not used for this authentication method.Config file
[default]role_arn=arn:aws:iam::123456789012:role/defaultrolecredential_source=Ec2InstanceMetadataregion=us-west-2output=json[profile user1]role_arn=arn:aws:iam::777788889999:role/user1rolecredential_source=Ec2InstanceMetadataregion=us-east-1output=text- Long-term credentials
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such asAWS IAM Identity Center.
This example is for the long-term credentials from AWS Identity and Access Management. For more information, seeAuthenticating using IAM user credentials for the AWS CLI.
Credentials file
[default]aws_access_key_id=AKIAIOSFODNN7EXAMPLEaws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY[user1]aws_access_key_id=AKIAI44QH8DHBEXAMPLEaws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEYConfig file
[default]region=us-west-2output=json[profile user1]region=us-east-1output=text
For more information and additional authorization and credential methods see, seeAuthenticating using IAM user credentials for the AWS CLI.
Section type:sso-session
Thesso-session section of theconfig file is used to group configuration variables for acquiring SSO access tokens, which can then be used to acquire AWS credentials. The following settings are used:
(Required)
sso_start_url(Required)
sso_region
You define ansso-session section and associate it to a profile.sso_region andsso_start_url must be set within thesso-session section. Typically,sso_account_id andsso_role_name must be set in theprofile section so that the SDK can request SSO credentials.
The following example configures the SDK to request SSO credentials and supports automated token refresh:
[profiledev]sso_session =my-ssosso_account_id =111122223333sso_role_name =SampleRole[sso-sessionmy-sso]sso_region =us-east-1sso_start_url =https://my-sso-portal.awsapps.com/startThis also allowssso-session configurations to be reused across multiple profiles:
[profiledev]sso_session =my-ssosso_account_id =111122223333sso_role_name =SampleRole[profileprod]sso_session =my-ssosso_account_id =111122223333sso_role_name =SampleRole2[sso-sessionmy-sso]sso_region =us-east-1sso_start_url =https://my-sso-portal.awsapps.com/startHowever,sso_account_id andsso_role_name aren't required for all scenarios of SSO token configuration. If your application only uses AWS services that support bearer authentication, then traditional AWS credentials are not needed. Bearer authentication is an HTTP authentication scheme that uses security tokens called bearer tokens. In this scenario,sso_account_id andsso_role_name aren't required. See the individual guide for your AWS service to determine if it supports bearer token authorization.
Additionally, registration scopes can be configured as part of asso-session. Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes, and the access token issued to the application will be limited to the scopes granted. These scopes define the permissions requested to be authorized for the registered OIDC client and access tokens retrieved by the client. The following example setssso_registration_scopes to provide access for listing accounts/roles:
[sso-sessionmy-sso]sso_region =us-east-1sso_start_url =https://my-sso-portal.awsapps.com/startsso_registration_scopes =sso:account:accessThe authentication token is cached to disk under the~/.aws/sso/cache directory with a filename based on the session name.
For more information on this configuration type, seeConfiguring IAM Identity Center authentication with the AWS CLI.
Section type:services
Theservices section is a group of settings that configures custom endpoints for AWS service requests. A profile then is linked to aservices section.
[profiledev]services =my-servicesTheservices section is separated into subsections by<SERVICE> = lines, where<SERVICE> is the AWS service identifier key. The AWS service identifier is based on the API model’sserviceId by replacing all spaces with underscores and lowercasing all letters. For a list of all service identifier keys to use in theservices section, seeUsing endpoints in the AWS CLI. The service identifier key is followed by nested settings with each on its own line and indented by two spaces.
The following example configures the endpoint to use for requests made to the Amazon DynamoDB service in themy-services section that is used in thedev profile. Any immediately following lines that are indented are included in that subsection and apply to that service.
[profiledev]services =my-services[servicesmy-services]dynamodb = endpoint_url =http://localhost:8000For more information on service-specific endpoints, seeUsing endpoints in the AWS CLI.
If your profile has role-based credentials configured through asource_profile parameter for IAM assume role functionality, the SDK only uses service configurations for the specified profile. It does not use profiles that are role chained to it. For example, using the following sharedconfig file:
[profileA]credential_source =Ec2InstanceMetadataendpoint_url =https://profile-a-endpoint.aws/[profileB]source_profile =Arole_arn =arn:aws:iam::123456789012:role/roleBservices =profileB[servicesprofileB]ec2 = endpoint_url =https://profile-b-ec2-endpoint.aws If you use profileB and make a call in your code to Amazon EC2, the endpoint resolves ashttps://profile-b-ec2-endpoint.aws. If your code makes a request to any other service, the endpoint resolution will not follow any custom logic. The endpoint does not resolve to the global endpoint defined in profileA. For a global endpoint to take effect for profileB, you would need to setendpoint_url directly within profileB.
Where are configuration settings stored?
The AWS CLI stores sensitive credential information that you specify withaws configure in a local file namedcredentials, in a folder named.awsaws configure are stored in a local file namedconfig, also stored in the.aws
You can keep all of your profile settings in a single file as the AWS CLI can read credentials from theconfig file. If there are credentials in both files for a profile sharing the same name, the keys in the credentials file take precedence. We suggest keeping credentials in thecredentials files. These files are also used by the various language software development kits (SDKs). If you use one of the SDKs in addition to the AWS CLI, confirm if the credentials should be stored in their own file.
Where you find your home directory location varies based on the operating system, but is referred to using the environment variables%UserProfile% in Windows and$HOME or~ (tilde) in Unix-based systems. You can specify a non-default location for the files by setting theAWS_CONFIG_FILE andAWS_SHARED_CREDENTIALS_FILE environment variables to another local path. SeeConfiguring environment variables for the AWS CLI for details.
When you use a shared profile that specifies an AWS Identity and Access Management (IAM) role, the AWS CLI calls the AWS STSAssumeRole operation to retrieve temporary credentials. These credentials are then stored (in~/.aws/cli/cache
Using named profiles
If no profile is explicitly defined, thedefault profile is used.
To use a named profile, add the--profile option to your command. The following example lists all of your Amazon EC2 instances using the credentials and settings defined in theprofile-nameuser1 profile.
$aws ec2 describe-instances --profile user1To use a named profile for multiple commands, you can avoid specifying the profile in every command by setting theAWS_PROFILE environment variable as the default profile. You can override this setting by using the--profile parameter.
- Linux or macOS
$export AWS_PROFILE=user1- Windows
C:\>setx AWS_PROFILE user1Using
setto set an environment variable changes the value used until the end of the current command prompt session, or until you set the variable to a different value.Using
setxto set an environment variable changes the value in all command shells that you create after running the command. It doesnot affect any command shell that is already running at the time you run the command. Close and restart the command shell to see the effects of the change.Setting the environment variable changes the default profile until the end of your shell session, or until you set the variable to a different value. You can make environment variables persistent across future sessions by putting them in your shell's startup script. For more information, seeConfiguring environment variables for the AWS CLI.
Set and view configuration settings using commands
There are several ways to view and set your configuration settings using commands.
aws configureRun this command to quickly set and view your credentials, Region, and output format. The following example shows sample values.
$aws configureAWS Access Key ID [None]:AKIAIOSFODNN7EXAMPLEwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYus-west-2jsonaws configure setYou can set any credentials or configuration settings using
aws configure set. Specify the profile that you want to view or modify with the--profilesetting.For example, the following command sets the
regionin the profile namedinteg.$aws configure set regionus-west-2--profileintegTo remove a setting, manually delete the setting in your
configandcredentialsfiles in a text editor.aws configure getYou can retrieve any credentials or configuration settings you've set using
aws configure get. Specify the profile that you want to view or modify with the--profilesetting.For example, the following command retrieves the
regionsetting in the profile namedinteg.$aws configure getregion--profileintegus-west-2If the output is empty, the setting is not explicitly set and uses the default value.
aws configure importImport
CSVcredentials generated from the IAM web console. This is not for credentials generated from IAM Identity Center; customers who use IAM Identity Center should use aws configure sso. A CSV file is imported with the profile name matching the username. The CSV file must contain the following headers.User Name
Access key ID
Secret access key
During initial key pair creation, once you close theDownload .csv file dialog box, you cannot access your secret access key after you close the dialog box. If you need a
.csvfile, you'll need to create one yourself with the required headers and your stored key pair information. If you do not have access to your key pair information, you need to create a new key pair.$aws configure import --csvfile://credentials.csvaws configure listTo list configuration data, use the
aws configure listcommand. This command lists the profile, access key, secret key, and region configuration information used for the specified profile. For each configuration item, it shows the value, where the configuration value was retrieved, and the configuration variable name.For example, if you provide the AWS Region in an environment variable, this command shows you the name of the region you've configured, that this value came from an environment variable, and the name of the environment variable.
For temporary credential methods such as roles and IAM Identity Center, this command displays the temporarily cached access key and secret access key is displayed.
$aws configure listNAME : VALUE : TYPE : LOCATIONprofile : <not set> : None : Noneaccess_key : ****************ABCD : shared-credentials-file : secret_key : ****************ABCD : shared-credentials-file : region : us-west-2 : env : AWS_DEFAULT_REGIONaws configure list-profilesTo list all your profile names, use the
aws configure list-profilescommand.$aws configure list-profilesdefaulttestaws configure ssoRun this command to quickly set and view your AWS IAM Identity Center credentials, Region, and output format. The following example shows sample values.
$aws configure ssoSSO session name (Recommended):my-ssoSSO start URL [None]:https://my-sso-portal.awsapps.com/startSSO region [None]:us-east-1SSO registration scopes [None]:sso:account:accessaws configure sso-sessionRun this command to quickly set and view your AWS IAM Identity Center credentials, Region, and output format in the sso-session section of the
credentialsandconfigfiles. The following example shows sample values.$aws configure sso-sessionSSO session name:my-ssoSSO start URL [None]:https://my-sso-portal.awsapps.com/startSSO region [None]:us-east-1SSO registration scopes [None]:sso:account:accessaws configure export-credentialsRun this command to export currently set credentials in the specified format. By default, the command exports the default credentials in the
processformat, which is a JSON format supported by the AWS SDKs and Tools credential format.$aws configure export-credentials{ "Version": 1, "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}To export a specific profile and format, use the
--profileand--formatoptions. The format options are as follows:(default)
process‐ The JSON format supported by the AWS SDKs and Toolscredential_processconfiguration.env‐ Environment variables in exported shell format.env-no-export‐ Non-exported environment variables in shell format.powershell‐ Environment variables in PowerShell format.windows-cmd‐ Environment variables in Windows Command Line format.
The following example exports the
user1profile to an exported shell format.$aws configure export-credentials--profile user1 --format envexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLEexport AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Setting new configuration and credentials command examples
The following examples show configuring a default profile with credentials, region, and output specified for different authentication methods.
- IAM Identity Center (SSO)
This example is for AWS IAM Identity Center using the
aws configure ssowizard. For more information, seeConfiguring IAM Identity Center authentication with the AWS CLI.$aws configure ssoSSO session name (Recommended):my-ssoSSO start URL [None]:https://my-sso-portal.awsapps.com/startSSO region [None]:us-east-1Attempting to automatically open the SSO authorization page in your default browser.There are 2 AWS accounts available to you.> DeveloperAccount, developer-account-admin@example.com (111122223333) ProductionAccount, production-account-admin@example.com (444455556666)Using the account ID111122223333There are 2 roles available to you.> ReadOnly FullAccessUsing the role name "ReadOnly"CLI default client Region [None]:us-west-2CLI default output format [None]:jsonCLI profile name [123456789011_ReadOnly]:user1- IAM Identity Center (Legacy SSO)
This example is for the legacy method of AWS IAM Identity Center using the
aws configure ssowizard. To use the legacy SSO, leave the session name blank. For more information, seeConfiguring IAM Identity Center authentication with the AWS CLI.$aws configure ssoSSO session name (Recommended):SSO start URL [None]:https://my-sso-portal.awsapps.com/startSSO region [None]:us-east-1SSO authorization page has automatically been opened in your default browser.Follow the instructions in the browser to complete this authorization request.There are 2 AWS accounts available to you.> DeveloperAccount, developer-account-admin@example.com (111122223333) ProductionAccount, production-account-admin@example.com (444455556666)Using the account ID111122223333There are 2 roles available to you.> ReadOnly FullAccessUsing the role name "ReadOnly"CLI default client Region [None]:us-west-2CLI default output format [None]:jsonCLI profile name [123456789011_ReadOnly]:user1- Short-term credentials
This example is for the short-term credentials from AWS Identity and Access Management. The aws configure wizard is used to set initial values and then the
aws configure setcommand assigns the last value needed. For more information, seeAuthenticating with short-term credentials for the AWS CLI.$aws configureAWS Access Key ID [None]:AKIAIOSFODNN7EXAMPLEwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYus-west-2json$aws configure set aws_session_tokenfcZib3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE- IAM role
This example is for assuming an IAM role. Profiles that use IAM roles pull credentials from another profile, and then apply IAM role permissions. In the following examples,
defaultis the source profile for credentials anduser1borrows the same credentials then assumes a new role. There is no wizard for this process, therefore each value is set using theaws configure setcommand. For more information, seeUsing an IAM role in the AWS CLI.$aws configure set role_arnarn:aws:iam::123456789012:role/defaultrole$aws configure set source_profiledefault$aws configure set role_session_namesession_user1$aws configure set regionus-west-2$aws configure set outputjson- Amazon EC2 instance metadata credentials
This example is for the credentials obtained from the hosting Amazon EC2 instance metadata. There is no wizard for this process, therefore each value is set using the
aws configure setcommand. For more information, seeUsing Amazon EC2 instance metadata as credentials in the AWS CLI.$aws configure set role_arnarn:aws:iam::123456789012:role/defaultrole$aws configure set credential_sourceEc2InstanceMetadata$aws configure set regionus-west-2$aws configure set outputjson- Long-term credentials
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such asAWS IAM Identity Center.
This example is for the long-term credentials from AWS Identity and Access Management. For more information, seeAuthenticating using IAM user credentials for the AWS CLI.
$aws configureAWS Access Key ID [None]:AKIAIOSFODNN7EXAMPLEwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYus-west-2json
Supportedconfig file settings
The following settings are supported in theconfig file. The values listed in the specified (or default) profile are used unless they are overridden by the presence of an environment variable with the same name, or a command line option with the same name. For more information on what order settings take precendence, seeConfiguring settings for the AWS CLI
Global settings
account_id_endpoint_modeSpecifies whether to use AWS account-based endpoint IDs for calls to supported AWS services. For more information on account-based endpoints, seeAccount-based endpoints.
This setting can be set to the following:
(default)
preferred– The endpoint should include account ID if available.disabled– A resolved endpoint doesn't include account ID.required– The endpoint must include account ID. If the account ID isn't available, the SDK throws an error.
Can be overridden by the
AWS_ACCOUNT_ID_ENDPOINT_MODEenvironment variable. To use account-based endpoints, the ID must be set in theAWS_ACCOUNT_IDenvironment variable oraws_account_idsetting.account_id_endpoint_mode =preferredEndpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, seeEndpoint configuration and settings precedence.
aws_access_key_idSpecifies the AWS access key used as part of the credentials to authenticate the command request. Although this can be stored in the
configfile, we recommend that you store this in thecredentialsfile.Can be overridden by the
AWS_ACCESS_KEY_IDenvironment variable. You can't specify the access key ID as a command line option.aws_access_key_id =AKIAIOSFODNN7EXAMPLEaws_account_idSpecifies the AWS account-based endpoint ID to use for calls to supported AWS services. For more information on account-based endpoints, seeAccount-based endpoints.
Can be overridden by the
AWS_ACCOUNT_IDenvironment variable. TheAWS_ACCOUNT_ID_ENDPOINT_MODEenvironment variable oraccount_id_endpoint_modesetting must be set topreferredorrequiredto use this setting.aws_account_id =123456789EXAMPLEEndpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, seeEndpoint configuration and settings precedence.
aws_secret_access_keySpecifies the AWS secret key used as part of the credentials to authenticate the command request. Although this can be stored in the
configfile, we recommend that you store this in thecredentialsfile.Can be overridden by the
AWS_SECRET_ACCESS_KEYenvironment variable. You can't specify the secret access key as a command line option.aws_secret_access_key =wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYaws_session_tokenSpecifies an AWS session token. A session token is required only if you manually specify temporary security credentials. Although this can be stored in the
configfile, we recommend that you store this in thecredentialsfile.Can be overridden by the
AWS_SESSION_TOKENenvironment variable. You can't specify the session token as a command line option.aws_session_token =AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4Olgkca_bundleSpecifies a CA certificate bundle (a file with the
.pemextension) that is used to verify SSL certificates.Can be overridden by the
AWS_CA_BUNDLEenvironment variable or the--ca-bundlecommand line option.ca_bundle =dev/apps/ca-certs/cabundle-2019mar05.pemcli_auto_promptEnables the auto-prompt for the AWS CLI version 2. There are two settings that can be used:
onuses the full auto-prompt mode each time you attempt to run anawscommand. This includes pressingENTER after both a complete command or incomplete command.cli_auto_prompt = onon-partialuses partial auto-prompt mode. If a command is incomplete or cannot be run due to client-side validation errors, auto-prompt is used. This mode is particular useful if you have pre-existing scripts, runbooks, or you only want to be auto-prompted for commands you are unfamiliar with rather than prompted on every command.cli_auto_prompt = on-partial
You can override this setting by using the
aws_cli_auto_promptenvironment variable or the--cli-auto-promptand--no-cli-auto-promptcommand line parameters.For information on the AWS CLI version 2 auto-prompt feature, seeEnabling and using command prompts in the AWS CLI.
cli_binary_formatSpecifies how the AWS CLI version 2 interprets binary input parameters. It can be one of the following values:
base64 – This is the default value. An input parameter that is typed as a binary large object (BLOB) accepts a base64-encoded string. To pass true binary content, put the content in a file and provide the file's path and name with the
fileb://prefix as the parameter's value. To pass base64-encoded text contained in a file, provide the file's path and name with thefile://prefix as the parameter's value.raw-in-base64-out – Default for the AWS CLI version 1. If the setting's value is
raw-in-base64-out, files referenced using thefile://prefix is read as text and then the AWS CLI attempts to encode it to binary.
This entry does not have an equivalent environment variable. You can specify the value on a single command by using the
--cli-binary-format raw-in-base64-outparameter.cli_binary_format = raw-in-base64-outIf you reference a binary value in a file using the
fileb://prefix notation, the AWS CLIalways expects the file to contain raw binary content and does not attempt to convert the value.If you reference a binary value in a file using the
file://prefix notation, the AWS CLI handles the file according to the currentcli_binary_formatsetting. If that setting's value isbase64(the default when not explicitly set), the AWS CLI expects the file to contain base64-encoded text. If that setting's value israw-in-base64-out, the AWS CLI expects the file to contain raw binary content.cli_historyDisabled by default. This setting enables command history for the AWS CLI. After enabling this setting, the AWS CLI records the history of
awscommands.cli_history = enabledYou can list your history using the
aws history listcommand, and use the resultingcommand_idsin theaws history showcommand for details. For more information seeaws historyin theAWS CLI reference guide.cli_pagerSpecifies the pager program used for output. By default, AWS CLI version 2 returns all output through your operating system’s default pager program.
Can be overridden by the AWS_PAGER environment variable.
cli_pager=lesscli_timestamp_formatSpecifies the output format of timestamp values. You can specify either of the following values:
iso8601 – The default value for the AWS CLI version 2. If specified, the AWS CLI reformats all timestamps in the output according toISO 8601. ISO 8601 formatted timestamps look like the following examples. The following example demonstrates how the time is formatted by separating the date and time with a
Tand including aZafter the time.YYYY-MM-DDThh:mm:ssZThe following examples shows a timestamp using the previous formatting.
2024-05-08T15:16:43Zwire – The default value for the AWS CLI version 1. If specified, the AWS CLI displays all timestamp values exactly as received in the HTTP query response.
This setting does not have an equivalent environment variable or command line option. This setting does not alter timestamp inputs, only output formatting.
cli_timestamp_format = iso8601credential_processSpecifies an external command that the AWS CLI runs to generate or retrieve authentication credentials to use for this command. The command must return the credentials in a specific format. For more information about how to use this setting, seeSourcing credentials with an external process in the AWS CLI.
This entry does not have an equivalent environment variable or command line option.
credential_process =/opt/bin/awscreds-retriever --username susancredential_sourceUsed within Amazon EC2 instances or containers to specify where the AWS CLI can find credentials to use to assume the role you specified with the
role_arnparameter. You cannot specify bothsource_profileandcredential_sourcein the same profile.This parameter can have one of three values:
Environment – Specifies that the AWS CLI is to retrieve source credentials from environment variables.
Ec2InstanceMetadata – Specifies that the AWS CLI is to use the IAM role attached to theEC2 instance profile to get source credentials.
EcsContainer – Specifies that the AWS CLI is to use the IAM role attached to the ECS container as source credentials.
credential_source = Ec2InstanceMetadataduration_secondsSpecifies the maximum duration of the role session, in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role (which can be a maximum of 43200). This is an optional parameter and by default, the value is set to 3600 seconds.
endpoint_urlSpecifies the endpoint that is used for all service requests. If this setting is used in theservices section of the
configfile, then the endpoint is used only for the specified service. For more information, seeSet global endpoint for all AWS services.The following example uses the global endpoint
http://localhost:1234and a service-specific endpoint ofhttp://localhost:4567for Amazon S3.[profile dev]endpoint_url = http://localhost:1234services = s3-specific[services s3-specific]s3 = endpoint_url = http://localhost:4567Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, seeEndpoint configuration and settings precedence.
ignore_configure_endpoint_urlsIf enabled, the AWS CLI ignores all custom endpoint configurations specified in the
configfile. Valid values aretrueandfalse.ignore_configure_endpoint_urls = trueEndpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, seeEndpoint configuration and settings precedence.
external_idSpecifies a unique identifier that is used by third parties to assume a role in their customers' accounts. This maps to the
ExternalIdparameter in theAssumeRoleoperation. This parameter is needed only if the trust policy for the role specifies a value forExternalId. For more information, seeHow to use an external ID when granting access to your AWS resources to a third party in theIAM User Guide.max_attemptsSpecifies a value of maximum retry attempts the AWS CLI retry handler uses, where the initial call counts toward the
max_attemptsvalue that you provide.You can override this value by using the
AWS_MAX_ATTEMPTSenvironment variable.max_attempts =3mfa_serialThe identification number of an MFA device to use when assuming a role. This is mandatory only if the trust policy of the role being assumed includes a condition that requires MFA authentication. The value can be either a serial number for a hardware device (such as
GAHT12345678) or an Amazon Resource Name (ARN) for a virtual MFA device (such asarn:aws:iam::123456789012:mfa/).useroutputSpecifies the default output format for commands requested using this profile. You can specify any of the following values:
yaml-stream – The output is streamed and formatted as aYAML string. Streaming allows for faster handling of large data types.
text – The output is formatted as multiple lines of tab-separated string values. This can be useful to pass the output to a text processor, like
grep,sed, orawk.table – The output is formatted as a table using the characters +|- to form the cell borders. It typically presents the information in a "human-friendly" format that is much easier to read than the others, but not as programmatically useful.
Can be overridden by the
AWS_DEFAULT_OUTPUTenvironment variable or the--outputcommand line option.output =tableparameter_validationSpecifies whether the AWS CLI client attempts to validate parameters before sending them to the AWS service endpoint.
true – This is the default value. If specified, the AWS CLI performs local validation of command line parameters.
false – If specified, the AWS CLI does not validate command line parameters before sending them to the AWS service endpoint.
This entry does not have an equivalent environment variable or command line option.
parameter_validation = falseregionSpecifies the AWS Region to send requests to for commands requested using this profile.
You can specify any of the Region codes available for the chosen service as listed inAWS Regions and Endpoints in theAmazon Web Services General Reference.
aws_globalenables you to specify the global endpoint for services that support a global endpoint in addition to Regional endpoints, such as AWS Security Token Service (AWS STS) and Amazon Simple Storage Service (Amazon S3).
You can override this value by using the
AWS_REGIONenvironment variable,AWS_DEFAULT_REGIONenvironment variable, or the--regioncommand line option.region =us-west-2request_checksum_calculationSpecifies when a checksum is calculated for request payloads, and has the following options:
when_supported–(Default) The request payload checksum is calculated when an operation either specifies a checksum algorithm in its service model or requires request checksums.when_required– The request payload checksum is calculated when an operation requires request checksums or when a user provides arequestAlgorithmMemberthat is modeled by the AWS service.
request_checksum_calculation =when_supportedThe environment variableAWS_REQUEST_CHECKSUM_CALCULATION overrides this setting.
response_checksum_validationSpecifies when checksum validation is performed for response payloads, and has the following options:
when_supported–(Default) The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports.when_required– The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports, and you set the modeledrequestValidationModeMembertoENABLEDin the operation input.
response_checksum_validation =when_supportedThe environment variableAWS_RESPONSE_CHECKSUM_VALIDATION overrides this setting.
retry_modeSpecifies which retry mode AWS CLI uses. There are three retry modes available:
standard(default),legacy(default), andadaptive. For more information on retries, seeAWS CLI retries in the AWS CLI.You can override this value by using the
AWS_RETRY_MODEenvironment variable.retry_mode =standardrole_arnSpecifies the Amazon Resource Name (ARN) of an IAM role that you want to use to run the AWS CLI commands. You must also specify one of the following parameters to identify the credentials that have permission to assume this role:
source_profile
credential_source
role_arn = arn:aws:iam::123456789012:role/role-nameThe environment variableAWS_ROLE_ARN overrides this setting.
For more information on using web identities, seeAssume role with web identity.
role_session_nameSpecifies the name to attach to the role session. This value is provided to the
RoleSessionNameparameter when the AWS CLI calls theAssumeRoleoperation, and becomes part of the assumed role user ARN:arn:aws:sts::. This is an optional parameter. If you do not provide this value, a session name is generated automatically. This name appears in AWS CloudTrail logs for entries associated with this session.123456789012:assumed-role/role_name/role_session_namerole_session_name =maria_garcia_roleThe environment variableAWS_ROLE_SESSION_NAME overrides this setting.
For more information on using web identities, seeAssume role with web identity.
servicesSpecifies the service configuration to use for your profile.
[profiledev-s3-specific-and-global]endpoint_url =http://localhost:1234services =s3-specific[servicess3-specific]s3 = endpoint_url =http://localhost:4567For more information on the
servicessection, seeSection type: services.The environment variableAWS_ROLE_SESSION_NAME overrides this setting.
For more information on using web identities, seeAssume role with web identity.
sdk_ua_app_idA single AWS account can be used by multiple customer applications to make calls to AWS services. Application ID identifies which source application made a set of calls using an AWS service. AWS SDKs and services don't use or interpret this value other than to surface it back in customer communications. For example, this value can be included in operational emails to uniquely identify which of your applications is associated with the notification.
The Application ID is a string with maximum length of 50 characters. Letters, numbers and the following special characters are allowed:
! $ % & * + - . , ^ _ ` | ~By default, no value is assigned.sdk_ua_app_id =prod1This setting can be overwritten by using theAWS_SDK_UA_APP_ID environment variable. You can't set this value as a command line parameter.
sigv4a_signing_region_setSpecifies the regions to use when signing with SigV4a using a comma-delimited list. If this variable is not set, the AWS CLI uses the default used by the AWS service. If the AWS service has no default, the request signature becomes valid in all regions using a value of
*.sigv4a_signing_region_set =us-west-2, us-east-1For more information on SigV4a, seeAWS Signature Version 4 for API requests in theIAM User Guide
This setting can be overwritten by using theAWS_SIGV4A_SIGNING_REGION_SET environment variable. You can't set this value as a command line parameter.
source_profileSpecifies a named profile with long-term credentials that the AWS CLI can use to assume a role that you specified with the
role_arnparameter. You cannot specify bothsource_profileandcredential_sourcein the same profile.source_profile =production-profilesso_account_idSpecifies the AWS account ID that contains the IAM role with the permission that you want to grant to the associated IAM Identity Center user.
This setting does not have an environment variable or command line option.
sso_account_id = 123456789012sso_regionSpecifies the AWS Region that contains the AWS access portal host. This is separate from, and can be a different Region than the default CLI
regionparameter.This setting does not have an environment variable or command line option.
sso_region = us_west-2sso_registration_scopesA comma-delimited list of scopes to be authorized for the
sso-session. Scopes authorize access to IAM Identity Center bearer token authorized endpoints. A valid scope is a string, such assso:account:access. This setting isn't applicable to the legacy non-refreshable configuration.sso_registration_scopes = sso:account:accesssso_role_nameSpecifies the friendly name of the IAM role that defines the user's permissions when using this profile.
This setting does not have an environment variable or command line option.
sso_role_name = ReadAccesssso_start_urlSpecifies the URL that points to the organization's AWS access portal. The AWS CLI uses this URL to establish a session with the IAM Identity Center service to authenticate its users. To find your AWS access portal URL, use one of the following:
Open your invitation email, the AWS access portal URL is listed.
Open the AWS IAM Identity Center console athttps://console.aws.amazon.com/singlesignon/. The AWS access portal URL is listed in your settings.
This setting does not have an environment variable or command line option.
sso_start_url =https://my-sso-portal.awsapps.com/startuse_dualstack_endpointEnables the use of dual-stack endpoints to send AWS requests. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, seeUsing Amazon S3 dual-stack endpoints in theAmazon Simple Storage Service User Guide. Dual-stack endpoints are available for some services in some regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. Valid settings are
trueandfalse. This is disabled by default. For more information, seeSet to use dual-stack endpoints for all AWS services.This is mutually exclusive with the
use_accelerate_endpointsetting.Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, seeEndpoint configuration and settings precedence.
use_fips_endpointSome AWS services offer endpoints that supportFederal Information Processing Standard (FIPS) 140-2 in some AWS Regions. When the AWS service supports FIPS, this setting specifies what FIPS endpoint the AWS CLI should use . Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that complies with FIPS 140-2. These endpoints might be required by enterprises that interact with the United States government. For more information see,Set to use FIPs endpoints for all AWS services.
If this setting is enabled, but a FIPS endpoint does not exist for the service in your AWS Region, the AWS command may fail. In this case, manually specify the endpoint to use in the command using the
--endpoint-urloption or useservice-specific endpoints.Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, seeEndpoint configuration and settings precedence.
web_identity_token_fileSpecifies the path to a file that contains an OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. The AWS CLI loads the contents of this file and passes it as the
WebIdentityTokenargument to theAssumeRoleWithWebIdentityoperation.The environment variable
AWS_WEB_IDENTITY_TOKEN_FILEoverrides this setting.For more information on using web identities, seeAssume role with web identity.
tcp_keepaliveSpecifies whether the AWS CLI client uses TCP keep-alive packets.
This entry does not have an equivalent environment variable or command line option.
tcp_keepalive = false
S3 Custom command settings
Amazon S3 supports several settings that configure how the AWS CLI performs Amazon S3 operations. Some apply to all S3 commands in both thes3api ands3 namespaces. Others are specifically for the S3 "custom" commands that abstract common operations and do more than a one-to-one mapping to an API operation. Theaws s3 transfer commandscp,sync,mv, andrm have additional settings you can use to control S3 transfers.
All of these options can be configured by specifying thes3 nested setting in yourconfig file. Each setting is then indented on its own line.
These settings are entirely optional. You should be able to successfully use theaws s3 transfer commands without configuring any of these settings. These settings are provided to enable you to tune for performance or to account for the specific environment where you are running theseaws s3 commands.
These settings are all set under a top-levels3 key in theconfig file, as shown in the following example for thedevelopment profile.
[profile development]s3 = max_concurrent_requests = 20 max_queue_size = 10000 multipart_threshold = 64MB multipart_chunksize = 16MB max_bandwidth = 50MB/s use_accelerate_endpoint = true addressing_style = pathThe following settings apply to any S3 command in thes3 ors3api namespaces.
addressing_styleSpecifies which addressing style to use. This controls whether the bucket name is in the hostname or is part of the URL. Valid values are:
path,virtual, andauto. The default value isauto.There are two styles of constructing an Amazon S3 endpoint. The first is called
virtualand includes the bucket name as part of the hostname. For example:https://. Alternatively, with thebucketname.s3.amazonaws.compathstyle, you treat the bucket name as if it is a path in the URI; for example,https://s3.amazonaws.com/. The default value in the CLI is to usebucketnameauto, which attempts to use thevirtualstyle where it can, but will fall back topathstyle when required. For example, if your bucket name is not DNS compatible, the bucket name cannot be part of the hostname and must be in the path. Withauto, the CLI will detect this condition and automatically switch topathstyle for you. If you set the addressing style topath, you must then ensure that the AWS Region you configured in the AWS CLI matches the Region of your bucket.payload_signing_enabledSpecifies whether to SHA256 sign sigv4 payloads. By default, this is disabled for streaming uploads (
UploadPartandPutObject) when using HTTPS. By default, this is set tofalsefor streaming uploads (UploadPartandPutObject), but only if aContentMD5is present (it is generated by default) and the endpoint uses HTTPS.If set to true, S3 requests receive additional content validation in the form of a SHA256 checksum which is calculated for you and included in the request signature. If set to false, the checksum isn't calculated. Disabling this can be useful to reduce the performance overhead created by the checksum calculation.
use_accelerate_endpointUse the Amazon S3 Accelerate endpoint for all
s3ands3apicommands. The default value is false. This is mutually exclusive with theuse_dualstack_endpointsetting.If set to true, the AWS CLI directs all Amazon S3 requests to the
S3 Accelerateendpoint ats3-accelerate.amazonaws.com. To use this endpoint, you must enable your bucket to useS3 Accelerate. All requests are sent using the virtual style of bucket addressing:my-bucket.s3-accelerate.amazonaws.comListBuckets,CreateBucket, andDeleteBucketrequests aren't sent to the S3 Accelerate endpoint as that endpoint doesn't support those operations. This behavior can also be set if the--endpoint-urlparameter is set tohttps://s3-accelerate.amazonaws.comorhttp://s3-accelerate.amazonaws.comfor anys3ors3apicommand.use_dualstack_endpointEnables the use of dual-stack endpoints to send
s3ands3apirequests. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, seeUsing Amazon S3 dual-stack endpoints in theAmazon Simple Storage Service User Guide. Dual-stack endpoints are available for some services in some regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. Valid settings aretrueandfalse. This is disabled by default. For more information, seeSet to use dual-stack endpoints for all AWS services.This is mutually exclusive with the
use_accelerate_endpointsetting.
The following settings apply only to commands in thes3 namespace command set.
max_bandwidthSpecifies the maximum bandwidth that can be consumed for uploading and downloading data to and from Amazon S3. The default is no limit.
This limits the maximum bandwidth that the S3 commands can use to transfer data to and from Amazon S3. This value applies to only uploads and downloads; it doesn't apply to copies or deletes. The value is expressed as bytes per second. The value can be specified as:
An integer. For example,
1048576sets the maximum bandwidth usage to 1 megabyte per second.An integer followed by a rate suffix. You can specify rate suffixes using:
KB/s,MB/s, orGB/s. For example,300KB/s,10MB/s.
In general, we recommend that you first try to lower bandwidth consumption by lowering
max_concurrent_requests. If that doesn't adequately limit bandwidth consumption to the desired rate, you can use themax_bandwidthsetting to further limit bandwidth consumption. This is becausemax_concurrent_requestscontrols how many threads are currently running. If you instead first lowermax_bandwidthbut leave a highmax_concurrent_requestssetting, it can result in threads having to wait unnecessarily. This can lead to excess resource consumption and connection timeouts.max_concurrent_requestsSpecifies the maximum number of concurrent requests. The default value is 10.
The
aws s3transfer commands are multithreaded. At any given time, multiple Amazon S3 requests can be running. For example, when you use the commandaws s3 cp localdir s3://bucket/ --recursiveto upload files to an S3 bucket, the AWS CLI can upload the fileslocaldir/file1,localdir/file2, andlocaldir/file3in parallel. The settingmax_concurrent_requestsspecifies the maximum number of transfer operations that can run at the same time.You might need to change this value for a few reasons:
Decreasing this value – On some environments, the default of 10 concurrent requests can overwhelm a system. This can cause connection timeouts or slow the responsiveness of the system. Lowering this value makes the S3 transfer commands less resource intensive. The tradeoff is that S3 transfers can take longer to complete. Lowering this value might be necessary if you use a tool to limit bandwidth.
Increasing this value – In some scenarios, you might want the Amazon S3 transfers to complete as quickly as possible, using as much network bandwidth as necessary. In this scenario, the default number of concurrent requests might not be sufficient to use all of the available network bandwidth. Increasing this value can improve the time it takes to complete an Amazon S3 transfer.
max_queue_sizeSpecifies the maximum number of tasks in the task queue. The default value is 1000.
The AWS CLI internally uses a model where it queues up Amazon S3 tasks that are then executed by consumers whose numbers are limited by
max_concurrent_requests. A task generally maps to a single Amazon S3 operation. For example, a task could be aPutObjectTask, or aGetObjectTask, or anUploadPartTask. The rate at which tasks are added to the queue can be much faster than the rate at which consumers finish the tasks. To avoid unbounded growth, the task queue size is capped to a specific size. This setting changes the value of that maximum number.You generally don't need to change this setting. This setting also corresponds to the number of tasks that the AWS CLI is aware of that need to be run. This means that by default the AWS CLI can only see 1000 tasks ahead. Increasing this value means that the AWS CLI can more quickly know the total number of tasks needed, assuming that the queuing rate is quicker than the rate of task completion. The tradeoff is that a larger max_queue_size requires more memory.
multipart_chunksizeSpecifies the chunk size that the AWS CLI uses for multipart transfers of individual files. The default value is 8 MB, with a minimum of 5 MB.
When a file transfer exceeds the
multipart_threshold, the AWS CLI divides the file into chunks of this size. This value can be specified using the same syntax asmultipart_threshold, either as the number of bytes as an integer, or by using a size and a suffix.multipart_thresholdSpecifies the size threshold the AWS CLI uses for multipart transfers of individual files. The default value is 8 MB.
When uploading, downloading, or copying a file, the Amazon S3 commands switch to multipart operations if the file exceeds this size. You can specify this value in one of two ways:
The file size in bytes. For example,
1048576.The file size with a size suffix. You can use
KB,MB,GB, orTB. For example:10MB,1GB.S3 can impose constraints on valid values that can be used for multipart operations. For more information, see theS3 Multipart Upload documentation in theAmazon Simple Storage Service User Guide.
