How to find the AWS CLI credentials file

Finding the active AWS CLI credentials file matters before rotating access keys, removing stale profiles, or checking why one shell authenticates differently from another.

The AWS CLI reads long-term access keys from a shared plaintext credentials file and keeps most non-secret defaults, such as region and output format, in the separate config file. By default the shared credentials file is ~/.aws/credentials on Linux and macOS and %USERPROFILE%\.aws\credentials on Windows, but the CLI can be pointed at another file instead.

The effective path changes when AWS_SHARED_CREDENTIALS_FILE is set, and some sessions never read the shared credentials file at all because they use environment variables, IAM Identity Center, role assumption, or instance or task metadata instead. The steps below confirm both the file location and whether the current shell is actually sourcing credentials from that file.

Related: How to find the AWS CLI config file
Related: How to use environment variables in AWS CLI

Steps to find the AWS CLI credentials file:

  1. Print the effective shared credentials path for the current shell. 
    $ printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
/home/user/.aws/credentials

    On Windows, the default shared credentials path is %USERPROFILE%\.aws\credentials when AWS_SHARED_CREDENTIALS_FILE is not set.

  2. Check whether an environment override is redirecting the CLI to a non-default file. 
    $ printenv AWS_SHARED_CREDENTIALS_FILE
/opt/project/aws-credentials

    No output usually means the default path from the previous step is in effect.

    Related: How to use environment variables in AWS CLI

  3. Verify that the resolved file exists and that its permissions are still restricted. 
    $ ls -l "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
-rw-------  1 user  user  232 Mar 29 09:10 /home/user/.aws/credentials

    A No such file or directory result means the shared credentials file has not been created at that path, or the current session is using another credential source instead.

  4. Inspect the file to confirm the stored profile sections. 
    $ sed -n '1,20p' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
[default]
aws_access_key_id = AKIAEXAMPLECORE00001
aws_secret_access_key = coreSecretExample0000000000000000000000001

[docs]
aws_access_key_id = AKIAEXAMPLECORE00001
aws_secret_access_key = coreSecretExample0000000000000000000000001

    The shared credentials file contains plaintext secrets, so keep file permissions tight and avoid pasting real values into terminals, tickets, or chat logs.

  5. List the profile names that the AWS CLI can currently discover from the shared files. 
    $ aws configure list-profiles
default
docs

    If an expected profile is missing, re-check the resolved file path and confirm the section header in credentials matches the intended profile name exactly.

  6. Check which source the current shell is using for credentials before assuming the shared file is active. 
    $ aws configure list
NAME       : VALUE                    : TYPE             : LOCATION
profile    : <not set>                : None             : None
access_key : ****************MPLE     : shared-credentials-file : 
secret_key : ****************EKEY     : shared-credentials-file : 
region     : <not set>                : None             : None

    If the TYPE column for access_key and secret_key is shared-credentials-file, the session is reading credentials from the file located in the earlier steps.

    Current AWS CLI output may leave the LOCATION column blank for credentials coming from the shared file, so the TYPE column is the more reliable indicator here.

    Related: How to find the AWS CLI config file
    Related: How to use environment variables in AWS CLI