Environment variables make it possible to change how the AWS CLI authenticates and which Region it targets without rewriting the shared profile files under ~/.aws. That is useful for short-lived automation, temporary credential handoffs, and account-sensitive shells where changing the stored default profile would leave persistent state behind.
The AWS CLI resolves settings from multiple sources, and the order matters. Current AWS documentation puts command-line options first, environment variables second, and shared credentials or config files after that, so values such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_PROFILE, AWS_REGION, AWS_DEFAULT_REGION, AWS_CONFIG_FILE, and AWS_SHARED_CREDENTIALS_FILE can redirect the active runtime behavior without editing stored profiles.
These exports apply to the current shell and every child process launched from it, so copied credentials can leak into shell history, process environments, or later commands if they are left behind. Temporary credentials from STS also require AWS_SESSION_TOKEN. The examples below use POSIX shell syntax on Linux and macOS; the same AWS variables can be set from PowerShell or Command Prompt with shell-native syntax.
$ aws configure list
NAME : VALUE : TYPE : LOCATION
profile : <not set> : None : None
access_key : ****************0001 : shared-credentials-file :
secret_key : ****************0001 : shared-credentials-file :
region : us-east-1 : config-file : ~/.aws/config
The TYPE and LOCATION columns show whether the active shell is using stored profile files, exported variables, or explicit command-line options.
$ export AWS_ACCESS_KEY_ID=AKIAEXAMPLEENV00001
$ export AWS_SECRET_ACCESS_KEY=envSecretExample000000000000000000000001
$ export AWS_REGION=us-west-2
Environment exports are inherited by child processes, so avoid leaving live credentials in long-running terminals, shared shells, or copied shell history.
$ aws configure list
NAME : VALUE : TYPE : LOCATION
profile : <not set> : None : None
access_key : ****************0001 : env :
secret_key : ****************0001 : env :
region : us-west-2 : env : ['AWS_REGION', 'AWS_DEFAULT_REGION']
When the region row shows env, the current shell is overriding any saved region value from ~/.aws/config.
$ export AWS_SESSION_TOKEN='IQoJb3JpZ2luX2VjEHkaCXVzLXdlc3QtMiJGMEQCH3F6dXhBZXhhbXBsZVNlc3Npb25Ub2tlbgIhAJk0ZXhhbXBsZVNlc3Npb25Ub2tlblN0cmluZw=='
Temporary credentials remain incomplete until the session token is set alongside AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
$ unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
$ unset AWS_REGION AWS_DEFAULT_REGION
$ export AWS_PROFILE=audit
$ aws configure list
NAME : VALUE : TYPE : LOCATION
profile : audit : env : ['AWS_PROFILE', 'AWS_DEFAULT_PROFILE']
access_key : ****************0001 : shared-credentials-file :
secret_key : ****************0001 : shared-credentials-file :
region : ap-southeast-1 : config-file : ~/.aws/config
AWS_PROFILE changes the default profile for the current shell, but exported raw credential variables still take precedence until they are unset. Use --profile instead when only one command should change.
$ mkdir -p /tmp/aws-env-demo
$ cat > /tmp/aws-env-demo/config <<'EOF'
[profile audit]
region = ap-southeast-1
output = yaml
EOF
$ cat > /tmp/aws-env-demo/credentials <<'EOF'
[audit]
aws_access_key_id = AKIAEXAMPLEAUDIT001
aws_secret_access_key = auditSecretExample000000000000000000001
EOF
$ chmod 600 /tmp/aws-env-demo/config /tmp/aws-env-demo/credentials
Task-local files help keep throwaway automation, customer-specific access, and testing sessions separated from the normal shared AWS CLI files.
$ export AWS_CONFIG_FILE=/tmp/aws-env-demo/config
$ export AWS_SHARED_CREDENTIALS_FILE=/tmp/aws-env-demo/credentials
$ export AWS_PROFILE=audit
$ aws configure list
NAME : VALUE : TYPE : LOCATION
profile : audit : env : ['AWS_PROFILE', 'AWS_DEFAULT_PROFILE']
access_key : ****************0001 : shared-credentials-file :
secret_key : ****************0001 : shared-credentials-file :
region : ap-southeast-1 : config-file : /tmp/aws-env-demo/config
AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE change where the CLI reads profile data, while AWS_PROFILE still decides which profile section to use.
$ AWS_DEFAULT_REGION=us-west-2 AWS_REGION=eu-central-1 aws configure list
NAME : VALUE : TYPE : LOCATION
profile : audit : env : ['AWS_PROFILE', 'AWS_DEFAULT_PROFILE']
access_key : ****************0001 : shared-credentials-file :
secret_key : ****************0001 : shared-credentials-file :
region : eu-central-1 : env : ['AWS_REGION', 'AWS_DEFAULT_REGION']
AWS_REGION overrides both AWS_DEFAULT_REGION and the profile's stored region value, while an explicit --region flag still overrides the environment.
$ unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
$ unset AWS_PROFILE AWS_REGION AWS_DEFAULT_REGION
$ unset AWS_CONFIG_FILE AWS_SHARED_CREDENTIALS_FILE
$ rm -rf /tmp/aws-env-demo
$ env | grep '^AWS_' || true
Cleaning up prevents later shells, scripts, or pasted command blocks from reusing stale credentials, the wrong profile, or the wrong Region unexpectedly.
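The override rules covered above (raw keys over AWS_PROFILE, AWS_REGION over AWS_DEFAULT_REGION, a session token required for temporary credentials, owner-only credentials files) can be checked in one pass before running commands. This is an added example, not part of the original article or of AWS tooling; the names aws_env_audit and _aws_note and the demo values are constructed, and it relies on STS access key IDs starting with ASIA.

```shell
#!/bin/sh
# Added example: flag AWS_* variables in the current shell that hit the
# precedence pitfalls described in this article. Prints variable names and
# non-secret values only; returns 1 when anything was found, 0 when clean.
_aws_note() { printf '%s\n' "$1"; _aws_findings=$((_aws_findings + 1)); }

aws_env_audit() {
    _aws_findings=0
    _key=${AWS_ACCESS_KEY_ID:-} _secret=${AWS_SECRET_ACCESS_KEY:-}
    _token=${AWS_SESSION_TOKEN:-}
    # An access key without its secret (or the reverse) is a partial export.
    if [ -n "$_key" ] && [ -z "$_secret" ]; then
        _aws_note "PARTIAL: AWS_ACCESS_KEY_ID set without AWS_SECRET_ACCESS_KEY"
    elif [ -z "$_key" ] && [ -n "$_secret" ]; then
        _aws_note "PARTIAL: AWS_SECRET_ACCESS_KEY set without AWS_ACCESS_KEY_ID"
    fi
    # STS access key IDs start with ASIA and are incomplete without the token.
    case $_key in
        ASIA*) [ -n "$_token" ] ||
            _aws_note "INCOMPLETE: temporary key (ASIA...) without AWS_SESSION_TOKEN" ;;
    esac
    # A token left behind after the keys were unset is stale state.
    if [ -n "$_token" ] && [ -z "$_key" ]; then
        _aws_note "STALE: AWS_SESSION_TOKEN set without AWS_ACCESS_KEY_ID"
    fi
    # Raw credential variables take precedence over AWS_PROFILE until unset.
    if [ -n "$_key" ] && [ -n "${AWS_PROFILE:-}" ]; then
        _aws_note "SHADOWED: AWS_PROFILE=$AWS_PROFILE is ignored while access keys are set"
    fi
    # AWS_REGION overrides AWS_DEFAULT_REGION when both are set.
    if [ -n "${AWS_REGION:-}" ] && [ -n "${AWS_DEFAULT_REGION:-}" ] &&
       [ "$AWS_REGION" != "$AWS_DEFAULT_REGION" ]; then
        _aws_note "CONFLICT: AWS_REGION=$AWS_REGION overrides AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION"
    fi
    # A redirected credentials file should exist and be readable by its owner only.
    _f=${AWS_SHARED_CREDENTIALS_FILE:-}
    if [ -n "$_f" ] && [ ! -f "$_f" ]; then
        _aws_note "MISSING: AWS_SHARED_CREDENTIALS_FILE points to a file that does not exist"
    elif [ -n "$_f" ] && [ -n "$(find -H "$_f" \( -perm -040 -o -perm -004 \))" ]; then
        _aws_note "EXPOSED: AWS_SHARED_CREDENTIALS_FILE is readable by group or others"
    fi
    [ "$_aws_findings" -eq 0 ]
}

# Constructed demo values (not real credentials), confined to a subshell.
( export AWS_PROFILE=audit AWS_ACCESS_KEY_ID=ASIAEXAMPLEDEMO00001 \
         AWS_SECRET_ACCESS_KEY=demoSecretExample
  unset AWS_SESSION_TOKEN
  aws_env_audit ) || true
```

Source the file and run aws_env_audit in the shell you are about to use; a clean shell prints nothing and returns 0.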