Deleting an unused AWS CLI profile reduces the chance that a routine command lands in the wrong account, role, or environment. That matters on admin workstations, CI shells, and shared terminals where an old profile name can still be selected long after its credentials should have been retired.
The AWS CLI stores named-profile data across the shared ~/.aws/config and ~/.aws/credentials files, and aws configure list-profiles builds its inventory from both. A cleanup therefore needs to remove the matching [profile legacy] section from the config file and the [legacy] section from the credentials file when both exist.
Current AWS CLI releases provide discovery commands such as aws configure list-profiles and aws configure list, but not a supported profile-delete subcommand. Role-based profiles can still depend on source_profile, and shell variables such as AWS_PROFILE or AWS_DEFAULT_PROFILE can keep pointing at the deleted name, so the safest workflow is inspect, back up, remove, and verify.
$ aws configure list-profiles
default
legacy
audit
aws configure list-profiles shows names discovered from both shared files, so a profile can still appear even if it was removed from only config or only credentials. Deleting default also changes any command that does not pass --profile explicitly.
$ printf 'config=%s\ncredentials=%s\n' \
"${AWS_CONFIG_FILE:-$HOME/.aws/config}" \
"${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
config=/home/user/.aws/config
credentials=/home/user/.aws/credentials
The environment-variable paths above override the normal defaults. On Windows, the default locations are %USERPROFILE%\.aws\config and %USERPROFILE%\.aws\credentials when those variables are unset.
$ aws configure list --profile legacy
NAME       : VALUE                : TYPE                    : LOCATION
profile    : legacy               : manual                  : --profile
access_key : ****************MPLE : shared-credentials-file :
secret_key : ****************mple : shared-credentials-file :
region     : us-west-2            : config-file             : ~/.aws/config
The TYPE column is the quickest way to confirm whether the profile still reads from the shared credentials file, the shared config file, or another source.
$ grep -nF "source_profile = legacy" "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
24:source_profile = legacy
Update or remove any dependent role profile before deleting legacy, or later role-assumption commands fail because their source profile no longer exists.
$ [ -f "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" ] && cp -p "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}.bak"
$ [ -f "${AWS_CONFIG_FILE:-$HOME/.aws/config}" ] && cp -p "${AWS_CONFIG_FILE:-$HOME/.aws/config}" "${AWS_CONFIG_FILE:-$HOME/.aws/config}.bak"
A profile backed by IAM Identity Center, role assumption, or credential_process can exist only in the config file, so a missing credentials backup does not mean the profile was already removed.
$ nano "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
Remove the full [legacy] block, including any aws_access_key_id, aws_secret_access_key, and aws_session_token lines. Named entries in the credentials file do not use the word profile in the header.
$ nano "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
Remove the full [profile legacy] block, including settings such as region, output, role_arn, source_profile, credential_process, sso_session, or related sso_* values that belong only to that profile.
Do not delete a shared [sso-session name] block unless no remaining profile still references that session.
$ unset AWS_PROFILE AWS_DEFAULT_PROFILE
If a shell startup file, CI job, or wrapper script exports the deleted profile name, update that reference as part of the same cleanup so the old selection does not return in the next session.
$ aws configure list-profiles
default
audit
$ AWS_PROFILE=legacy aws configure list
aws: [ERROR]: The config profile (legacy) could not be found
NAME    : VALUE  : TYPE : LOCATION
profile : legacy : env  : ['AWS_PROFILE', 'AWS_DEFAULT_PROFILE']
The first command confirms the profile name is gone from the active shared files, and the second confirms the CLI now treats legacy as an invalid selection even when a shell variable tries to force it.
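The dependency check, backup, and section removal described above can also be done without an editor. The following POSIX shell functions are an added example, not part of the original page or of the AWS CLI; the function names are hypothetical, and the code assumes plain INI files with one section header per line.

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not AWS CLI commands.

# Print FILE ($1) without the section whose header is exactly [$2].
strip_section() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ {                      # every header starts a new block
            hdr = $0
            gsub(/^[ \t]+|[ \t]+$/, "", hdr)
            skip = (hdr == want)
        }
        !skip                              # print lines outside the target block
    ' "$1"
}

# Print headers of profiles in FILE ($1) whose source_profile is NAME ($2).
dependents_of() {
    awk -v name="$2" '
        /^[ \t]*\[/ { hdr = $0 }
        /^[ \t]*source_profile[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val == name) print hdr
        }
    ' "$1"
}

# Back up FILE ($1) to FILE.bak, then rewrite FILE in place without [$2].
# Writing into the existing file keeps its mode and ownership.
backup_and_strip() {
    [ -f "$1" ] || return 0
    cp -p "$1" "$1.bak" && strip_section "$1.bak" "$2" > "$1"
}

delete_profile() {
    name=$1
    cfg=${AWS_CONFIG_FILE:-$HOME/.aws/config}
    creds=${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}
    users=""
    [ -f "$cfg" ] && users=$(dependents_of "$cfg" "$name")
    if [ -n "$users" ]; then
        echo "refusing: source_profile = $name is still used by: $users" >&2
        return 1
    fi
    cfgsec="profile $name"
    [ "$name" = default ] && cfgsec=default   # config uses [default], not [profile default]
    backup_and_strip "$cfg" "$cfgsec"
    backup_and_strip "$creds" "$name"
}
```

The .bak copies still contain the removed keys, so delete them once the verification commands pass.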