Finding the active AWS CLI config file matters before changing the default Region, output format, retry behavior, role settings, or IAM Identity Center profile data. Editing the wrong file leaves commands reading stale values and makes profile troubleshooting harder than it needs to be.
The AWS CLI reads shared configuration from a plaintext file named config inside the local .aws directory for the current user context. That file usually stores non-secret settings such as region, output, named profile blocks, role settings, and sso_* entries, while long-term access keys usually live in the separate shared credentials file.
The default config path is ~/.aws/config on Linux and macOS and %USERPROFILE%\.aws\config on Windows, but AWS_CONFIG_FILE can redirect the CLI to another local path. A missing file can be normal in a new environment or when commands rely on environment variables instead of profile files, and a different home directory changes the default location as well.
Steps to find the AWS CLI config file:
- Print the effective config path for the current shell, falling back to the default home-directory location when AWS_CONFIG_FILE is unset.
$ printf '%s\n' "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
/home/user/.aws/config
On Windows, the default path is %USERPROFILE%\.aws\config unless AWS_CONFIG_FILE overrides it.
- Check whether the current shell is overriding the default path explicitly.
$ printenv AWS_CONFIG_FILE
/opt/project/aws-config
No output means the CLI is still using the default path from the previous step.
- Verify that the resolved file exists before opening it.
$ ls -l "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
-rw------- 1 user user 82 Mar 29 09:10 /home/user/.aws/config
A No such file or directory result usually means the config file has not been created yet or the override points somewhere else.
- Inspect the file contents to confirm that the path is the shared AWS CLI config file.
$ sed -n '1,40p' "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
[default]
region = ap-southeast-1
output = json
[profile audit]
region = us-east-1
output = table
The shared config file uses [default] and [profile name] headers. Role settings, IAM Identity Center settings, and other profile options live here, while long-term keys usually stay in the shared credentials file.
- Ask the CLI which file supplied the active profile settings by reading the LOCATION column in aws configure list.
$ aws configure list
NAME : VALUE : TYPE : LOCATION
profile : <not set> : None : None
access_key : <not set> : None : None
secret_key : <not set> : None : None
region : ap-southeast-1 : config-file : ~/.aws/config
The LOCATION column shows the path for values that actually came from the config file. When AWS_CONFIG_FILE points elsewhere, the same column shows that custom absolute path instead of ~/.aws/config, while rows showing None are unset or coming from another source.
- Repeat the location check with --profile when the target settings belong to a named profile.
$ aws configure list --profile audit
NAME : VALUE : TYPE : LOCATION
profile : audit : manual : --profile
access_key : <not set> : None : None
secret_key : <not set> : None : None
region : us-east-1 : config-file : ~/.aws/config
The profile selector changes which section is read, but the LOCATION column still identifies the shared config file backing that profile.
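The path, existence, and content checks from the steps above, combined into one script. This is an added example, not part of the original guide: the function names are hypothetical, and the check for group or other write permission is an assumed hardening step, since the file selects role and profile settings.

```shell
#!/bin/sh
# Added example (not from the original page): resolve the shared config path
# the same way the steps above do, then summarize what the file defines.

aws_config_path() {
    # AWS_CONFIG_FILE wins when set and non-empty; otherwise the home default.
    printf '%s\n' "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
}

aws_config_source() {
    # "override" when the environment redirects the CLI, else "default".
    if [ -n "${AWS_CONFIG_FILE:-}" ]; then echo override; else echo default; fi
}

aws_config_profiles() {
    # [default] -> default, [profile NAME] -> NAME; other sections are skipped.
    sed -n -e 's/^\[default\][[:space:]]*$/default/p' \
        -e 's/^\[profile[[:space:]][[:space:]]*\([^]]*\)\][[:space:]]*$/\1/p' "$1"
}

aws_config_is_loose() {
    # True when group or others can write the file (assumed hardening check).
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

aws_config_report() {
    path=$(aws_config_path)
    echo "source:   $(aws_config_source)"
    echo "path:     $path"
    if [ ! -f "$path" ]; then
        echo "status:   missing (not created yet, or the override points elsewhere)"
        return 0
    fi
    if aws_config_is_loose "$path"; then
        echo "status:   present, writable by group or others"
    else
        echo "status:   present, not writable by group or others"
    fi
    echo "profiles: $(aws_config_profiles "$path" | tr '\n' ' ')"
}

# Report on the config file the current shell would hand to the AWS CLI.
aws_config_report
```

The script reads only the environment and the file itself, so it works before the AWS CLI is installed or configured.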
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
