How to configure AWS CLI on Linux and macOS

Configuring AWS CLI on Linux or macOS stores the credentials and defaults needed to run AWS commands without repeating the same account and region details on every invocation. A working local profile is the starting point for routine tasks such as listing S3 buckets, inspecting identities with STS, or running automation from a shell session.

The aws configure wizard writes the access key pair to ~/.aws/credentials and stores settings such as the default region and output format in ~/.aws/config. When no profile name is supplied, the wizard updates the default profile, which is the profile the CLI uses automatically unless a command or environment variable selects another one.

Current AWS guidance favors short-lived credentials where possible. The steps below focus on the classic access key workflow for aws configure; if the account uses console-based temporary credentials or IAM Identity Center, use aws login or aws configure sso instead of storing long-term keys locally.

Step-by-step video guide:

Steps to configure AWS CLI on Linux and macOS:

Open a terminal application.
Confirm that AWS CLI is installed and available in the current shell.
```
$ aws --version
aws-cli/2.34.18 Python/3.13.12 Darwin/25.3.0 source/arm64
```
Install the CLI first if the command is missing.

Related: How to install AWS CLI on Ubuntu
Related: How to install AWS CLI on CentOS or Red Hat
Related: How to install AWS CLI version 1 using pip
Gather the AWS Access Key ID, AWS Secret Access Key, preferred region, and preferred output format for the account that will run CLI commands.

Do not configure routine CLI access with root account keys. Use a least-privilege IAM user or another approved credential source instead.

Related: How to create a programmatic access user in AWS IAM

Start the interactive configuration wizard for the default profile.

$ aws configure

Tip: You can deliver temporary credentials to the AWS CLI using your AWS Console session by running the command 'aws login'.

AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]:
Default output format [None]:

Use aws configure --profile profile-name when a separate named profile is needed instead of overwriting default.

Enter the AWS Access Key ID when prompted.

AWS Access Key ID [None]: AKIAEXAMPLECORE00001

Enter the AWS Secret Access Key when prompted.

AWS Secret Access Key [None]: coreSecretExample0000000000000000000000001

Enter the default region for the commands that will use this profile.
```
Default region name [None]: us-west-2
```
Press Enter to leave the region unset when commands will always pass --region explicitly or use environment variables.
Enter the preferred default output format, or press Enter to leave it unset.
```
Default output format [None]: json
```
Common formats are json, yaml, text, and table.

Review the generated credentials file to confirm that the access key pair was written for the default profile.

$ cat ~/.aws/credentials
[default]
aws_access_key_id = AKIAEXAMPLECORE00001
aws_secret_access_key = coreSecretExample0000000000000000000000001

Review the generated config file to confirm that the region and output defaults were stored separately from the secret material.
```
$ cat ~/.aws/config
[default]
region = us-west-2
output = json
```
Named profiles appear as [profile profile-name] in ~/.aws/config even though the credentials file still uses the bare profile name.

Show the resolved configuration to verify that the CLI is reading the masked keys from ~/.aws/credentials and the region from ~/.aws/config.

$ aws configure list
NAME       : VALUE                    : TYPE             : LOCATION
profile    : <not set>                : None             : None
access_key : ****************MPLE     : shared-credentials-file :
secret_key : ****************EKEY     : shared-credentials-file :
region     : us-west-2                : config-file      : ~/.aws/config

This command is the quickest way to confirm which profile, file, environment variable, or login cache the CLI is actually using.

Verify that the configured identity can make signed requests to AWS.
```
$ aws sts get-caller-identity
{
    "UserId": "AIDASAMPLEUSERID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/PlatformOperator"
}
```
A successful response confirms that the key pair works and shows the active account and user or role ARN.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.