Using credential_process in AWS CLI lets a profile call another program for credentials each time the profile runs instead of saving another long-lived access key pair in the shared AWS files. That fits vault-backed helpers, workforce sign-in bridges, IAM Roles Anywhere helpers, and other setups where another tool should mint or fetch credentials on demand.
The setting lives in the shared config file under a named profile. When that profile runs, the AWS CLI executes the configured command, reads JSON from STDOUT, and uses the returned AccessKeyId, SecretAccessKey, optional SessionToken, and optional Expiration values for credential resolution. The JSON must keep Version set to 1.
AWS recommends supported sign-in flows such as IAM Identity Center, role assumption, or aws login when they fit the workload, because an external helper is only as safe as the command, its cache, and the config entry that invokes it. The credential_process string cannot use $HOME, %USERPROFILE%, or ~, and the AWS CLI does not cache external-process credentials, so any expensive sign-in flow needs caching inside the helper itself.
Steps to configure credential_process in AWS CLI:
- Run the credential helper by itself and confirm that it prints valid JSON to STDOUT.
$ /opt/bin/aws-creds-helper --profile developer
{
  "Version": 1,
  "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
  "SecretAccessKey": "coreSecretExample0000000000000000000000001",
  "SessionToken": "AQoDYXdzEJr...<remainder of security token>",
  "Expiration": "2030-01-01T00:00:00Z"
}
The helper output must keep Version at 1, and Expiration tells the CLI when temporary credentials should be refreshed.
Do not write secrets to STDERR because AWS CLI and AWS SDKs can capture and log that stream.
- Save the helper command into the target profile in the shared config file.
$ aws configure set credential_process "/opt/bin/aws-creds-helper --profile developer" --profile developer
This writes credential_process under [profile developer] in the shared config file, not in the shared credentials file.
Use a full path unless the helper name is already reliably available in PATH, quote the whole path when it contains spaces, and quote only the individual argument values that contain spaces.
- Read the saved value back from the profile before testing credential resolution.
$ aws configure get credential_process --profile developer
/opt/bin/aws-creds-helper --profile developer
- Inspect the shared config file and confirm the entry was written under the expected profile section.
$ cat ~/.aws/config
[profile developer]
credential_process = /opt/bin/aws-creds-helper --profile developer
The default file is ~/.aws/config on Linux and macOS and %UserProfile%\.aws\config on Windows. Use AWS_CONFIG_FILE only when a script or task should read a different config file.
Related: How to find the AWS CLI config file location
- Check the resolved credential source for the profile.
$ aws configure list --profile developer
NAME       : VALUE                    : TYPE             : LOCATION
profile    : developer                : manual           : --profile
access_key : ****************MPLE     : custom-process   :
secret_key : ****************0001     : custom-process   :
region     : <not set>                : None             : None
The custom-process type confirms that the profile is pulling credentials through the configured helper instead of from a shared access-key entry.
- Export the resolved credentials in process format to confirm that the saved profile can run the helper successfully.
$ aws configure export-credentials --profile developer --format process
{
  "Version": 1,
  "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
  "SecretAccessKey": "coreSecretExample0000000000000000000000001",
  "SessionToken": "AQoDYXdzEJr...<remainder of security token>",
  "Expiration": "2030-01-01T00:00:00+00:00"
}
aws configure export-credentials uses the normal credential resolution chain and returns the same JSON schema expected by credential_process.
A downstream profile or SDK-compatible tool can reuse another working AWS CLI sign-in by setting credential_process = aws configure export-credentials --profile signin --format process when process-formatted credentials are required.
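The caching that the introduction says must live inside the helper, as an added example (not code from the original page or from AWS): a wrapper that runs a real helper, keeps its Version 1 JSON in an owner-only cache file, and reuses it until shortly before Expiration. The wrapper's command-line shape, the five-minute refresh margin, and the function names are assumptions.

```python
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timedelta, timezone

REFRESH_SKEW = timedelta(minutes=5)  # assumption: refresh 5 minutes before expiry

def validate(creds):
    """Accept only the schema the page describes: Version 1 plus both key fields."""
    ok = isinstance(creds, dict) and creds.get("Version") == 1
    if not (ok and creds.get("AccessKeyId") and creds.get("SecretAccessKey")):
        raise ValueError("not a Version 1 credential_process document")
    return creds

def is_fresh(creds, now):
    """Reuse cached credentials only if they expire later than now + skew."""
    if not creds.get("Expiration"):
        return False  # no expiry recorded, so ask the real helper again
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    return expires - REFRESH_SKEW > now

def get_credentials(fetch, cache_path, now=None):
    """Return cached credentials while fresh, otherwise call fetch() and cache them."""
    now = now or datetime.now(timezone.utc)
    try:
        with open(cache_path) as fh:
            cached = validate(json.load(fh))
        if is_fresh(cached, now):
            return cached
    except (OSError, ValueError, TypeError):
        pass  # missing, unreadable, corrupt or malformed cache: fall through
    creds = validate(fetch())
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(cache_path) or ".")  # mode 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    os.replace(tmp, cache_path)  # atomic swap, readers never see a partial file
    return creds

def run_helper(cmd):
    """Run the real (uncached) helper and parse the JSON it prints on STDOUT."""
    return json.loads(subprocess.run(cmd, check=True, stdout=subprocess.PIPE).stdout)

if __name__ == "__main__":  # usage: this_script CACHE_FILE HELPER [ARGS...]
    try:
        json.dump(get_credentials(lambda: run_helper(sys.argv[2:]), sys.argv[1]), sys.stdout)
    except Exception as exc:  # STDERR gets the error class only, never secret values
        sys.exit("credential helper failed: " + type(exc).__name__)
```

When pointing credential_process at a wrapper like this, give full paths for the script and the cache file, because the setting does not expand ~ or $HOME.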
Related: How to configure multiple AWS CLI profiles
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
