Finding the active AWS CLI credentials file matters before rotating access keys, removing stale profiles, or checking why one shell authenticates differently from another.
The AWS CLI reads long-term access keys from a shared plaintext credentials file and keeps most non-secret defaults, such as region and output format, in the separate config file. By default the shared credentials file is ~/.aws/credentials on Linux and macOS and %USERPROFILE%\.aws\credentials on Windows, but the CLI can be pointed at another file instead.
The effective path changes when AWS_SHARED_CREDENTIALS_FILE is set, and some sessions never read the shared credentials file at all because they use environment variables, IAM Identity Center, role assumption, or instance or task metadata instead. The steps below confirm both the file location and whether the current shell is actually sourcing credentials from that file.
Steps to find the AWS CLI credentials file:
- Print the effective shared credentials path for the current shell.
$ printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
/home/user/.aws/credentials
On Windows, the default shared credentials path is %USERPROFILE%\.aws\credentials when AWS_SHARED_CREDENTIALS_FILE is not set.
- Check whether an environment override is redirecting the CLI to a non-default file.
$ printenv AWS_SHARED_CREDENTIALS_FILE
/opt/project/aws-credentials
No output usually means the default path from the previous step is in effect.
- Verify that the resolved file exists and that its permissions are still restricted.
$ ls -l "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
-rw------- 1 user user 232 Mar 29 09:10 /home/user/.aws/credentials
A No such file or directory result means the shared credentials file has not been created at that path, or the current session is using another credential source instead.
- Inspect the file to confirm the stored profile sections.
$ sed -n '1,20p' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
[default]
aws_access_key_id = AKIAEXAMPLECORE00001
aws_secret_access_key = coreSecretExample0000000000000000000000001
[docs]
aws_access_key_id = AKIAEXAMPLECORE00001
aws_secret_access_key = coreSecretExample0000000000000000000000001
The shared credentials file contains plaintext secrets, so keep file permissions tight and avoid pasting real values into terminals, tickets, or chat logs.
- List the profile names that the AWS CLI can currently discover from the shared files.
$ aws configure list-profiles
default
docs
If an expected profile is missing, re-check the resolved file path and confirm the section header in credentials matches the intended profile name exactly.
- Check which source the current shell is using for credentials before assuming the shared file is active.
$ aws configure list
NAME       : VALUE                : TYPE                    : LOCATION
profile    : <not set>            : None                    : None
access_key : ****************MPLE : shared-credentials-file :
secret_key : ****************EKEY : shared-credentials-file :
region     : <not set>            : None                    : None
If the TYPE column for access_key and secret_key is shared-credentials-file, the session is reading credentials from the file located in the earlier steps.
Current AWS CLI output may leave the LOCATION column blank for credentials coming from the shared file, so the TYPE column is the more reliable indicator here.
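The file checks from the steps above can be run in one pass that lists profiles with masked key IDs instead of printing the file contents. This is an added example, not part of the original procedure; the function names and the 0/1/2 exit codes are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the shared credentials file without echoing secrets.
# Function names are hypothetical; exit codes 0/1/2 are this script's own convention.

# Same resolution rule as the first step: the override wins, else the default path.
resolve_creds_path() {
    printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
}

# Succeeds only when group and other have no permission bits (e.g. -rw-------).
creds_mode_is_private() {
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Print "<profile> ****<last 4 of key id>" per profile; secret keys are never printed.
list_profiles_masked() {
    profile=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop spaces, tabs, CRs
        case "$line" in
            \[*\]) profile=${line#\[}; profile=${profile%\]} ;;
            aws_access_key_id=*)
                key=${line#*=}
                tail=${key#"${key%????}"}              # last four characters only
                printf '%s ****%s\n' "$profile" "$tail" ;;
        esac
    done < "$1"
}

# 0 = file present and private, 1 = present but group/other accessible, 2 = missing.
audit_creds_file() {
    path=$(resolve_creds_path)
    if [ ! -f "$path" ]; then
        echo "missing: $path (session may use another credential source)" >&2
        return 2
    fi
    list_profiles_masked "$path"
    if ! creds_mode_is_private "$path"; then
        echo "loose permissions on $path; run: chmod 600 \"$path\"" >&2
        return 1
    fi
    return 0
}

audit_creds_file || true
```

A profile listed here can still be inactive in the current shell, so the TYPE column of aws configure list remains the check for which source is actually in use.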
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
