The AWS CLI usually reads long-term access keys from the shared credentials file, a plaintext file on the local machine. Find that path first when you need to rotate keys, compare profile files, or confirm whether a shell is still pointing at an old credentials file.
By default the shared credentials file is ~/.aws/credentials on Linux and macOS and %USERPROFILE%\.aws\credentials on Windows. The AWS_SHARED_CREDENTIALS_FILE environment variable changes that path for the current shell or process.
The path alone does not prove that the current shell is using that file. aws configure list shows whether the active access key came from the shared credentials file, an environment variable, or another credential provider.
Steps to find the AWS CLI shared credentials file location:
- Print the path that the current shell will use for the shared credentials file.
    $ printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    /home/user/.aws/credentials
On Windows, the default path is %USERPROFILE%\.aws\credentials when AWS_SHARED_CREDENTIALS_FILE is not set.
- Check whether the path is being overridden by AWS_SHARED_CREDENTIALS_FILE.
    $ printenv AWS_SHARED_CREDENTIALS_FILE
    /opt/company/aws/credentials
No output means the CLI is still using the default home-directory path from the previous step.
- Confirm that the resolved file exists before you open or edit it.
    $ ls -l "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    -rw------- 1 user user 230 Apr 19 09:03 /opt/company/aws/credentials
If ls returns No such file or directory, the file has not been created at that path yet or the current shell is getting credentials from somewhere else.
- Verify whether the current shell is actually loading access keys from the shared credentials file.
    $ aws configure list
    NAME : VALUE : TYPE : LOCATION
    profile : <not set> : None : None
    access_key : ****************MPLE : shared-credentials-file :
    secret_key : ****************EKEY : shared-credentials-file :
    region : ap-southeast-1 : config-file : ~/.aws/config
If TYPE shows shared-credentials-file for access_key and secret_key, the current shell is reading keys from the file path you resolved earlier. If it shows env or another source, the shell is getting credentials from somewhere else. Current AWS CLI releases typically leave the LOCATION field blank for shared-credentials-file entries.
- Repeat the verification with --profile when you need to check a named profile.
    $ aws configure list --profile audit
    NAME : VALUE : TYPE : LOCATION
    profile : audit : manual : --profile
    access_key : ****************MPLE : shared-credentials-file :
    secret_key : ****************EKEY : shared-credentials-file :
    region : us-east-1 : config-file : ~/.aws/config
--profile changes the profile section that the CLI reads, but it does not change the credentials file path. The file path still comes from AWS_SHARED_CREDENTIALS_FILE or the default home-directory location.
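The checks above can be combined into one offline helper that resolves the path, flags a file that group or other users can access, and reports whether a profile section exists, without printing any key material. This is an added example, not part of the original steps or of the AWS CLI; the function names are hypothetical, it assumes that access keys set in AWS_ACCESS_KEY_ID take precedence when no profile is passed explicitly, and it does not model other credential providers, so aws configure list remains the authoritative check.

```shell
#!/bin/sh
# Added example (hypothetical function names); prints no secret values.

# Path the CLI will use: the override if set and non-empty, else the default.
resolve_creds_path() {
    printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
}

# Section names in a credentials file: a "[audit]" line yields "audit".
list_profiles() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)][[:space:]]*$/\1/p' "$1"
}

# Succeeds only if group and other have no access: characters 5-10 of the
# ls mode string must be "------", as in the -rw------- listing.
creds_mode_ok() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Report where keys would come from. $1 is an explicit profile (like --profile).
# Runs in a subshell so its variables do not leak into the calling shell.
report_creds_source() (
    path="$(resolve_creds_path)"
    profile="${1:-${AWS_PROFILE:-default}}"
    if [ -n "${AWS_SHARED_CREDENTIALS_FILE:-}" ]; then origin=override; else origin=default; fi
    echo "path=$path ($origin)"
    if [ -f "$path" ] && ! creds_mode_ok "$path"; then
        echo "warning=file accessible by group or other"
    fi
    # Without an explicit profile, access keys in the environment win.
    if [ $# -eq 0 ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo "source=env"
    elif [ ! -f "$path" ]; then
        echo "source=unknown (no file at path)"; return 1
    elif list_profiles "$path" | grep -qxF -- "$profile"; then
        echo "source=shared-credentials-file profile=$profile"
    else
        echo "source=unknown (no [$profile] section)"; return 1
    fi
)
```

Source the file and run report_creds_source for the default profile, or report_creds_source audit for a named one; a non-zero exit status means no matching file or section was found.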
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
