AWS CLI

Tips and notes on AWS CLI configuration.

AWS config file

The AWS CLI (and any SDK/tool that reads it) uses ~/.aws/config for named profiles. To use a different file, set the AWS_CONFIG_FILE environment variable:

export AWS_CONFIG_FILE=/path/to/config

credential_process

Instead of storing static keys in ~/.aws/credentials, use credential_process to source credentials dynamically — from environment variables, a secrets manager, or any shell command that outputs the expected JSON.

# ~/.aws/config
[profile myprofile]
services = myservices
credential_process = sh -c 'echo "{\"Version\":1,\"AccessKeyId\":\"$MY_ACCESS_KEY_ID\",\"SecretAccessKey\":\"$MY_SECRET_ACCESS_KEY\",\"SessionToken\":\"\"}"'

[services myservices]
s3 =
  endpoint_url = https://s3.example.com

Key points:

  • credential_process must output JSON with Version, AccessKeyId, SecretAccessKey, and optionally SessionToken and Expiration
  • SessionToken must be present in the JSON (set to "" if unused)
  • services lets you override endpoints per-service for a profile, useful for self-hosted S3-compatible stores like Garage
  • Credentials are sourced at runtime — no secrets stored on disk
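The inline sh -c command above prints JSON with blank keys when a variable is unset, and does no escaping of the values it interpolates. The helper below is an added example, not part of the original notes: it reads the same MY_ACCESS_KEY_ID and MY_SECRET_ACCESS_KEY variables, refuses to emit anything when one is missing, and lets the JSON library do the quoting. MY_SESSION_TOKEN and the script itself are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""credential_process helper: emit AWS credentials JSON from environment variables."""
import json
import os
import sys

# Variable names match the profile on this page; MY_SESSION_TOKEN is an
# assumed, optional extra that the original notes do not define.
REQUIRED = {"AccessKeyId": "MY_ACCESS_KEY_ID", "SecretAccessKey": "MY_SECRET_ACCESS_KEY"}


def build_credentials(env):
    """Return the credential_process payload, or raise ValueError naming what is missing."""
    missing = [var for var in REQUIRED.values() if not env.get(var)]
    if missing:
        # Name the variables only; never put secret values into error output.
        raise ValueError("unset or empty: " + ", ".join(missing))
    payload = {"Version": 1}
    for field, var in REQUIRED.items():
        payload[field] = env[var]
    # Following this page's key points, SessionToken is always present ("" when unused).
    payload["SessionToken"] = env.get("MY_SESSION_TOKEN", "")
    return payload


def main(env=os.environ, out=sys.stdout, err=sys.stderr):
    try:
        payload = build_credentials(env)
    except ValueError as exc:
        print(f"credential helper: {exc}", file=err)
        return 1  # non-zero exit makes the caller fail instead of signing with blank keys
    json.dump(payload, out)  # json handles quoting and escaping of every value
    out.write("\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it, save the script somewhere executable and set credential_process in the profile to that path (a hypothetical location such as /path/to/aws-env-creds.py) in place of the sh -c one-liner.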