Using the AWS CLI to interact with AWS resources requires authentication credentials. Depending on how they are configured, commands may not behave as expected and troubleshooting becomes necessary, so this document collects some tips.
When using the AWS CLI, have you ever run into situations where the credentials you set up were not the ones actually used, or a command ran under an unintended IAM role?
AWS credentials are loaded in a specific order depending on where they are configured.
Knowing this order can reduce the time spent troubleshooting.
Order in which credentials are loaded
The priority order in which the AWS CLI reads credentials is described in the following document.
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-authentication.html
- Command line options – Overrides settings in any other location, such as the --region, --output, and --profile parameters.
- Environment variables – You can store values in your system's environment variables.
- Assume role – Assume the permissions of an IAM role through configuration or the assume-role command.
- Assume role with web identity – Assume the permissions of an IAM role using web identity through configuration or the assume-role-with-web-identity command.
- AWS IAM Identity Center – The IAM Identity Center configuration settings stored in the config file are updated when you run the aws configure sso command. Credentials are then authenticated when you run the aws sso login command. The config file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME\.aws\config on Windows.
- Credentials file – The credentials and config file are updated when you run the command aws configure. The credentials file is located at ~/.aws/credentials on Linux or macOS, or at C:\Users\USERNAME\.aws\credentials on Windows.
- Custom process – Get your credentials from an external source.
- Configuration file – The credentials and config file are updated when you run the command aws configure. The config file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME\.aws\config on Windows.
- Container credentials – You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task's containers. For more information, see IAM Roles for Tasks in the Amazon Elastic Container Service Developer Guide.
- Amazon EC2 instance profile credentials – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide and Using Instance Profiles in the IAM User Guide.
The credential sources are checked in the order listed above, from top to bottom, and the first one that yields credentials is used.
On a local PC in particular, it is common for credentials left in environment variables or in the credentials file to take precedence, so the CLI ends up running with credentials that lack the necessary permissions.
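To make the precedence concrete, here is an added example (not code from the original article or from the AWS CLI) that models the resolution order for the sources a workstation can satisfy offline: the --profile option, environment variables, the credentials file and the config file. It also models one detail the list above does not spell out: an explicit --profile makes the underlying botocore resolver skip the environment-variable keys, whereas AWS_PROFILE does not. The sample file contents and key IDs are constructed.

```python
import configparser
import os
from pathlib import Path

# Added example, not the AWS CLI's own code: a model of credential precedence for
# the sources a workstation can satisfy offline (--profile, environment variables,
# ~/.aws/credentials, ~/.aws/config). Assume-role, SSO, container and instance-
# profile sources are left out. Source labels match the "Type" column of `aws configure list`.

def _section_key(ini_text, section):
    """Return aws_access_key_id from an INI section, or None if absent."""
    ini = configparser.ConfigParser()
    ini.read_string(ini_text)
    if ini.has_option(section, "aws_access_key_id"):
        return ini.get(section, "aws_access_key_id")
    return None

def resolve_credentials(env, cli_profile=None, credentials_text="", config_text=""):
    """Return (source, access_key_id, profile) for the first source holding a key."""
    # 1. --profile overrides AWS_PROFILE; both fall back to "default".
    profile = cli_profile or env.get("AWS_PROFILE") or "default"
    # 2. Exported keys are checked before any file, so a stale export silently
    #    shadows a profile selected via AWS_PROFILE. An explicit --profile makes
    #    botocore's resolver skip this step, which is modelled here too.
    if cli_profile is None and env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return ("env", env["AWS_ACCESS_KEY_ID"], profile)
    # 3. Shared credentials file: sections are named "[name]".
    key = _section_key(credentials_text, profile)
    if key:
        return ("shared-credentials-file", key, profile)
    # 4. Config file: non-default profiles live under "[profile name]".
    section = profile if profile == "default" else f"profile {profile}"
    key = _section_key(config_text, section)
    if key:
        return ("config-file", key, profile)
    return (None, None, profile)

def resolve_from_home(cli_profile=None, home=None):
    """Run the same check against the real files under ~/.aws (or a given home)."""
    base = Path(home or Path.home()) / ".aws"
    read = lambda name: (base / name).read_text() if (base / name).exists() else ""
    return resolve_credentials(dict(os.environ), cli_profile, read("credentials"), read("config"))

# Constructed sample files: "test" has keys in the credentials file, "ci" only in config.
SAMPLE_CREDENTIALS = "[test]\naws_access_key_id = AKIAEXAMPLETESTHOGE\naws_secret_access_key = x\n"
SAMPLE_CONFIG = "[profile test]\nregion = us-east-1\n[profile ci]\naws_access_key_id = AKIAEXAMPLECICONF\naws_secret_access_key = y\n"

if __name__ == "__main__":
    stale = {"AWS_PROFILE": "test", "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEENVFUGA", "AWS_SECRET_ACCESS_KEY": "z"}
    print(resolve_credentials(stale, None, SAMPLE_CREDENTIALS, SAMPLE_CONFIG))  # env wins over AWS_PROFILE
```

Running resolve_from_home() on your own machine reports the same source label that aws configure list would show for the file-based and environment cases.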
How to locate the currently loaded credentials
To identify the IAM credentials currently in use, the "get-caller-identity" command is an effective tool.
This command can be used to check the IDs of IAM users and AWS accounts.
aws sts get-caller-identity
{
    "UserId": "hogefuga",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/test"
}
Additionally, the "configure list" command is useful for identifying the location of currently loaded credentials.
This command allows you to check whether the information is being read from environment variables or from a credentials file.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
aws configure list --profile test
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                     test           manual    --profile
access_key     ****************hoge shared-credentials-file
secret_key     ****************hoge shared-credentials-file
    region                us-east-1      config-file    ~/.aws/config
aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************fuga              env
secret_key     ****************fuga              env
    region                us-east-1              env    AWS_DEFAULT_REGION