By using AWS re:Post, you agree to the Terms of Use
/AWS CLI does not pick up credentials file with sudo (EC2, Linux)/

AWS CLI does not pick up credentials file with sudo (EC2, Linux)


Using ssm-user on ec2 I can authenticate successfully, receiving credentials as json (using the API, not using aws CLI). These are stored in the default location ~/.aws/credentials, working properly. This file is properly picked up from tools using the API like e.g. terraform. The file is protected and can be read by ssm-user only.

When runing CLI, I have do use sudo /usr/local/bin/aws, the default installation requires sudo for all aws calls. sudo of course can read this file, but it does not use it. Using aws --debug I can see aws CLI trying the file, continuing with additional possibilities to authenticate. I can inject the credentials with environment variables, so it's neither the credentials nor the aws CLI installation itself. And the file name is correct.

Is there any further reasoning why the aws CLI does not use the credentials file? Or any command line option showing more than --debug?

1 Answers

Hi, can you check to which home directory you have configured?

sudo echo $HOME

You'll likely have /home/ec2-user /home/ssm-user and /home/root home directories. Also, have you considered using an IAM role attached to the instance for managing access to AWS resources?

answered 3 months ago
  • Thank you. Before posting I already compared the contents and path of ~/.aws/credentials with and without sudo. In both cases they are the same, pointing to the same directory. And in fact I can read the credentials manually from there and use them for authentication using environment variables. In addition I now have compared output of "echo $HOME" with "sudo echo $HOME", all pointing to the same path, one of yours listed above. aws CLI refuses to use the file. The instance is running on another AWS account but for us. Therefore we do not intend to attach the role to the instance.

  • A security best practice is to rotate your credentials. Using an Instance Profile and Role will enable that automatically. You should use the instance metadata version 2:

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions