What's ~/.aws/credentials?
AWS credentials
🔍 What is ~/.aws/credentials?
This file holds AWS credentials for different user profiles. It's read by tools like:
- AWS CLI (aws)
- AWS SDKs (Python boto3, Java SDK, etc.)
- Any program using the AWS shared credentials provider
Each profile is a named set of AWS credentials (like default, dev-alice, etc.) and contains at minimum:
- aws_access_key_id
- aws_secret_access_key
For temporary credentials (like those from SSO or STS), it also includes:
- aws_session_token
📁 File Example Explained
[default] # Default profile, used when no --profile flag is given
aws_access_key_id = xx1
aws_secret_access_key = yy1
aws_session_token = zz1 # Indicates this is a temporary session (probably from SSO, MFA, or STS)
[dev-alice] # A named profile for "alice"
aws_access_key_id = xx2
aws_secret_access_key = yy2
[dev-bob] # A named profile for "bob"
aws_access_key_id = xx3
aws_secret_access_key = yy3
You can use each profile like:
aws s3 ls --profile dev-bob
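To make the file layout concrete, here is an added Python example (not code from the original post) that parses a credentials file in the shape shown above, classifies each profile as long-term, temporary or incomplete, and checks that the file is not readable by other users on the host. The sample file content and its placeholder keys are constructed; the profile names mirror the example above, plus a deliberately incomplete one.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample in the same shape as the file shown above.
# The key values are placeholders, not real credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = xx1
aws_secret_access_key = yy1
aws_session_token = zz1

[dev-alice]
aws_access_key_id = xx2
aws_secret_access_key = yy2

[dev-bob]
aws_access_key_id = xx3
aws_secret_access_key = yy3

[broken]
aws_access_key_id = xx4
"""

REQUIRED = ("aws_access_key_id", "aws_secret_access_key")


def parse_credentials(text):
    """Parse credentials-file text into {profile: {key: value}}.

    The shared credentials file is INI-like, so configparser handles it;
    comments on their own line (# or ;) are ignored.
    """
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def classify_profiles(profiles):
    """Return {profile: kind} with kind 'temporary', 'long-term' or 'incomplete'.

    A session token is what distinguishes STS/SSO credentials from IAM user keys.
    """
    kinds = {}
    for name, keys in profiles.items():
        if not all(k in keys for k in REQUIRED):
            kinds[name] = "incomplete"
        elif "aws_session_token" in keys:
            kinds[name] = "temporary"
        else:
            kinds[name] = "long-term"
    return kinds


def permissions_ok(mode):
    """True if the file mode grants nothing to group or others (0600 or tighter).

    The keys in this file are plaintext, so group/world access is a finding.
    """
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit_file(path):
    """Classify the profiles in the file at `path` and collect findings."""
    with open(path) as fh:
        kinds = classify_profiles(parse_credentials(fh.read()))
    findings = []
    if not permissions_ok(stat.S_IMODE(os.stat(path).st_mode)):
        findings.append("file is readable by group or others; chmod 600 it")
    for name, kind in kinds.items():
        if kind == "long-term":
            findings.append(f"profile '{name}' holds long-term keys; prefer SSO or assumed-role credentials")
        elif kind == "incomplete":
            findings.append(f"profile '{name}' is missing a required key")
    return kinds, findings


if __name__ == "__main__":
    # Demo against a scratch file, not the real ~/.aws/credentials.
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(SAMPLE_CREDENTIALS)
    os.chmod(tmp.name, 0o644)  # deliberately loose, to trigger the finding
    kinds, findings = audit_file(tmp.name)
    print(kinds)
    for finding in findings:
        print("finding:", finding)
    os.remove(tmp.name)
```

Run it as-is for the demo, or call audit_file(os.path.expanduser("~/.aws/credentials")) to audit a real file; on a typical workstation the long-term-key findings are the ones worth acting on.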
🛠️ How to Generate Credentials (via CLI)
There are a few ways to generate and populate credentials into this file.
1. Manually Adding Long-Term IAM User Credentials
This is the most straightforward (but least secure):
aws configure --profile dev-bob
It will prompt:
AWS Access Key ID [None]: xx3
AWS Secret Access Key [None]: yy3
Default region name [None]: us-east-1
Default output format [None]: json
2. Using AWS SSO (Recommended for human users)
aws configure sso --profile dev-alice
After setup:
aws sso login --profile dev-alice
This will populate a ~/.aws/cli/cache/*.json file and the credentials file with temporary credentials.
3. Using aws sts assume-role (For programmatic access)
If you have a role to assume:
aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/MyRole \
--role-session-name my-session
It will return JSON like:
{
"Credentials": {
"AccessKeyId": "xx",
"SecretAccessKey": "yy",
"SessionToken": "zz"
}
}
You can write this output into the ~/.aws/credentials file manually or using a script.
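One way to do the scripted version, as an added Python example that is not part of the original post: it takes the assume-role JSON (a constructed stand-in here, including the Expiration field that real STS output carries but the excerpt above omits), maps it onto the keys the credentials file uses, refuses to install credentials that have already expired, and writes the profile into the file atomically with mode 0600 while keeping any existing profiles. The profile name assumed-role and the placeholder values are assumptions.

```python
import configparser
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for the JSON that `aws sts assume-role` prints. Real STS
# output also carries an Expiration timestamp, used here to check freshness;
# the values are placeholders, not real credentials.
ASSUME_ROLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "xx",
    "SecretAccessKey": "yy",
    "SessionToken": "zz",
    "Expiration": "2099-01-01T00:00:00+00:00"
  }
}"""


def sts_to_profile_values(sts_json):
    """Map the STS Credentials block onto the keys the shared credentials file uses."""
    creds = json.loads(sts_json)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # marks these as temporary
    }


def seconds_remaining(sts_json, now=None):
    """Seconds until the assumed-role credentials expire (negative if already expired)."""
    creds = json.loads(sts_json)["Credentials"]
    expiry = datetime.fromisoformat(creds["Expiration"])
    now = now or datetime.now(timezone.utc)
    return (expiry - now).total_seconds()


def write_profile(path, profile, values):
    """Add or replace one profile in the credentials file, keeping the others.

    The file is rewritten atomically and created with mode 0600 so the
    plaintext keys are never readable by other users on the host.
    """
    parser = configparser.RawConfigParser()
    if os.path.exists(path):
        parser.read(path)
    if parser.has_section(profile):
        parser.remove_section(profile)
    parser.add_section(profile)
    for key, value in values.items():
        parser.set(profile, key, value)
    tmp_path = path + ".tmp"
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        parser.write(fh)
    os.replace(tmp_path, path)


def install_assumed_role(sts_json, path, profile="assumed-role"):
    """Write the STS credentials as `profile`, unless they are already expired."""
    if seconds_remaining(sts_json) <= 0:
        raise ValueError("assume-role output is already expired; run assume-role again")
    write_profile(path, profile, sts_to_profile_values(sts_json))
    return profile


def demo():
    """Round trip against a scratch file; returns the profile names it ends up with."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials")
        write_profile(path, "dev-bob", {"aws_access_key_id": "xx3", "aws_secret_access_key": "yy3"})
        install_assumed_role(ASSUME_ROLE_OUTPUT, path)
        parser = configparser.RawConfigParser()
        parser.read(path)
        return sorted(parser.sections())


if __name__ == "__main__":
    print(demo())  # dev-bob kept, assumed-role added
```

In practice you would pipe the real command output into install_assumed_role with path set to os.path.expanduser("~/.aws/credentials"); keeping the Expiration check means a stale JSON file on disk is never silently installed as a working profile.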
4. Using SSM Agent (as in your case)
SSM Agent can inject temporary credentials into the default profile of ~/.aws/credentials when running in a managed instance with a role. These are automatically rotated. You usually don't generate them manually — they're provided when the EC2 instance has an Instance Profile (IAM role attached).
🔐 Pro Tips
- The default profile is automatically used if no profile is specified.
- Use the AWS_PROFILE=dev-bob env variable in scripts to use a specific profile.
- aws sts get-caller-identity --profile dev-bob is a great command to verify who you are with each profile.