AWS CLI config file vs. credentials file

Introduction

The AWS CLI commonly uses two files in the .aws directory: config and credentials. The short answer is that credentials is usually for access keys and tokens, while config is usually for non-secret profile settings such as region and output format.

The Two Files And Their Usual Roles

The default locations are:

  • ~/.aws/config
  • ~/.aws/credentials

In normal usage:

  • credentials stores things like aws_access_key_id, aws_secret_access_key, and session tokens
  • config stores settings like region, output, role assumption settings, and other CLI behavior

That division is the clearest mental model, even though the CLI can read some overlapping values from both places.

Example File Layout

A common setup looks like this.

~/.aws/credentials:

```ini
[default]
aws_access_key_id = AKIAEXAMPLE
aws_secret_access_key = secret-example

[dev]
aws_access_key_id = AKIADEVEXAMPLE
aws_secret_access_key = dev-secret-example
```

~/.aws/config:

```ini
[default]
region = us-west-2
output = json

[profile dev]
region = us-east-1
output = yaml
```

Notice the profile syntax difference:

  • in credentials, a named profile is [dev]
  • in config, a named profile is [profile dev]

That detail causes a lot of confusion.

Why Use Two Files At All?

Separating secrets from general configuration makes the files easier to reason about.

For example:

  • credentials may be rotated often
  • config may include region, SSO, or role settings that are not secret
  • automation may manage one file differently from the other

This split is not arbitrary; it helps operational clarity.

Overlap And Precedence

AWS CLI documentation notes that the CLI can read overlapping settings from both files. In practice, if the same credential keys appear in both places for the same profile, the credentials file takes precedence for those credential values.

That is why the simplest advice is still the best one:

  • put secrets in credentials
  • put general profile configuration in config

You avoid ambiguity and make future debugging easier.

Role Profiles And SSO Profiles

The config file becomes especially important for more advanced profile types such as:

  • role assumption profiles
  • SSO profiles
  • settings like region, output, and source_profile

Example:

```ini
[profile prod-admin]
role_arn = arn:aws:iam::123456789012:role/Admin
source_profile = dev
region = us-east-1
```

This kind of profile configuration belongs in config, not in the credentials file.

Inspecting What The CLI Is Using

The AWS CLI can show which values are active.

```bash
aws configure list --profile dev
```

This is useful when you are unsure whether a region came from the config file, an environment variable, or another source.

You can also set values explicitly:

```bash
aws configure set region us-west-2 --profile dev
```

That command writes into the appropriate configuration store rather than forcing you to hand-edit the files every time.

When A Single File Appears To Work

You may see setups that place more settings in one file than the usual split suggests. The CLI can support some of that, but it is not the clearest operating model.

Just because a profile works does not mean it is the cleanest arrangement for long-term maintenance.

For most teams, the conventional split is still the best answer.

Common Pitfalls

The most common mistake is forgetting the profile header syntax difference between the two files.

Another mistake is putting non-secret profile configuration in credentials and then wondering why the setup becomes confusing over time.

Developers also overlook precedence and end up editing the wrong file while debugging profile behavior.

Finally, remember that environment variables and other credential sources can override file-based settings, so the files are not the only source the CLI may consider.
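
The file-level pitfalls above can be checked mechanically. The following Python linter is an added example, not part of the original article or of the AWS CLI; lint_aws_files, SECRET_KEYS and the sample file contents are names and placeholder values made up for it. It assumes that any bare section name in config other than default is a misnamed profile.

```python
import configparser

# Keys holding secret material; per the article these belong in ~/.aws/credentials.
SECRET_KEYS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}

def _parse(text):
    parser = configparser.RawConfigParser()  # Raw: no '%' interpolation of values
    parser.read_string(text)
    return parser

def lint_aws_files(config_text, credentials_text):
    """Return sorted (file, section, message) findings for the pitfalls above."""
    config, creds = _parse(config_text), _parse(credentials_text)
    # "[dev]" in credentials and "[profile dev]" in config name the same profile.
    cred_keys = {s.removeprefix("profile "): set(creds.options(s)) for s in creds.sections()}
    findings = []
    for section in config.sections():
        # Assumption: a bare section name other than "default" is a misnamed profile.
        if section != "default" and " " not in section:
            findings.append(("config", section, f"use [profile {section}]"))
        for key in SECRET_KEYS & set(config.options(section)):
            findings.append(("config", section, f"{key} belongs in credentials"))
            # Same key in both files: the credentials file value is the one used.
            if key in cred_keys.get(section.removeprefix("profile "), ()):
                findings.append(("config", section, f"{key} is overridden by credentials"))
    for section in creds.sections():
        if section.startswith("profile "):
            findings.append(("credentials", section, f"use [{section[8:]}]"))
        for key in set(creds.options(section)) - SECRET_KEYS:
            findings.append(("credentials", section, f"{key} belongs in config"))
    return sorted(findings)

# Constructed sample input (placeholder values), with each mistake present once.
SAMPLE_CONFIG = """\
[default]
region = us-west-2
aws_access_key_id = AKIAEXAMPLE
[dev]
"""
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLE
[profile dev]
aws_access_key_id = AKIADEVEXAMPLE
output = yaml
"""

if __name__ == "__main__":
    print(*lint_aws_files(SAMPLE_CONFIG, SAMPLE_CREDENTIALS), sep="\n")
```

To check real files, pass the text of ~/.aws/config and ~/.aws/credentials to lint_aws_files; the function reports section and key names only and never prints the values.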

Summary

  • ~/.aws/credentials usually stores access keys, secret keys, and tokens.
  • ~/.aws/config usually stores region, output, role, SSO, and other non-secret profile settings.
  • Named profile syntax differs between the two files.
  • Keep secrets in credentials and general configuration in config for clarity.
  • Use aws configure list when you need to debug which values are actually active.
