How Do I Clear The Credentials In AWS Configure?

Introduction

Clearing AWS CLI credentials is not only about aws configure. The CLI can read credentials from multiple places, including the shared credentials file, the config file, environment variables, and SSO sessions, so you need to remove or unset the source that is actually being used.

Find Where the Active Credentials Come From

Before deleting anything, check what the CLI is currently resolving:

bash
aws configure list

That command shows the profile, access key, secret key, and region the CLI has resolved, along with where each value comes from. It is the fastest way to tell whether the CLI is using:

  • values from ~/.aws/credentials
  • values from ~/.aws/config
  • environment variables
  • a named profile

If you skip this step, you can delete one credential source and still wonder why the CLI keeps authenticating through another one.

Remove Credentials From the Shared Files

For access-key-based profiles, the credentials are commonly stored in:

  • ~/.aws/credentials
  • ~/.aws/config

You can edit those files and remove the relevant profile section. A typical credentials file looks like this:

ini
[default]
aws_access_key_id = AKIA...
aws_secret_access_key = very-secret-value

[dev]
aws_access_key_id = AKIA...
aws_secret_access_key = another-secret-value

If you want to clear the default profile, remove that section or delete the specific keys from the file. Do the same for any matching profile section in the config file if it contains session or region settings you also want gone.

Unset Environment Variables

Environment variables override shared config files, so they are a common reason the CLI still appears authenticated after file cleanup.

On macOS or Linux:

bash
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
unset AWS_PROFILE

On Windows PowerShell:

powershell
Remove-Item Env:AWS_ACCESS_KEY_ID
Remove-Item Env:AWS_SECRET_ACCESS_KEY
Remove-Item Env:AWS_SESSION_TOKEN
Remove-Item Env:AWS_PROFILE

If the variables are being set by your shell startup files or terminal profile, remove them there as well or they will come back in the next session.

Clear AWS SSO Sessions if Needed

If you authenticate with AWS IAM Identity Center through AWS CLI SSO, removing access keys may not matter because the CLI can still use a cached SSO login. In that case, log out explicitly:

bash
aws sso logout

That clears locally cached SSO access for the active sessions and is often the missing step when file-based credential cleanup seems ineffective.

Verify That Credentials Are Gone

After cleanup, test the result:

bash
aws sts get-caller-identity

If credentials are no longer available, the CLI should fail with an authentication-related error instead of returning an AWS account and ARN. You can also rerun:

bash
aws configure list

That confirms whether the credential source is now empty or whether another profile is still active.

Prefer Deletion Over Empty Strings

It may be tempting to overwrite keys with blank values using aws configure set, but that often leaves confusing partial state behind. Removing the actual profile entries or unsetting the environment variables is usually cleaner because it makes the absence of credentials explicit.

For named profiles, also remember that an application may still set AWS_PROFILE=dev or another profile name. Clearing default does not affect a different profile that is still selected at runtime.

Common Pitfalls

The biggest mistake is clearing only one source of credentials. The AWS CLI credential provider chain can keep working through environment variables, another profile, or cached SSO state.

Another common issue is editing ~/.aws/credentials but forgetting ~/.aws/config. Region or profile settings in the config file can still make it look as though the old setup is active.

Shell startup files are another trap. If your terminal exports AWS variables in .zshrc, .bashrc, or a profile script, those values will reappear every time you open a new shell.

Finally, do not confuse clearing credentials with revoking them. Removing local credentials only affects your machine. If a key was exposed or should no longer exist, deactivate or delete it in AWS as well.
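
The sources named in this section (environment variables, the shared files, cached SSO state, and shell startup files) can be checked in one pass. The script below is an added example, not part of the original article: the function name aws_cred_sources and its output format are made up for illustration, and it assumes the CLI's default locations under the home directory, including ~/.aws/sso/cache and ~/.aws/cli/cache.

```shell
#!/bin/sh
# Added example: list every place the AWS CLI could still find credentials.
# Prints variable names, profile names and paths only, never key values.
# $1 = home directory to inspect (a parameter so it can point at a test fixture).
aws_cred_sources() {
  base=$1
  vars='AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|AWS_PROFILE'

  # 1. Exported environment variables (these win over the shared files).
  env | sed -En "s/^($vars)=.*/env:\1/p"

  # 2. Profile sections in the shared files that still hold key material.
  for f in "$base/.aws/credentials" "$base/.aws/config"; do
    [ -f "$f" ] || continue
    awk -v f="$f" '
      /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); seen = 0; next }
      /^[ \t]*aws_(access_key_id|secret_access_key|session_token)[ \t]*=/ && !seen {
        print "file:" f ":" sec; seen = 1 }
    ' "$f"
  done

  # 3. Cached SSO tokens and cached temporary credentials (assumed default paths).
  for d in sso/cache cli/cache; do
    n=$(( $(find "$base/.aws/$d" -type f -name '*.json' 2>/dev/null | wc -l) ))
    if [ "$n" -gt 0 ]; then echo "cache:$base/.aws/$d:$n"; fi
  done

  # 4. Shell startup files that would re-export the variables in a new session.
  for rc in .bashrc .zshrc .profile .bash_profile; do
    if grep -Eq "($vars)=" "$base/$rc" 2>/dev/null; then echo "startup:$base/$rc"; fi
  done
  return 0
}

# Empty output means none of the checked sources remain.
aws_cred_sources "${1:-$HOME}"
```

Empty output only says the local sources are clean; a key that was exposed still has to be deactivated or deleted in AWS.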

Summary

  • Start with aws configure list to see where the CLI is getting credentials.
  • Remove the relevant profile from ~/.aws/credentials and ~/.aws/config if needed.
  • Unset any AWS credential environment variables because they override file settings.
  • Run aws sso logout if you use AWS CLI SSO sessions.
  • Verify the result with aws sts get-caller-identity after cleanup.
