The AWS CLI signs requests on your behalf, and includes a date in the signature.

Ensure that your computer's date and time are set correctly; if not, the date in
the signature may not match the date of the request, and AWS rejects the request.

Sections

Quick Configuration
Configuration Settings and Precedence
Configuration and Credential Files
Named Profiles
Environment Variables
Command Line Options
Instance Metadata
Using an HTTP Proxy
Assuming a Role
Command Completion

Quick Configuration
For general use, the aws configure command is the fastest way to set up your AWS
CLI installation.

$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json

The AWS CLI will prompt you for four pieces of information. AWS Access Key ID and
AWS Secret Access Key are your account credentials.

To get the access key ID and secret access key for an IAM user

Access keys consist of an access key ID and secret access key, which are used to
sign programmatic requests that you make to AWS. If you don't have access keys, you
can create them from the AWS Management Console. We recommend that you use IAM
access keys instead of AWS account root user access keys. IAM lets you securely
control access to AWS services and resources in your AWS account.

The only time that you can view or download the secret access keys is when you
create the keys. You cannot recover them later. However, you can create new access
keys at any time. You must also have permissions to perform the required IAM
actions. For more information, see Permissions Required to Access IAM Resources in
the IAM User Guide.

Open the IAM console.

In the navigation pane of the console, choose Users.

Choose your IAM user name (not the check box).

Choose the Security credentials tab and then choose Create access key.

To see the new access key, choose Show. Your credentials will look something like
this:

Access key ID: AKIAIOSFODNN7EXAMPLE

Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

To download the key pair, choose Download .csv file. Store the keys in a secure
location.
Keep the keys confidential in order to protect your AWS account, and never email
them. Do not share them outside your organization, even if an inquiry appears to
come from AWS or Amazon.com. No one who legitimately represents Amazon will ever
ask you for your secret key.

Related topics

What Is IAM? in the IAM User Guide

AWS Security Credentials in AWS General Reference

Default region is the name of the region you want to make calls against by default.
This is usually the region closest to you, but it can be any region. For example,
type us-west-2 to use US West (Oregon).

Note

You must specify an AWS region when using the AWS CLI. For a list of services and
available regions, see Regions and Endpoints. The region designators used by the
AWS CLI are the same names that you see in AWS Management Console URLs and service
endpoints.

Default output format can be either json, text, or table. If you don't specify an
output format, json is used.

If you have multiple profiles, you can configure additional, named profiles by
using the --profile option.

$ aws configure --profile user2
AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE
AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: text

To update any of your settings, simply run aws configure again and enter new values
as appropriate. The next sections contain more information on the files that aws
configure creates, additional settings, and named profiles.

Configuration Settings and Precedence


The AWS CLI uses a provider chain to look for AWS credentials in a number of
different places, including system or user environment variables and local AWS
configuration files.

The AWS CLI looks for credentials and configuration settings in the following
order:

1. Command line options – region, output format and profile can be specified as
   command options to override default settings.

2. Environment variables – AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and
   AWS_SESSION_TOKEN.

3. The AWS credentials file – located at ~/.aws/credentials on Linux, macOS, or Unix,
   or at C:\Users\USERNAME\.aws\credentials on Windows. This file can contain
   multiple named profiles in addition to a default profile.

4. The CLI configuration file – typically located at ~/.aws/config on Linux, macOS, or
   Unix, or at C:\Users\USERNAME\.aws\config on Windows. This file can contain a
   default profile, named profiles, and CLI specific configuration parameters for
   each.

5. Container credentials – provided by Amazon Elastic Container Service on container
   instances when you assign a role to your task.

6. Instance profile credentials – these credentials can be used on EC2 instances with
   an assigned instance role, and are delivered through the Amazon EC2 metadata
   service.
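
When a call runs under unexpected permissions, the usual cause is an earlier source in this order shadowing the one you meant to use. The script below is an added example, not code from AWS: a simplified model of the listed order that names the first source holding credentials without printing any key. It assumes the CLI's AWS_PROFILE, AWS_SHARED_CREDENTIALS_FILE, AWS_CONFIG_FILE and AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variables; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not AWS code): name the first source in the lookup order above
# that holds credentials, without ever printing a key.

# has_profile_key FILE SECTION KEY: succeeds if KEY is assigned inside [SECTION].
has_profile_key() {
    [ -f "$1" ] || return 1
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); insec = ($0 == want); next }
        insec { split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); if (kv[1] == key) found = 1 }
        END { exit !found }
    ' "$1"
}

# credential_source: prints env, credentials-file, config-file, container-role
# or instance-profile-or-none. The profile comes from AWS_PROFILE (assumption:
# an explicit --profile option is not modelled here).
credential_source() (
    profile="${AWS_PROFILE:-default}"
    creds="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    conf="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
    # In the config file, named profiles are headed [profile NAME].
    if [ "$profile" = default ]; then csec=default; else csec="profile $profile"; fi
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo env
    elif has_profile_key "$creds" "$profile" aws_access_key_id; then
        echo credentials-file
    elif has_profile_key "$conf" "$csec" aws_access_key_id; then
        echo config-file
    elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
        echo container-role
    else
        echo instance-profile-or-none
    fi
)

# Constructed sample: throwaway HOME with [default] in the credentials file and
# [profile user2] in the config file, using the page's example key IDs.
demo() (
    HOME=$(mktemp -d) && mkdir "$HOME/.aws" || exit 1
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_PROFILE AWS_CONFIG_FILE \
          AWS_SHARED_CREDENTIALS_FILE AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
    printf '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$HOME/.aws/credentials"
    printf '[profile user2]\naws_access_key_id = AKIAI44QH8DHBEXAMPLE\n' > "$HOME/.aws/config"
    a=$(credential_source)
    b=$(AWS_PROFILE=user2 credential_source)
    c=$(AWS_ACCESS_KEY_ID=x AWS_SECRET_ACCESS_KEY=y credential_source)
    rm -rf "$HOME"
    echo "$a | $b | $c"
)
demo
```

The third case in the demo is the one to watch for in practice: exported key variables left over in a shell win over whatever the files say.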

Creating an IAM User in Your AWS Account


You can create one or more IAM users in your AWS account. You might create an IAM
user when someone joins your team, or when you create a new application that needs
to make API calls to AWS.

Important

If you arrived at this page while trying to enable Amazon Advertising for your
application or website, see Becoming a Product Advertising API Developer.

If you arrived at this page from the IAM console, it is possible that your account
does not include IAM users, even though you are signed in. You could be signed in
as the AWS account root user, using a role, or signed in with temporary
credentials. To learn more about these IAM identities, see Identities (Users,
Groups, and Roles).

Topics

Creating IAM Users (Console)
Creating IAM Users (AWS CLI)
Creating IAM Users (AWS API)

The process of creating a user and enabling that user to perform work tasks
consists of the following steps:

1. Create the user in the AWS Management Console, the AWS CLI, Tools for Windows
   PowerShell, or using an AWS API operation. If you create the user in the AWS
   Management Console, then steps 1–4 are handled automatically, based on your
   choices. If you create the users programmatically, then you must perform each of
   those steps individually.

2. Create credentials for the user, depending on the type of access the user requires:

   - Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or
     use the Tools for Windows PowerShell. In that case, create an access key (access
     key ID and a secret access key) for that user.

   - AWS Management Console access: If the user needs to access the AWS Management
     Console, create a password for the user.

   As a best practice, create only the credentials that the user needs. For example,
   for a user who requires access only through the AWS Management Console, do not
   create access keys.

3. Give the user permissions to perform the required tasks by adding the user to one
   or more groups. You can also grant permissions by attaching permission policies
   directly to the user. However, we recommend instead that you put your users in
   groups and manage permissions through policies that are attached to those groups.
   You can also use a permissions boundary to limit the permissions that a user can
   have, though this is not common.

4. (Optional) Add metadata to the user by attaching tags. For more information about
   using tags in IAM, see Tagging IAM Identities.

5. Provide the user with the necessary sign-in information. This includes the password
   and the console URL for the account sign-in page where the user provides those
   credentials. For more information, see How IAM Users Sign In to AWS.

6. (Optional) Configure multi-factor authentication (MFA) for the user. MFA requires
   the user to provide a one-time-use code each time he or she signs into the AWS
   Management Console.

7. (Optional) Give users permissions to manage their own security credentials. (By
   default, users do not have permissions to manage their own credentials.) For more
   information, see Permitting IAM Users to Change Their Own Passwords.

For information about the permissions that you need in order to create a user, see
Permissions Required to Access IAM Resources.

Creating IAM Users (Console)


You can use the AWS Management Console to create IAM users.

To create one or more IAM users (console)

Sign in to the AWS Management Console and open the IAM console at
https://console.aws.amazon.com/iam/.

In the navigation pane, choose Users and then choose Add user.

Type the user name for the new user. This is the sign-in name for AWS. If you want
to add more than one user at the same time, choose Add another user for each
additional user and type their user names. You can add up to 10 users at one time.

Note

User names can be a combination of up to 64 letters, digits, and these characters:
plus (+), equal (=), comma (,), period (.), at sign (@), and hyphen (-). Names must
be unique within an account. They are not distinguished by case. For example, you
cannot create two users named TESTUSER and testuser. For more information about
limitations on IAM entities, see Limitations on IAM Entities and Objects.

Select the type of access this set of users will have. You can select programmatic
access, access to the AWS Management Console, or both.

Select Programmatic access if the users require access to the API, AWS CLI, or
Tools for Windows PowerShell. This creates an access key for each new user. You can
view or download the access keys when you get to the Final page.

Select AWS Management Console access if the users require access to the AWS
Management Console. This creates a password for each new user.

For Console password, choose one of the following:

Autogenerated password. Each user gets a randomly generated password that meets the
account password policy in effect (if any). You can view or download the passwords
when you get to the Final page.

Custom password. Each user is assigned the password that you type in the box.

(Optional) We recommend that you select Require password reset to ensure that users
are forced to change their password the first time they sign in.

Note

If you have not enabled the account-wide password policy setting Allow users to
change their own password, then selecting Require password reset automatically
attaches an AWS managed policy named IAMUserChangePassword to the new users that
grants them permission to change their own passwords.

Choose Next: Permissions.

On the Set permissions page, specify how you want to assign permissions to this set
of new users. Choose one of the following three options:

Add user to group. Choose this option if you want to assign the users to one or
more groups that already have permissions policies. IAM displays a list of the
groups in your account, along with their attached policies. You can select one or
more existing groups, or choose Create group to create a new group. For more
information, see Changing Permissions for an IAM User.

Copy permissions from existing user. Choose this option to copy all of the group
memberships, attached managed policies, embedded inline policies, and any existing
permissions boundaries from an existing user to the new users. IAM displays a list
of the users in your account. Select the one whose permissions most closely match
the needs of your new users.

Attach existing policies to user directly. Choose this option to see a list of the
AWS managed and customer managed policies in your account. Select the policies that
you want to attach to the new users or choose Create policy to open a new browser
tab and create a new policy from scratch. For more information, see step 4 in the
procedure Creating IAM Policies (Console). After you create the policy, close that
tab and return to your original tab to add the policy to the new user. As a best
practice, we recommend that you instead attach your policies to a group and then
make users members of the appropriate groups.

(Optional) Set a permissions boundary. This is an advanced feature.

Open the Set permissions boundary section and choose Use a permissions boundary to
control the maximum user permissions. IAM displays a list of the AWS managed and
customer managed policies in your account. Select the policy to use for the
permissions boundary or choose Create policy to open a new browser tab and create a
new policy from scratch. For more information, see step 4 in the procedure Creating
IAM Policies (Console). After you create the policy, close that tab and return to
your original tab to select the policy to use for the permissions boundary.

Choose Next: Tagging.

(Optional) Add metadata to the user by attaching tags as key-value pairs. For more
information about using tags in IAM, see Tagging IAM Identities.

Choose Next: Review to see all of the choices you made up to this point. When you
are ready to proceed, choose Create user.

To view the users' access keys (access key IDs and secret access keys), choose Show
next to each password and access key that you want to see. To save the access keys,
choose Download .csv and then save the file to a safe location.

Important

This is your only opportunity to view or download the secret access keys, and you
must provide this information to your users before they can use the AWS API. Save
the user's new access key ID and secret access key in a safe and secure place. You
will not have access to the secret keys again after this step.

Provide each user with his or her credentials. On the final page you can choose
Send email next to each user. Your local mail client opens with a draft that you
can customize and send. The email template includes the following details for each
user:

User name

URL to the account sign-in page. Use the following example, substituting the
correct account ID number or account alias:

https://AWS-account-ID or alias.signin.aws.amazon.com/console

For more information, see How IAM Users Sign In to AWS.

Important

The user's password is not included in the generated email. You must provide them
to the customer in a way that complies with your organization's security
guidelines.

Creating IAM Users (AWS CLI)


You can use the AWS CLI to create an IAM user.

To create an IAM user (AWS CLI)

Create a user.

aws iam create-user

(Optional) Give the user access to the AWS Management Console. This requires a
password. You must also give the user the URL of your account's sign-in page.

aws iam create-login-profile

(Optional) Give the user programmatic access. This requires access keys.

aws iam create-access-key

Tools for Windows PowerShell: New-IAMAccessKey

IAM API: CreateAccessKey

Important

This is your only opportunity to view or download the secret access keys, and you
must provide this information to your users before they can use the AWS API. Save
the user's new access key ID and secret access key in a safe and secure place. You
will not have access to the secret keys again after this step.

Add the user to one or more groups. The groups that you specify should have
attached policies that grant the appropriate permissions for the user.

aws iam add-user-to-group

(Optional) Attach a policy to the user that defines the user's permissions. Note:
We recommend that you manage user permissions by adding the user to a group and
attaching a policy to the group instead of attaching directly to a user.

aws iam attach-user-policy

(Optional) Add custom attributes to the user by attaching tags. For more
information, see Managing Tags on IAM Identities (AWS CLI or AWS API).

(Optional) Give the user permission to manage his or her own security credentials.
For more information, see Allow Users to Manage Their Own Passwords, Access Keys,
and SSH Keys.
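
The CLI steps above, put together for a user who needs programmatic access only. This is an added example, not code from AWS: the function name provision_cli_user and its three arguments are hypothetical, and it assumes the group already exists with the right policies attached. The access key goes straight into an owner-only file because the secret is returned exactly once.

```shell
#!/bin/sh
# Added example (not AWS code): the CLI steps above for a programmatic-only user.
# USER, GROUP and KEYFILE are caller-supplied; no console password is created.

provision_cli_user() (
    user=$1 group=$2 keyfile=$3
    [ -n "$user" ] && [ -n "$group" ] && [ -n "$keyfile" ] || {
        echo "usage: provision_cli_user USER GROUP KEYFILE" >&2; exit 2; }
    # Refuse to overwrite: an existing file may hold a key that cannot be recovered.
    [ ! -e "$keyfile" ] || { echo "refusing to overwrite $keyfile" >&2; exit 1; }
    umask 077          # new key file is readable by its owner only
    set -C             # noclobber: closes the race with the check above

    aws iam create-user --user-name "$user" >/dev/null || exit 1
    # Send the one-time secret straight to the file, never to the terminal.
    aws iam create-access-key --user-name "$user" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text \
        > "$keyfile" || exit 1
    # Permissions come from the group's attached policies, as recommended above.
    aws iam add-user-to-group --user-name "$user" --group-name "$group" || exit 1
    echo "created $user in $group; key pair saved to $keyfile"
)

# Run only when arguments are given, e.g.: sh provision.sh alice Developers ./alice.key
if [ "$#" -ge 3 ]; then provision_cli_user "$@"; fi
```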

Creating IAM Users (AWS API)


You can use the AWS API to create an IAM user.

To create an IAM user (AWS API)

Create a user.

CreateUser

(Optional) Give the user access to the AWS Management Console. This requires a
password. You must also give the user the URL of your account's sign-in page.

CreateLoginProfile

(Optional) Give the user programmatic access. This requires access keys.

CreateAccessKey

Important

This is your only opportunity to view or download the secret access keys, and you
must provide this information to your users before they can use the AWS API. Save
the user's new access key ID and secret access key in a safe and secure place. You
will not have access to the secret keys again after this step.

Add the user to one or more groups. The groups that you specify should have
attached policies that grant the appropriate permissions for the user.

AddUserToGroup

(Optional) Attach a policy to the user that defines the user's permissions. Note:
We recommend that you manage user permissions by adding the user to a group and
attaching a policy to the group instead of attaching directly to a user.

AttachUserPolicy

(Optional) Add custom attributes to the user by attaching tags. For more
information, see Managing Tags on IAM Identities (AWS CLI or AWS API).

(Optional) Give the user permission to manage his or her own security credentials.
For more information, see Allow Users to Manage Their Own Passwords, Access Keys,
and SSH Keys.

list
Description
List the AWS CLI configuration data. This command will show you the current
configuration data. For each configuration item, it will show you the value, where
the configuration value was retrieved, and the configuration variable name. For
example, if you provide the AWS region in an environment variable, this command
will show you the name of the region you've configured, it will tell you that this
value came from an environment variable, and it will tell you the name of the
environment variable.

See 'aws help' for descriptions of global parameters.

Synopsis
aws configure list [--profile profile-name]
Options
None

See 'aws help' for descriptions of global parameters.

Examples
To show your current configuration values:

$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************ABCD      config_file    ~/.aws/config
secret_key     ****************ABCD      config_file    ~/.aws/config
    region                us-west-2              env    AWS_DEFAULT_REGION
