Installing & Configuring the AWS CLI
The AWS CLI (Command Line Interface) is a single tool that lets you control almost every AWS service by typing commands instead of clicking around the web console. Once it is installed and configured, you can create servers, list buckets, or query databases right from your terminal — and you can script those actions so they run the same way every time. This page shows you how to install AWS CLI version 2 (the current, recommended major version) on macOS, Windows, and Linux, and how to wire it up to your AWS account with aws configure.
When to use the CLI (and when not to)
The web console (the point-and-click website at console.aws.amazon.com) is great for learning, exploring, and doing one-off tasks. The CLI is better when you want to repeat an action, automate it, or share the exact steps with a teammate. A command is precise and copy-pasteable; a console screenshot goes stale the moment the UI changes.
| Tool | Best for | Avoid when |
|---|---|---|
| AWS Management Console | Learning, exploring, rare one-off changes | You need repeatability or scripting |
| AWS CLI v2 | Scripting, automation, fast repeatable tasks | You are brand new and unsure what a command will do |
| AWS SDKs | Building applications in a programming language | A simple shell command is enough |
Tip: If you do not want to install anything at all, AWS CloudShell gives you a browser-based terminal with the CLI pre-installed and pre-authenticated. See CloudShell.
Installing AWS CLI v2
AWS CLI v2 ships as a self-contained installer — you do not need Python or pip. Always install v2; the older v1 is no longer recommended.
macOS
Download and run the official package installer:
curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
sudo installer -pkg AWSCLIV2.pkg -target /
Or, if you use Homebrew (a popular macOS package manager):
brew install awscli
Windows
Run the MSI installer from PowerShell:
msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi
Or use the Windows package manager, winget:
winget install -e --id Amazon.AWSCLI
Linux (x86_64)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
On ARM-based Linux (for example a Graviton instance or a Raspberry Pi), swap the URL for awscli-exe-linux-aarch64.zip.
Verify the install
On any OS, confirm it worked:
aws --version
Output:
aws-cli/2.31.4 Python/3.13.4 Linux/6.8.0 exe/x86_64.ubuntu.24
If you see aws-cli/2.x, you are ready. If the command is “not found”, close and reopen your terminal so it picks up the new path.
Configuring credentials with aws configure
Before the CLI can do anything, it needs to know who you are (credentials) and where to work (region). The quickest way to set this up is the interactive aws configure command.
aws configure
It prompts for four values:
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-east-1
Default output format [None]: json
What each value means:
| Prompt | What it is | Example |
|---|---|---|
| Access Key ID | A public-ish identifier for your credentials | AKIAIOSFODNN7EXAMPLE |
| Secret Access Key | The matching password — keep it private | wJalrXUtn...EXAMPLEKEY |
| Default region | The AWS Region (a physical location, e.g. N. Virginia) to use by default | us-east-1 |
| Default output | How results are printed — json, text, table, or yaml | json |
Test that it works by asking AWS who you are:
aws sts get-caller-identity
Output:
{
    "UserId": "AIDAEXAMPLE1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/devcraftly-cli"
}
If you get an identity back, your CLI is connected to your account.
Where credentials are stored
aws configure writes two plain-text files in a hidden folder in your home directory:
~/.aws/credentials # access key id + secret access key
~/.aws/config # default region + output format
On Windows the folder is %USERPROFILE%\.aws\. These files are not encrypted — they are readable text. You can have more than one set of credentials by using named profiles (covered in CLI profiles).
Gotcha: avoid long-lived access keys
This is the single most important security point on this page. An access key you type into aws configure is a long-lived credential — it works forever until you manually delete it. Because it sits in a plain-text file on your laptop, it is the most commonly leaked AWS secret in the world: people accidentally commit ~/.aws/credentials to GitHub, paste it into chat, or leave it on a stolen machine. Attackers scan public repositories for these keys within seconds.
Warning: Long-lived IAM access keys are the #1 source of AWS account compromise. Prefer temporary credentials that expire automatically.
The modern, recommended approach is IAM Identity Center (formerly AWS SSO — Single Sign-On). Instead of storing a permanent secret, you log in through your browser and the CLI receives short-lived credentials that expire (often after a few hours). Set it up once:
aws configure sso
This walks you through your sign-in URL and stores a session token instead of a permanent key. When the session expires, you simply run aws sso login again. There is no long-lived secret on disk to leak.
If you must use access keys (for example a quick personal sandbox), treat them like passwords: never commit them, rotate them regularly, and delete unused ones in the IAM console.
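To check a machine for the two risks described above (a plain-text credentials file that other local accounts can read, and long-lived keys stored in it), a short audit script is enough. This is an added example, not part of the original page: the function name audit_aws_credentials and its finding labels are hypothetical, and the ASIA key ID in the sample is constructed. It relies on AWS's documented key-ID prefixes, AKIA for long-term IAM user keys and ASIA for temporary STS credentials.

```shell
#!/bin/sh
# Added example: audit a shared credentials file for the two risks described above.
# Usage: audit_aws_credentials [FILE]   (default: ~/.aws/credentials)
# Returns 0 if clean, 1 if there are findings, 2 if the file does not exist.
audit_aws_credentials() {
    file="${1:-$HOME/.aws/credentials}"
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    findings=0

    # Characters 5-10 of the ls mode string are the group/other permission bits;
    # anything other than "------" lets another local account read the keys.
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "PERMS $mode $file"
        findings=1
    fi

    # AKIA key IDs are long-term IAM user keys; ASIA key IDs are temporary STS
    # credentials. Only the profile name is printed, never the key material.
    long_lived=$(awk '
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); profile = $0; next }
        /^[ \t]*aws_access_key_id[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            if ($0 ~ /^AKIA/) print "LONG_LIVED_KEY profile=" profile
        }' "$file")
    if [ -n "$long_lived" ]; then
        echo "$long_lived"
        findings=1
    fi
    return "$findings"
}

# Constructed sample file (documentation example values, not real credentials).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[sandbox]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = CONSTRUCTED-PLACEHOLDER
aws_session_token = CONSTRUCTED-PLACEHOLDER
EOF
chmod 644 "$sample"
audit_aws_credentials "$sample" || echo "exit status: $?"
rm -f "$sample"
```

Called with no argument, the function audits ~/.aws/credentials; a LONG_LIVED_KEY finding names a profile to move to aws configure sso or to rotate.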
Best Practices
- Install AWS CLI v2 only; it is self-contained and does not need Python or pip.
- Prefer IAM Identity Center / aws configure sso or other temporary credentials over long-lived access keys.
- Never commit ~/.aws/credentials to Git — add .aws/ and *.pem to your global gitignore as a safety net.
- Give CLI credentials the least privilege they need; do not use root account keys (the root user should have no access keys at all).
- Rotate any long-lived access keys regularly and delete keys you no longer use from the IAM console.
- Set a sensible default region with aws configure set region us-east-1 so commands do not fail with “must specify a region”.
- Run aws sts get-caller-identity whenever you are unsure which account or identity the CLI is using.