

# Configuring settings for the AWS CLI
<a name="cli-chap-configure"></a>

This section explains how to configure the settings that the AWS Command Line Interface (AWS CLI) uses to interact with AWS. These include the following:
+ **Credentials** identify who is calling the API. Access credentials are used to encrypt the request to the AWS servers to confirm your identity and retrieve associated permissions policies. These permissions determine the actions you can perform. For information on setting up your credentials, see [Authentication and access credentials for the AWS CLI](cli-chap-authentication.md).
+ **Other configuration details** to tell the AWS CLI how to process requests, such as the default output format and the default AWS Region.

**Note**  
AWS requires that all incoming requests are cryptographically signed. The AWS CLI does this for you. The "signature" includes a date/time stamp. Therefore, you must ensure that your computer's date and time are set correctly. If you don't, and the date/time in the signature is too far off of the date/time recognized by the AWS service, AWS rejects the request.

## Configuration and credentials precedence
<a name="configure-precedence"></a>

Credentials and configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. Certain locations take precedence over others. The AWS CLI credentials and configuration settings take precedence in the following order:

1. **[Command line options](cli-configure-options.md)** – Overrides settings in any other location, such as the `--region`, `--output`, and `--profile` parameters.

1. **[Environment variables](cli-configure-envvars.md)** – You can store values in your system's environment variables.

1. **[Assume role](cli-configure-role.md)** – Assume the permissions of an IAM role through configuration or the [`aws sts assume-role`](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) command.

1. **[Assume role with web identity](cli-configure-role.md)** – Assume the permissions of an IAM role using web identity through configuration or the [`aws sts assume-role-with-web-identity`](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html) command.

1. **[AWS IAM Identity Center](cli-configure-files.md)** – The IAM Identity Center configuration settings stored in the `config` file are updated when you run the `aws configure sso` command. Credentials are then authenticated when you run the `aws sso login` command. The `config` file is located at `~/.aws/config` on Linux or macOS, or at `C:\Users\USERNAME\.aws\config` on Windows. 

1. **[Credentials file](cli-configure-files.md)** – The `credentials` and `config` files are updated when you run the command `aws configure`. The `credentials` file is located at `~/.aws/credentials` on Linux or macOS, or at `C:\Users\USERNAME\.aws\credentials` on Windows.

1. **[Custom process](cli-configure-sourcing-external.md)** – Get your credentials from an external source.

1. **[Configuration file](cli-configure-files.md)** – The `credentials` and `config` files are updated when you run the command `aws configure`. The `config` file is located at `~/.aws/config` on Linux or macOS, or at `C:\Users\USERNAME\.aws\config` on Windows.

1. **[Container credentials](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html)** – You can associate an IAM role with each of your Amazon Elastic Container Service (Amazon ECS) task definitions. Temporary credentials for that role are then available to that task's containers. For more information, see [IAM Roles for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide*.

1. **[Amazon EC2 instance profile credentials](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html)** – You can associate an IAM role with each of your Amazon Elastic Compute Cloud (Amazon EC2) instances. Temporary credentials for that role are then available to code running in the instance. The credentials are delivered through the Amazon EC2 metadata service. For more information, see [IAM Roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) in the *Amazon EC2 User Guide* and [Using Instance Profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) in the *IAM User Guide*.

## Additional topics in this section
<a name="configure-topics"></a>
+ [Configuration and credential file settings in the AWS CLI](cli-configure-files.md)
+ [Configuring environment variables for the AWS CLI](cli-configure-envvars.md)
+ [Command line options in the AWS CLI](cli-configure-options.md)
+ [Configuring command completion in the AWS CLI](cli-configure-completion.md)
+ [AWS CLI retries in the AWS CLI](cli-configure-retries.md)
+ [Using an HTTP proxy for the AWS CLI](cli-configure-proxy.md)

# Configuration and credential file settings in the AWS CLI
<a name="cli-configure-files"></a>

You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI. 

The files are divided into `profiles`. By default, the AWS CLI uses the settings found in the profile named `default`. To use alternate settings, you can create and reference additional profiles.

You can override an individual setting by either setting one of the supported environment variables, or by using a command line parameter. For more information on configuration setting precedence, see [Configuring settings for the AWS CLI](cli-chap-configure.md).

**Note**  
For information on setting up your credentials, see [Authentication and access credentials for the AWS CLI](cli-chap-authentication.md).

**Topics**
+ [Format of the configuration and credential files](#cli-configure-files-format)
+ [Where are configuration settings stored?](#cli-configure-files-where)
+ [Using named profiles](#cli-configure-files-using-profiles)
+ [Set and view configuration settings using commands](#cli-configure-files-methods)
+ [Setting new configuration and credentials command examples](#cli-configure-files-examples)
+ [Supported `config` file settings](#cli-configure-files-settings)

## Format of the configuration and credential files
<a name="cli-configure-files-format"></a>

The `config` and `credentials` files are organized into sections. Sections include *profiles*, *sso-sessions*, and *services*. A section is a named collection of settings, and continues until another section definition line is encountered. Multiple profiles and sections can be stored in the `config` and `credentials` files.

These files are plaintext files that use the following format:
+ Section names are enclosed in brackets [ ] such as `[default]`, `[profile user1]`, and `[sso-session]`.
+ All entries in a section take the general form of `setting_name=value`. 
+ Lines can be commented out by starting the line with a hash character (`#`). 

**The `config` and `credentials` files contain the following section types:**
+ [`profile`](#cli-configure-files-format-profile)
+ [`sso-session`](#cli-configure-files-format-sso-session)
+ [`services`](#cli-configure-files-format-services)

### Section type: `profile`
<a name="cli-configure-files-format-profile"></a>

Depending on the file, profile section names use the following format:
+ **Config file:** `[default]` `[profile user1]`
+ **Credentials file:** `[default]` `[user1]`

  Do ***not*** use the word `profile` when creating an entry in the `credentials` file.

Each profile can specify different credentials and can also specify different AWS Regions and output formats. When naming the profile in a `config` file, include the prefix word "`profile`", but do not include it in the `credentials` file.

The following examples show a `credentials` and `config` file with two profiles, region, and output specified. The first, *[default]*, is used when you run an AWS CLI command with no profile specified. The second is used when you run an AWS CLI command with the `--profile user1` parameter.

------
#### [ IAM Identity Center (SSO) ]

This example is for AWS IAM Identity Center. For more information, see [Configuring IAM Identity Center authentication with the AWS CLI](cli-configure-sso.md).

**Credentials file**

The `credentials` file is not used for this authentication method.

**Config file**

```
[default]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = readOnly
region = us-west-2
output = text

[profile user1]
sso_session = my-sso
sso_account_id = 444455556666
sso_role_name = readOnly
region = us-east-1
output = json

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```

------
#### [ IAM Identity Center (Legacy SSO) ]

This example is for the legacy method of AWS IAM Identity Center. For more information, see [Configuring IAM Identity Center authentication with the AWS CLI](cli-configure-sso.md).

**Credentials file**

The `credentials` file is not used for this authentication method.

**Config file**

```
[default]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111122223333
sso_role_name = readOnly
region = us-west-2
output = text

[profile user1]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
sso_account_id = 444455556666
sso_role_name = readOnly
region = us-east-1
output = json
```

------
#### [ Short-term credentials ]

This example is for the short-term credentials from AWS Identity and Access Management. For more information, see [Authenticating with short-term credentials for the AWS CLI](cli-authentication-short-term.md).

**Credentials file**

```
[default]
aws_access_key_id=ASIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE

[user1]
aws_access_key_id=ASIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
aws_session_token = fcZib3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE
```

**Config file**

```
[default]
region=us-west-2
output=json

[profile user1]
region=us-east-1
output=text
```

------
#### [ IAM role ]

This example is for assuming an IAM role. Profiles that use IAM roles pull credentials from another profile, and then apply IAM role permissions. In the following examples, `default` is the source profile for credentials and `user1` borrows the same credentials then assumes a new role. For more information, see [Using an IAM role in the AWS CLI](cli-configure-role.md).

**Credentials file**

The `credentials` file depends on what authentication your source profile uses. For the following example, the source profile uses short-term credentials.

```
[default]
aws_access_key_id=ASIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE
```

**Config file**

```
[default]
region=us-west-2
output=json

[profile user1]
role_arn=arn:aws:iam::777788889999:role/user1role
source_profile=default
role_session_name=session_user1
region=us-east-1
output=text
```

------
#### [ Amazon EC2 instance metadata credentials ]

This example is for the credentials obtained from the hosting Amazon EC2 instance metadata. For more information, see [Using Amazon EC2 instance metadata as credentials in the AWS CLI](cli-configure-metadata.md).

**Credentials file**

The `credentials` file is not used for this authentication method.

**Config file**

```
[default]
role_arn=arn:aws:iam::123456789012:role/defaultrole
credential_source=Ec2InstanceMetadata
region=us-west-2
output=json

[profile user1]
role_arn=arn:aws:iam::777788889999:role/user1role
credential_source=Ec2InstanceMetadata
region=us-east-1
output=text
```

------
#### [ Long-term credentials ]

**Warning**  
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).

This example is for the long-term credentials from AWS Identity and Access Management. For more information, see [Authenticating using IAM user credentials for the AWS CLI](cli-authentication-user.md).

**Credentials file**

```
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
```

**Config file**

```
[default]
region=us-west-2
output=json

[profile user1]
region=us-east-1
output=text
```

------

For more information and additional authorization and credential methods, see [Authenticating using IAM user credentials for the AWS CLI](cli-authentication-user.md).

### Section type: `sso-session`
<a name="cli-configure-files-format-sso-session"></a>

The `sso-session` section of the `config` file is used to group configuration variables for acquiring SSO access tokens, which can then be used to acquire AWS credentials. The following settings are used:
+ **(Required)** `sso_start_url`
+ **(Required)** `sso_region`
+ `sso_account_id`
+ `sso_role_name`
+ `sso_registration_scopes`

You define an `sso-session` section and associate it to a profile. `sso_region` and `sso_start_url` must be set within the `sso-session` section. Typically, `sso_account_id` and `sso_role_name` must be set in the `profile` section so that the SDK can request SSO credentials. 

The following example configures the SDK to request SSO credentials and supports automated token refresh: 

```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
```

This also allows `sso-session` configurations to be reused across multiple profiles: 

```
[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole

[profile prod]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = SampleRole2

[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
```

However, `sso_account_id` and `sso_role_name` aren't required for all scenarios of SSO token configuration. If your application only uses AWS services that support bearer authentication, then traditional AWS credentials are not needed. Bearer authentication is an HTTP authentication scheme that uses security tokens called bearer tokens. In this scenario, `sso_account_id` and `sso_role_name` aren't required. See the individual guide for your AWS service to determine if it supports bearer token authorization.

Additionally, registration scopes can be configured as part of a `sso-session`. Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes, and the access token issued to the application will be limited to the scopes granted. These scopes define the permissions requested to be authorized for the registered OIDC client and access tokens retrieved by the client. The following example sets `sso_registration_scopes` to provide access for listing accounts/roles: 

```
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_registration_scopes = sso:account:access
```

The authentication token is cached to disk under the `~/.aws/sso/cache` directory with a filename based on the session name.

For more information on this configuration type, see [Configuring IAM Identity Center authentication with the AWS CLI](cli-configure-sso.md).
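The naming and required-setting rules above can be checked mechanically. The following audit is an added example, not part of the AWS CLI: it flags a `profile` prefix in the `credentials` file, a missing prefix in the `config` file, long-term (`AKIA`) keys, temporary (`ASIA`) keys with no session token, secrets kept in `config`, and `sso_session` references or `sso-session` sections that are incomplete. The function names, finding labels, and sample file contents are assumptions constructed for illustration.

```python
import configparser

REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region")  # marked Required on the page


def parse_sections(text):
    """Parse AWS-style INI text into {section name: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def key_findings(filename, section, settings):
    """Classify an access key by the prefixes used in the page's examples."""
    findings = []
    key_id = settings.get("aws_access_key_id", "")
    if key_id.startswith("AKIA"):  # long-term IAM user key
        findings.append((filename, section, "long-term-access-key"))
    if key_id.startswith("ASIA") and "aws_session_token" not in settings:
        findings.append((filename, section, "temporary-key-without-session-token"))
    return findings


def audit(credentials_text, config_text):
    """Return (file, section, finding) tuples in file order."""
    findings = []
    for section, settings in parse_sections(credentials_text).items():
        if section.startswith("profile "):
            findings.append(("credentials", section, "profile-prefix-in-credentials-file"))
        findings += key_findings("credentials", section, settings)

    config = parse_sections(config_text)
    sso_sessions = {name.partition(" ")[2].strip()
                    for name in config if name.startswith("sso-session ")}
    for section, settings in config.items():
        kind = section.partition(" ")[0]
        if kind == "sso-session":
            for key in REQUIRED_SSO_KEYS:
                if key not in settings:
                    findings.append(("config", section, f"missing-{key}"))
            continue
        if kind == "services":
            continue
        if section != "default" and kind != "profile":
            findings.append(("config", section, "missing-profile-prefix"))
        if "aws_secret_access_key" in settings:
            findings.append(("config", section, "secret-in-config-file"))
        findings += key_findings("config", section, settings)
        ref = settings.get("sso_session")
        if ref and ref not in sso_sessions:
            findings.append(("config", section, "undefined-sso-session"))
    return findings


# Constructed sample input; the key values are the documentation placeholders.
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[profile user1]
aws_access_key_id=ASIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
"""

SAMPLE_CONFIG = """
[default]
region = us-west-2

[user1]
region = us-east-1

[profile dev]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = readOnly

[profile ops]
sso_session = other-sso

[sso-session my-sso]
sso_region = us-east-1
"""

if __name__ == "__main__":
    for filename, section, finding in audit(SAMPLE_CREDENTIALS, SAMPLE_CONFIG):
        print(f"{filename:11} [{section}] {finding}")
```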

### Section type: `services`
<a name="cli-configure-files-format-services"></a>

The `services` section is a group of settings that configures custom endpoints for AWS service requests. A profile then is linked to a `services` section. 

```
[profile dev]
services = my-services
```

The `services` section is separated into subsections by `<SERVICE> = ` lines, where `<SERVICE>` is the AWS service identifier key. The AWS service identifier is based on the API model’s `serviceId` by replacing all spaces with underscores and lowercasing all letters. For a list of all service identifier keys to use in the `services` section, see [Using endpoints in the AWS CLI](cli-configure-endpoints.md). The service identifier key is followed by nested settings with each on its own line and indented by two spaces. 

The following example configures the endpoint to use for requests made to the Amazon DynamoDB service in the *my-services* section that is used in the *dev* profile. Any immediately following lines that are indented are included in that subsection and apply to that service. 

```
[profile dev]
services = my-services

[services my-services]
dynamodb = 
  endpoint_url = http://localhost:8000
```

For more information on service-specific endpoints, see [Using endpoints in the AWS CLI](cli-configure-endpoints.md).

If your profile has role-based credentials configured through a `source_profile` parameter for IAM assume role functionality, the SDK only uses service configurations for the specified profile. It does not use profiles that are role chained to it. For example, using the following shared `config` file: 

```
[profile A]
credential_source = Ec2InstanceMetadata
endpoint_url = https://profile-a-endpoint.aws/

[profile B]
source_profile = A
role_arn = arn:aws:iam::123456789012:role/roleB
services = profileB

[services profileB]
ec2 = 
  endpoint_url = https://profile-b-ec2-endpoint.aws
```

 If you use profile `B` and make a call in your code to Amazon EC2, the endpoint resolves as `https://profile-b-ec2-endpoint.aws`. If your code makes a request to any other service, the endpoint resolution will not follow any custom logic. The endpoint does not resolve to the global endpoint defined in profile `A`. For a global endpoint to take effect for profile `B`, you would need to set `endpoint_url` directly within profile `B`. 
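An endpoint override decides where signed requests are sent, so it is worth knowing exactly which one applies to a profile. The following is an added example, not AWS CLI code: `resolve_endpoint` models only the config-file rules described above (service-specific setting first, then the profile's own `endpoint_url`, never the `source_profile`), and `endpoint_inventory` lists every override and marks plaintext `http://` endpoints on non-loopback hosts. The function names and the `[services local-dev]` section are constructed for illustration; environment variables and command line options are not modelled.

```python
import configparser
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_sections(text):
    """Parse AWS-style INI text into {section name: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def nested_settings(value):
    """Turn the indented lines under '<service> =' into a dict."""
    settings = {}
    for line in value.splitlines():
        if "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings


def resolve_endpoint(config_text, profile, service):
    """Return (url, origin) for the override that applies, or None."""
    sections = parse_sections(config_text)
    name = "default" if profile == "default" else f"profile {profile}"
    settings = sections.get(name, {})
    services_ref = settings.get("services")
    if services_ref:
        block = sections.get(f"services {services_ref}", {})
        nested = nested_settings(block.get(service.lower(), ""))
        if "endpoint_url" in nested:
            return nested["endpoint_url"], f"[services {services_ref}] {service.lower()}"
    if "endpoint_url" in settings:
        return settings["endpoint_url"], f"[{name}]"
    return None  # source_profile is deliberately not consulted


def endpoint_inventory(config_text):
    """List (section, service, url, plaintext_remote) for every override."""
    rows = []
    for section, settings in parse_sections(config_text).items():
        candidates = []
        if section.startswith("services "):
            for service, value in settings.items():
                url = nested_settings(value).get("endpoint_url")
                if url:
                    candidates.append((service, url))
        elif "endpoint_url" in settings:
            candidates.append((None, settings["endpoint_url"]))
        for service, url in candidates:
            parts = urlsplit(url)
            plaintext_remote = parts.scheme == "http" and parts.hostname not in LOOPBACK
            rows.append((section, service, url, plaintext_remote))
    return rows


# The page's shared config file, followed by a constructed services section.
SAMPLE_CONFIG = """
[profile A]
credential_source = Ec2InstanceMetadata
endpoint_url = https://profile-a-endpoint.aws/

[profile B]
source_profile = A
role_arn = arn:aws:iam::123456789012:role/roleB
services = profileB

[services profileB]
ec2 =
  endpoint_url = https://profile-b-ec2-endpoint.aws

[services local-dev]
dynamodb =
  endpoint_url = http://localhost:8000
s3 =
  endpoint_url = http://storage.internal.example:9000
"""

if __name__ == "__main__":
    for profile, service in [("B", "ec2"), ("B", "s3"), ("A", "s3")]:
        print(profile, service, resolve_endpoint(SAMPLE_CONFIG, profile, service))
    for row in endpoint_inventory(SAMPLE_CONFIG):
        print(row)
```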

## Where are configuration settings stored?
<a name="cli-configure-files-where"></a>

The AWS CLI stores sensitive credential information that you specify with `aws configure` in a local file named `credentials`, in a folder named `.aws` in your home directory. The less sensitive configuration options that you specify with `aws configure` are stored in a local file named `config`, also stored in the `.aws` folder in your home directory. 

**Storing credentials in the config file**  
You can keep all of your profile settings in a single file as the AWS CLI can read credentials from the `config` file. If there are credentials in both files for a profile sharing the same name, the keys in the credentials file take precedence. We suggest keeping credentials in the `credentials` files. These files are also used by the various language software development kits (SDKs). If you use one of the SDKs in addition to the AWS CLI, confirm if the credentials should be stored in their own file.

Where you find your home directory location varies based on the operating system, but is referred to using the environment variables `%UserProfile%` in Windows and `$HOME` or `~` (tilde) in Unix-based systems. You can specify a non-default location for the files by setting the `AWS_CONFIG_FILE` and `AWS_SHARED_CREDENTIALS_FILE` environment variables to another local path. See [Configuring environment variables for the AWS CLI](cli-configure-envvars.md) for details. 

When you use a shared profile that specifies an AWS Identity and Access Management (IAM) role, the AWS CLI calls the AWS STS `AssumeRole` operation to retrieve temporary credentials. These credentials are then stored (in `~/.aws/cli/cache`). Subsequent AWS CLI commands use the cached temporary credentials until they expire, and at that point the AWS CLI automatically refreshes the credentials.
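Because the `credentials` file and both cache directories hold usable secrets in plaintext, their file permissions matter on shared hosts. The following check is an added example, not part of the AWS CLI: it resolves the file locations described above, honoring `AWS_CONFIG_FILE` and `AWS_SHARED_CREDENTIALS_FILE`, and reports anything that group or other users can access. It assumes a POSIX system, and the function names are constructed for illustration.

```python
import os
import stat
from pathlib import Path


def sensitive_paths(home, env):
    """Locations this page names for settings, credentials, and cached tokens."""
    aws_dir = Path(home) / ".aws"
    return [
        Path(env.get("AWS_SHARED_CREDENTIALS_FILE") or aws_dir / "credentials"),
        Path(env.get("AWS_CONFIG_FILE") or aws_dir / "config"),
        aws_dir / "cli" / "cache",   # cached AssumeRole credentials
        aws_dir / "sso" / "cache",   # cached IAM Identity Center tokens
    ]


def exposed_files(home, env):
    """Return (path, octal mode) for entries accessible to group or others."""
    findings = []
    for root in sensitive_paths(home, env):
        if not root.exists():
            continue
        targets = [root]
        if root.is_dir():
            targets += sorted(root.rglob("*"))
        for path in targets:
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((str(path), oct(mode)))
    return findings


if __name__ == "__main__":
    for path, mode in exposed_files(Path.home(), os.environ):
        print(f"{mode}  {path}")
```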

## Using named profiles
<a name="cli-configure-files-using-profiles"></a>

If no profile is explicitly defined, the `default` profile is used.

To use a named profile, add the `--profile profile-name` option to your command. The following example lists all of your Amazon EC2 instances using the credentials and settings defined in the `user1` profile.

```
$ aws ec2 describe-instances --profile user1
```

To use a named profile for multiple commands, you can avoid specifying the profile in every command by setting the `AWS_PROFILE` environment variable as the default profile. You can override this setting by using the `--profile` parameter.

------
#### [ Linux or macOS ]

```
$ export AWS_PROFILE=user1
```

------
#### [ Windows ]

```
C:\> setx AWS_PROFILE user1
```

Using [`set`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/set_1) to set an environment variable changes the value used until the end of the current command prompt session, or until you set the variable to a different value. 

Using [`setx`](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/setx) to set an environment variable changes the value in all command shells that you create after running the command. It does ***not*** affect any command shell that is already running at the time you run the command. Close and restart the command shell to see the effects of the change.

Setting the environment variable changes the default profile until the end of your shell session, or until you set the variable to a different value. You can make environment variables persistent across future sessions by putting them in your shell's startup script. For more information, see [Configuring environment variables for the AWS CLI](cli-configure-envvars.md).

------

## Set and view configuration settings using commands
<a name="cli-configure-files-methods"></a>

There are several ways to view and set your configuration settings using commands.

**[`aws configure`](https://docs.aws.amazon.com/cli/v1/reference/configure/index.html)**  
Run this command to quickly set and view your credentials, Region, and output format. The following example shows sample values.  

```
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
```

**[`aws configure set`](https://docs.aws.amazon.com/cli/v1/reference/configure/set.html)**  
You can set any credentials or configuration settings using `aws configure set`. Specify the profile that you want to view or modify with the `--profile` setting.   
For example, the following command sets the `region` in the profile named `integ`.  

```
$ aws configure set region us-west-2 --profile integ
```
To remove a setting, manually delete the setting in your `config` and `credentials` files in a text editor.

**[`aws configure get`](https://docs.aws.amazon.com/cli/v1/reference/configure/get.html)**  
You can retrieve any credentials or configuration settings you've set using `aws configure get`. Specify the profile that you want to view or modify with the `--profile` setting.   
For example, the following command retrieves the `region` setting in the profile named `integ`.  

```
$ aws configure get region --profile integ
us-west-2
```
If the output is empty, the setting is not explicitly set and uses the default value.

**[`aws configure import`](https://docs.aws.amazon.com/cli/latest/reference/reference/configure/import.html)**  
Import `CSV` credentials generated from the IAM web console. This is not for credentials generated from IAM Identity Center; customers who use IAM Identity Center should use `aws configure sso`. A CSV file is imported with the profile name matching the username. The CSV file must contain the following headers.  
+ User Name
+ Access key ID
+ Secret access key
During initial key pair creation, once you close the **Download .csv file** dialog box, you cannot access your secret access key again. If you need a `.csv` file, you must create one yourself with the required headers and your stored key pair information. If you do not have access to your key pair information, you need to create a new key pair.

```
$ aws configure import --csv file://credentials.csv
```

**[`aws configure list`](https://docs.aws.amazon.com/cli/v1/reference/configure/list.html)**  
To list configuration data, use the `aws configure list` command. This command lists the profile, access key, secret key, and region configuration information used for the specified profile. For each configuration item, it shows the value, where the configuration value was retrieved, and the configuration variable name.  
For example, if you provide the AWS Region in an environment variable, this command shows you the name of the region you've configured, that this value came from an environment variable, and the name of the environment variable.   
For temporary credential methods such as roles and IAM Identity Center, this command displays the temporarily cached access key and secret access key.  

```
$ aws configure list
NAME       : VALUE                : TYPE                    : LOCATION
profile    : <not set>            : None                    : None
access_key : ****************ABCD : shared-credentials-file : 
secret_key : ****************ABCD : shared-credentials-file : 
region     : us-west-2            : env                     : AWS_DEFAULT_REGION
```

**[`aws configure list-profiles`](https://docs.aws.amazon.com/cli/v1/reference/configure/list-profiles.html)**  
To list all your profile names, use the `aws configure list-profiles` command.  

```
$ aws configure list-profiles
default
test
```

**`aws configure mfa-login`**  
Run this command to configure a new profile to use with multi-factor authentication (MFA) and your IAM user credentials in the specified profile. If no profile is specified, the MFA is based on the `default` profile. If no default profile is configured, the `mfa-login` command prompts you for your AWS credentials before asking for your MFA information. The following command example uses your default configuration and creates an MFA profile.  

```
$ aws configure mfa-login
MFA serial number or ARN: arn:aws:iam::123456789012:mfa/MFADeviceName
MFA token code: 123456
Profile to update [session-MFADeviceName]:
Temporary credentials written to profile 'session-MFADeviceName'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile session-MFADeviceName when running AWS CLI commands
```
To update an existing profile, use the `--update-profile` parameter.  

```
$ aws configure mfa-login --profile myprofile --update-profile mfaprofile
MFA token code: 123456
Temporary credentials written to profile 'mfaprofile'
Credentials will expire at 2023-05-19 18:06:10 UTC
To use these credentials, specify --profile mfaprofile when running AWS CLI commands
```
This command currently supports only hardware or software based one-time password (OTP) authenticators. Passkeys and U2F devices are not currently supported with this command.  
For more information on using MFA with IAM, see [AWS Multi-factor authentication in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) in the *AWS Identity and Access Management User Guide*.

**`aws configure sso`**  
Run this command to quickly set and view your AWS IAM Identity Center credentials, Region, and output format. The following example shows sample values.  

```
$ aws configure sso
SSO session name (Recommended): my-sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [None]: sso:account:access
```

**`aws configure sso-session`**  
Run this command to quickly set and view your AWS IAM Identity Center credentials, Region, and output format in the `sso-session` section of the `credentials` and `config` files. The following example shows sample values.  

```
$ aws configure sso-session
SSO session name: my-sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [None]: sso:account:access
```

**`aws configure export-credentials`**  
Run this command to export currently set credentials in the specified format. By default, the command exports the default credentials in the `process` format, which is a JSON format supported by the AWS SDKs and Tools credential format.   

```
$ aws configure export-credentials
{
  "Version": 1,
  "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
```
To export a specific profile and format, use the `--profile` and `--format` options. The format options are as follows:  
+ **(default)** **`process`** ‐ The JSON format supported by the AWS SDKs and Tools `credential_process` configuration.
+ **`env`** ‐ Environment variables in exported shell format.
+ **`env-no-export`** ‐ Non-exported environment variables in shell format.
+ **`powershell`** ‐ Environment variables in PowerShell format.
+ **`windows-cmd`** ‐ Environment variables in Windows Command Line format.
The following example exports the `user1` profile to an exported shell format.  

```
$ aws configure export-credentials --profile user1 --format env
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

## Setting new configuration and credentials command examples
<a name="cli-configure-files-examples"></a>

The following examples show configuring a default profile with credentials, region, and output specified for different authentication methods.

------
#### [ Console sessions as short-term credentials ]

This example lets you use your existing console credentials with the `aws login` command. This sign in method can be used with root credentials created during initial account set up, an IAM user, or a federated identity from your identity provider. For more information, see [Login for AWS local development using console credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sign-in.html).

```
$ aws login
No AWS region has been configured. The AWS region is the geographic location of your AWS resources. 

If you've used AWS before and already have resources in your account, tell us which region they were 
created in. If you haven't created resources in your account before, you can pick the region closest to you: 
https://docs.aws.amazon.com/global-infrastructure/latest/regions/aws-regions.html. You are able to change 
the region in the CLI at any time with the command `aws configure set region NEW_REGION`.

AWS Region [us-east-1]: us-east-1
Attempting to open the login page for `us-east-1` in your default browser. If the browser does not open, 
use the following URL to complete your login:

https://us-east-1.signin.aws.amazon.com/v1/authorize<abbreviated>

If you cannot connect to this URL, make sure that you have specified a valid region.

Waiting for login...

Logged in with role `arn:aws:sts::012345678910:user/iam-user`, and configured profile 
`default` to use `us-east-1`. This session will expire on October 14, 2025 at 2:04 PST. After this time, you 
can renew your session with `aws login`.
```

------
#### [ IAM Identity Center (SSO) ]

This example is for AWS IAM Identity Center using the `aws configure sso` wizard. For more information, see [Configuring IAM Identity Center authentication with the AWS CLI](cli-configure-sso.md).

```
$ aws configure sso
SSO session name (Recommended): my-sso
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]:us-east-1

Attempting to automatically open the SSO authorization page in your default browser.

There are 2 AWS accounts available to you.
> DeveloperAccount, developer-account-admin@example.com (111122223333) 
  ProductionAccount, production-account-admin@example.com (444455556666)

Using the account ID 111122223333

There are 2 roles available to you.
> ReadOnly
  FullAccess

Using the role name "ReadOnly"

CLI default client Region [None]: us-west-2
CLI default output format [None]: json
CLI profile name [123456789011_ReadOnly]: user1
```

------
#### [ IAM Identity Center (Legacy SSO) ]

This example is for the legacy method of AWS IAM Identity Center using the `aws configure sso` wizard. To use the legacy SSO, leave the session name blank. For more information, see [Configuring IAM Identity Center authentication with the AWS CLI](cli-configure-sso.md).

```
$ aws configure sso
SSO session name (Recommended):
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]:us-east-1

SSO authorization page has automatically been opened in your default browser.
Follow the instructions in the browser to complete this authorization request.

There are 2 AWS accounts available to you.
> DeveloperAccount, developer-account-admin@example.com (111122223333) 
  ProductionAccount, production-account-admin@example.com (444455556666)

Using the account ID 111122223333

There are 2 roles available to you.
> ReadOnly
  FullAccess

Using the role name "ReadOnly"

CLI default client Region [None]: us-west-2
CLI default output format [None]: json
CLI profile name [123456789011_ReadOnly]: user1
```

------
#### [ Short-term credentials ]

This example is for the short-term credentials from AWS Identity and Access Management. The `aws configure` wizard is used to set initial values and then the `aws configure set` command assigns the last value needed. For more information, see [Authenticating with short-term credentials for the AWS CLI](cli-authentication-short-term.md).

```
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
$ aws configure set aws_session_token fcZib3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE
```

------
#### [ IAM role ]

This example is for assuming an IAM role. Profiles that use IAM roles pull credentials from another profile, and then apply IAM role permissions. In the following example, `default` is the source profile for credentials, and `user1` borrows the same credentials and then assumes a new role. There is no wizard for this process, so each value is set using the `aws configure set` command. For more information, see [Using an IAM role in the AWS CLI](cli-configure-role.md).

```
$ aws configure set role_arn arn:aws:iam::123456789012:role/defaultrole
$ aws configure set source_profile default
$ aws configure set role_session_name session_user1
$ aws configure set region us-west-2
$ aws configure set output json
```

------
#### [ Amazon EC2 instance metadata credentials ]

This example is for the credentials obtained from the hosting Amazon EC2 instance metadata. There is no wizard for this process, so each value is set using the `aws configure set` command. For more information, see [Using Amazon EC2 instance metadata as credentials in the AWS CLI](cli-configure-metadata.md).

```
$ aws configure set role_arn arn:aws:iam::123456789012:role/defaultrole
$ aws configure set credential_source Ec2InstanceMetadata
$ aws configure set region us-west-2
$ aws configure set output json
```

------
#### [ Long-term credentials ]

**Warning**  
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).

This example is for the long-term credentials from AWS Identity and Access Management. For more information, see [Authenticating using IAM user credentials for the AWS CLI](cli-authentication-user.md).

```
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
```

------

## Supported `config` file settings
<a name="cli-configure-files-settings"></a>

**Topics**
+ [Global settings](#cli-configure-files-global)
+ [S3 Custom command settings](#cli-configure-files-s3)

The following settings are supported in the `config` file. The values listed in the specified (or default) profile are used unless they are overridden by the presence of an environment variable with the same name, or a command line option with the same name. For more information on what order settings take precedence, see [Configuring settings for the AWS CLI](cli-chap-configure.md).

### Global settings
<a name="cli-configure-files-global"></a>

**`account_id_endpoint_mode`**  
Specifies whether to use AWS account-based endpoint IDs for calls to supported AWS services. For more information on account-based endpoints, see [Account-based endpoints](cli-configure-endpoints.md#endpoints-accountid).  
This setting can be set to the following:  
+ **(default)** **`preferred`** – The endpoint should include account ID if available. 
+ **`disabled`** – A resolved endpoint doesn't include account ID. 
+ **`required`** – The endpoint must include account ID. If the account ID isn't available, the SDK throws an error.
Can be overridden by the `AWS_ACCOUNT_ID_ENDPOINT_MODE` environment variable. To use account-based endpoints, the ID must be set in the `AWS_ACCOUNT_ID` environment variable or `aws_account_id` setting.  

```
account_id_endpoint_mode = preferred
```
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`aws_access_key_id`**  
Specifies the AWS access key used as part of the credentials to authenticate the command request. Although this can be stored in the `config` file, we recommend that you store this in the `credentials` file.   
Can be overridden by the `AWS_ACCESS_KEY_ID` environment variable. You can't specify the access key ID as a command line option.  

```
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
```

**`aws_account_id`**  
Specifies the AWS account-based endpoint ID to use for calls to supported AWS services. For more information on account-based endpoints, see [Account-based endpoints](cli-configure-endpoints.md#endpoints-accountid).  
Can be overridden by the `AWS_ACCOUNT_ID` environment variable. The `AWS_ACCOUNT_ID_ENDPOINT_MODE` environment variable or `account_id_endpoint_mode` setting must be set to `preferred` or `required` to use this setting.  

```
aws_account_id = 123456789EXAMPLE
```
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`aws_secret_access_key`**  
Specifies the AWS secret key used as part of the credentials to authenticate the command request. Although this can be stored in the `config` file, we recommend that you store this in the `credentials` file.   
Can be overridden by the `AWS_SECRET_ACCESS_KEY` environment variable. You can't specify the secret access key as a command line option.  

```
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

**`aws_session_token`**  
Specifies an AWS session token. A session token is required only if you manually specify temporary security credentials. Although this can be stored in the `config` file, we recommend that you store this in the `credentials` file.   
Can be overridden by the `AWS_SESSION_TOKEN` environment variable. You can't specify the session token as a command line option.  

```
aws_session_token = AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4Olgk
```

**`ca_bundle`**  
Specifies a CA certificate bundle (a file with the `.pem` extension) that is used to verify SSL certificates.  
Can be overridden by the `AWS_CA_BUNDLE` environment variable or the `--ca-bundle` command line option.  

```
ca_bundle = dev/apps/ca-certs/cabundle-2019mar05.pem
```

**`cli_auto_prompt`**  
Enables the auto-prompt for the AWS CLI version 2. There are two settings that can be used:  
+ **`on`** uses the full auto-prompt mode each time you attempt to run an `aws` command. This includes pressing **ENTER** after either a complete or an incomplete command.

  ```
  cli_auto_prompt = on
  ```
+ **`on-partial`** uses partial auto-prompt mode. If a command is incomplete or cannot be run due to client-side validation errors, auto-prompt is used. This mode is particularly useful if you have pre-existing scripts or runbooks, or if you only want to be auto-prompted for commands you are unfamiliar with rather than prompted on every command.

  ```
  cli_auto_prompt = on-partial
  ```
You can override this setting by using the `AWS_CLI_AUTO_PROMPT` environment variable or the `--cli-auto-prompt` and `--no-cli-auto-prompt` command line parameters.  
For information on the AWS CLI version 2 auto-prompt feature, see [Enabling and using command prompts in the AWS CLI](cli-usage-parameters-prompting.md).

**`cli_binary_format`**  
Specifies how the AWS CLI version 2 interprets binary input parameters. It can be one of the following values:  
+ **base64** – This is the default value. An input parameter that is typed as a binary large object (BLOB) accepts a base64-encoded string. To pass true binary content, put the content in a file and provide the file's path and name with the `fileb://` prefix as the parameter's value. To pass base64-encoded text contained in a file, provide the file's path and name with the `file://` prefix as the parameter's value.
+ **raw-in-base64-out** – Default for the AWS CLI version 1. If the setting's value is `raw-in-base64-out`, files referenced using the `file://` prefix are read as text and then the AWS CLI attempts to encode the content to binary.
This entry does not have an equivalent environment variable. You can specify the value on a single command by using the `--cli-binary-format raw-in-base64-out` parameter.  

```
cli_binary_format = raw-in-base64-out
```
If you reference a binary value in a file using the `fileb://` prefix notation, the AWS CLI *always* expects the file to contain raw binary content and does not attempt to convert the value.   
If you reference a binary value in a file using the `file://` prefix notation, the AWS CLI handles the file according to the current `cli_binary_format` setting. If that setting's value is `base64` (the default when not explicitly set), the AWS CLI expects the file to contain base64-encoded text. If that setting's value is `raw-in-base64-out`, the AWS CLI expects the file to contain raw binary content.

**`cli_help_output`**  
As of version `2.31.0`, the display for the `help` command is configured by the `cli_help_output` setting, which has the following values:  
+ **(default)** `terminal` ‐ Open the man page in the terminal.
+ `browser` ‐ Open the man page as a local HTML file in your default browser. A notice is printed to your terminal when your default browser is being opened, and an error message is printed if the AWS CLI cannot open your browser.
+ `url` ‐ Print the URL to the online AWS CLI Reference Guide for the version of the AWS CLI you have installed. Settings for client-side paging, such as the `AWS_PAGER` environment variable, are respected.

```
cli_help_output = browser
```
For more information on the `help` command, see [Accessing help and resources for the AWS CLI](cli-usage-help.md).

**`cli_history`**  
Disabled by default. This setting enables command history for the AWS CLI. After enabling this setting, the AWS CLI records the history of `aws` commands.  

```
cli_history = enabled
```
You can list your history using the `aws history list` command, and use the resulting `command_ids` in the `aws history show` command for details. For more information see [https://docs.aws.amazon.com/cli/latest/reference/history/index.html](https://docs.aws.amazon.com/cli/latest/reference/history/index.html) in the *AWS CLI reference guide*.

**`cli_pager`**  
Specifies the pager program used for output. By default, AWS CLI version 2 returns all output through your operating system’s default pager program.  
Can be overridden by the `AWS_PAGER` environment variable.  

```
cli_pager=less
```

**`cli_timestamp_format`**  
Specifies the output format of timestamp values. You can specify either of the following values:  
+ **iso8601** – The default value for the AWS CLI version 2. If specified, the AWS CLI reformats all timestamps in the output according to [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html). ISO 8601 formatted timestamps look like the following examples. The following example demonstrates how the time is formatted by separating the date and time with a `T` and including a `Z` after the time.

  ```
  YYYY-MM-DDThh:mm:ssZ
  ```

  The following example shows a timestamp using the previous formatting.

  ```
  2024-05-08T15:16:43Z
  ```
+ **wire** – The default value for the AWS CLI version 1. If specified, the AWS CLI displays all timestamp values exactly as received in the HTTP query response. 
This setting does not have an equivalent environment variable or command line option. This setting does not alter timestamp inputs, only output formatting.  

```
cli_timestamp_format = iso8601
```

**`credential_process`**  
Specifies an external command that the AWS CLI runs to generate or retrieve authentication credentials to use for this command. The command must return the credentials in a specific format. For more information about how to use this setting, see [Sourcing credentials with an external process in the AWS CLI](cli-configure-sourcing-external.md).  
This entry does not have an equivalent environment variable or command line option.  

```
credential_process = /opt/bin/awscreds-retriever --username susan
```

**`credential_source`**  
Used within Amazon EC2 instances or containers to specify where the AWS CLI can find credentials to use to assume the role you specified with the `role_arn` parameter. You cannot specify both `source_profile` and `credential_source` in the same profile.  
This parameter can have one of three values:  
+ **Environment** – Specifies that the AWS CLI is to retrieve source credentials from environment variables.
+ **Ec2InstanceMetadata** – Specifies that the AWS CLI is to use the IAM role attached to the [EC2 instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) to get source credentials.
+ **EcsContainer** – Specifies that the AWS CLI is to use the IAM role attached to the ECS container as source credentials.

```
credential_source = Ec2InstanceMetadata
```

**`duration_seconds`**  
Specifies the maximum duration of the role session, in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role (which can be a maximum of 43200). This is an optional parameter and by default, the value is set to 3600 seconds.

**`endpoint_url`**  
Specifies the endpoint that is used for all service requests. If this setting is used in the [`services`](#cli-configure-files-format-services) section of the `config` file, then the endpoint is used only for the specified service. For more information, see [Set global endpoint for all AWS services](cli-configure-endpoints.md#endpoints-global).  
The following example uses the global endpoint `http://localhost:1234` and a service-specific endpoint of `http://localhost:4567` for Amazon S3.  

```
[profile dev]
endpoint_url = http://localhost:1234
services = s3-specific

[services s3-specific]
s3 = 
  endpoint_url = http://localhost:4567
```
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`ignore_configure_endpoint_urls`**  
If enabled, the AWS CLI ignores all custom endpoint configurations specified in the `config` file. Valid values are `true` and `false`.  

```
ignore_configure_endpoint_urls = true
```
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`external_id`**  
Specifies a unique identifier that is used by third parties to assume a role in their customers' accounts. This maps to the `ExternalId` parameter in the `AssumeRole` operation. This parameter is needed only if the trust policy for the role specifies a value for `ExternalId`. For more information, see [How to use an external ID when granting access to your AWS resources to a third party ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) in the *IAM User Guide*.

**`max_attempts`**  
Specifies a value of maximum retry attempts the AWS CLI retry handler uses, where the initial call counts toward the `max_attempts` value that you provide.   
You can override this value by using the `AWS_MAX_ATTEMPTS` environment variable.  

```
max_attempts = 3
```

**`mfa_serial`**  
The identification number of an MFA device to use when assuming a role. This is mandatory only if the trust policy of the role being assumed includes a condition that requires MFA authentication. The value can be either a serial number for a hardware device (such as `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual MFA device (such as `arn:aws:iam::123456789012:mfa/user`).

**`output`**  
Specifies the default output format for commands requested using this profile. You can specify any of the following values:  
+ **[`json`](cli-usage-output-format.md#json-output)** – The output is formatted as a [JSON](https://json.org/) string.
+ **[`yaml`](cli-usage-output-format.md#yaml-output)** – The output is formatted as a [YAML](https://yaml.org/) string.
+ **[`yaml-stream`](cli-usage-output-format.md#yaml-stream-output)** – The output is streamed and formatted as a [YAML](https://yaml.org/) string. Streaming allows for faster handling of large data types.
+ **[`text`](cli-usage-output-format.md#text-output)** – The output is formatted as multiple lines of tab-separated string values. This can be useful to pass the output to a text processor, like `grep`, `sed`, or `awk`.
+ **[`table`](cli-usage-output-format.md#table-output)** – The output is formatted as a table using the characters `+|-` to form the cell borders. It typically presents the information in a "human-friendly" format that is much easier to read than the others, but not as programmatically useful.
+ **[`off`](cli-usage-output-format.md#off-output)** – The output suppresses all command output to stdout. This is useful in automation scripts and CI/CD pipelines where you only need to check the command's exit code without processing the output.
Can be overridden by the `AWS_DEFAULT_OUTPUT` environment variable or the `--output` command line option.  

```
output = table
```

**`parameter_validation`**  
Specifies whether the AWS CLI client attempts to validate parameters before sending them to the AWS service endpoint.  
+ **true** – This is the default value. If specified, the AWS CLI performs local validation of command line parameters.
+ **false** – If specified, the AWS CLI does not validate command line parameters before sending them to the AWS service endpoint.
This entry does not have an equivalent environment variable or command line option.  

```
parameter_validation = false
```

**`region`**  
Specifies the AWS Region to send requests to for commands requested using this profile.  
+ You can specify any of the Region codes available for the chosen service as listed in [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*.
+ `aws_global` enables you to specify the global endpoint for services that support a global endpoint in addition to Regional endpoints, such as AWS Security Token Service (AWS STS) and Amazon Simple Storage Service (Amazon S3).
You can override this value by using the `AWS_REGION` environment variable, `AWS_DEFAULT_REGION` environment variable, or the `--region` command line option.  

```
region = us-west-2
```

**`request_checksum_calculation`**  
Specifies when a checksum is calculated for request payloads, and has the following options:   
+ `when_supported` – **(Default)** The request payload checksum is calculated when an operation either specifies a checksum algorithm in its service model or requires request checksums.
+ `when_required` – The request payload checksum is calculated when an operation requires request checksums or when a user provides a `requestAlgorithmMember` that is modeled by the AWS service.

```
request_checksum_calculation = when_supported
```
The environment variable [`AWS_REQUEST_CHECKSUM_CALCULATION`](cli-configure-envvars.md#envvars-list-AWS_REQUEST_CHECKSUM_CALCULATION) overrides this setting.

**`response_checksum_validation`**  
Specifies when checksum validation is performed for response payloads, and has the following options:   
+ `when_supported` – **(Default)** The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports.
+ `when_required` – The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports, and you set the modeled `requestValidationModeMember` to `ENABLED` in the operation input.

```
response_checksum_validation = when_supported
```
The environment variable [`AWS_RESPONSE_CHECKSUM_VALIDATION`](cli-configure-envvars.md#envvars-list-AWS_RESPONSE_CHECKSUM_VALIDATION) overrides this setting.

**`retry_mode`**  
Specifies which retry mode AWS CLI uses. There are three retry modes available: `standard` (default), `legacy` (default), and `adaptive`. For more information on retries, see [AWS CLI retries in the AWS CLI](cli-configure-retries.md).  
You can override this value by using the `AWS_RETRY_MODE` environment variable.  

```
retry_mode = standard
```

**`role_arn`**  
Specifies the Amazon Resource Name (ARN) of an IAM role that you want to use to run the AWS CLI commands. You must also specify one of the following parameters to identify the credentials that have permission to assume this role:  
+ source_profile
+ credential_source

```
role_arn = arn:aws:iam::123456789012:role/role-name
```
The environment variable [`AWS_ROLE_ARN`](cli-configure-envvars.md#envvars-list-AWS_ROLE_ARN) overrides this setting.  
For more information on using web identities, see [Assume role with web identity](cli-configure-role.md#cli-configure-role-oidc).

**`role_session_name`**  
Specifies the name to attach to the role session. This value is provided to the `RoleSessionName` parameter when the AWS CLI calls the `AssumeRole` operation, and becomes part of the assumed role user ARN: `arn:aws:sts::123456789012:assumed-role/role_name/role_session_name`. This is an optional parameter. If you do not provide this value, a session name is generated automatically. This name appears in AWS CloudTrail logs for entries associated with this session.  

```
role_session_name = maria_garcia_role
```
The environment variable [`AWS_ROLE_SESSION_NAME`](cli-configure-envvars.md#envvars-list-AWS_ROLE_SESSION_NAME) overrides this setting.  
For more information on using web identities, see [Assume role with web identity](cli-configure-role.md#cli-configure-role-oidc).

**`services`**  
Specifies the service configuration to use for your profile.   

```
[profile dev-s3-specific-and-global]
endpoint_url = http://localhost:1234
services = s3-specific

[services s3-specific]
s3 = 
  endpoint_url = http://localhost:4567
```
For more information on the `services` section, see [Section type: `services`](#cli-configure-files-format-services).  
The environment variable [`AWS_ROLE_SESSION_NAME`](cli-configure-envvars.md#envvars-list-AWS_ROLE_SESSION_NAME) overrides this setting.  
For more information on using web identities, see [Assume role with web identity](cli-configure-role.md#cli-configure-role-oidc).

**`sdk_ua_app_id`**  
A single AWS account can be used by multiple customer applications to make calls to AWS services. Application ID identifies which source application made a set of calls using an AWS service. AWS SDKs and services don't use or interpret this value other than to surface it back in customer communications. For example, this value can be included in operational emails to uniquely identify which of your applications is associated with the notification.  
The Application ID is a string with maximum length of 50 characters. Letters, numbers and the following special characters are allowed: ``! $ % & * + - . , ^ _ ` | ~``. By default, no value is assigned.  

```
sdk_ua_app_id = prod1
```
This setting can be overwritten by using the [`AWS_SDK_UA_APP_ID`](cli-configure-envvars.md#envvars-list-AWS_SDK_UA_APP_ID) environment variable. You can't set this value as a command line parameter.

**`sigv4a_signing_region_set`**  
Specifies the regions to use when signing with SigV4a using a comma-delimited list. If this variable is not set, the AWS CLI uses the default used by the AWS service. If the AWS service has no default, the request signature becomes valid in all regions using a value of `*`.  

```
sigv4a_signing_region_set = us-west-2, us-east-1
```
For more information on SigV4a, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.  
This setting can be overwritten by using the [`AWS_SIGV4A_SIGNING_REGION_SET`](cli-configure-envvars.md#envvars-list-AWS_SIGV4A_SIGNING_REGION_SET) environment variable. You can't set this value as a command line parameter.

**`source_profile`**  
Specifies a named profile with long-term credentials that the AWS CLI can use to assume a role that you specified with the `role_arn` parameter. You cannot specify both `source_profile` and `credential_source` in the same profile.  

```
source_profile = production-profile
```
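The constraints this reference states for profiles can be checked statically: credentials belong in the `credentials` file, `source_profile` and `credential_source` are mutually exclusive, `role_arn` needs a credential source, `duration_seconds` is bounded, and a `*` SigV4a region set makes a signature valid in every Region. The following is an added example, not AWS code; the sample file, the finding codes, the loopback exemption, and the plaintext `http://` endpoint check are assumptions of this example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample `config` file (not from the page); values reuse the page's placeholders.
SAMPLE_CONFIG = """\
[default]
region = us-west-2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[profile user1]
role_arn = arn:aws:iam::123456789012:role/defaultrole
source_profile = default
credential_source = Ec2InstanceMetadata
duration_seconds = 86400

[profile orphan]
role_arn = arn:aws:iam::123456789012:role/role-name

[profile dev]
endpoint_url = http://localhost:1234
services = s3-specific
sigv4a_signing_region_set = *

[profile ok]
role_arn = arn:aws:iam::123456789012:role/role-name
source_profile = default
duration_seconds = 3600

[services s3-specific]
s3 =
  endpoint_url = http://storage.example.internal:4567
"""

SECRET_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")
CREDENTIAL_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumption: local test endpoints are fine


def _plaintext_remote(url):
    """True for an http:// endpoint whose host is not loopback."""
    parsed = urlparse(url.strip())
    return parsed.scheme == "http" and parsed.hostname not in LOOPBACK


def _nested_settings(value):
    """Yield (key, value) pairs from an indented sub-section such as `s3 =`."""
    for line in value.splitlines():
        if "=" in line:
            key, _, val = line.partition("=")
            yield key.strip(), val.strip()


def audit_config(text):
    """Return a sorted list of (section, finding_code) tuples for a config file."""
    parser = configparser.RawConfigParser()  # no %-interpolation of secret values
    parser.read_string(text)
    findings = set()
    for section in parser.sections():
        opts = dict(parser.items(section))
        if section.startswith("services "):
            # Service-specific endpoints live in indented blocks under each service.
            for body in opts.values():
                for key, val in _nested_settings(body):
                    if key == "endpoint_url" and _plaintext_remote(val):
                        findings.add((section, "plaintext-endpoint"))
            continue
        if any(key in opts for key in SECRET_KEYS):
            # The reference recommends the `credentials` file for these values.
            findings.add((section, "secret-in-config"))
        has_source = "source_profile" in opts
        has_cred_source = "credential_source" in opts
        if has_source and has_cred_source:
            findings.add((section, "source-profile-and-credential-source"))
        # Web identity profiles pair role_arn with web_identity_token_file instead.
        if "role_arn" in opts and not (
                has_source or has_cred_source or "web_identity_token_file" in opts):
            findings.add((section, "role-without-source"))
        if has_cred_source and opts["credential_source"] not in CREDENTIAL_SOURCES:
            findings.add((section, "unknown-credential-source"))
        if "duration_seconds" in opts:
            value = opts["duration_seconds"].strip()
            seconds = int(value) if value.isdigit() else -1
            if not 900 <= seconds <= 43200:
                findings.add((section, "duration-out-of-range"))
        if "endpoint_url" in opts and _plaintext_remote(opts["endpoint_url"]):
            findings.add((section, "plaintext-endpoint"))
        if opts.get("sigv4a_signing_region_set", "").strip() == "*":
            findings.add((section, "sigv4a-all-regions"))
    return sorted(findings)


if __name__ == "__main__":
    for section, code in audit_config(SAMPLE_CONFIG):
        print(f"[{section}] {code}")
```

Run it against the text of a `config` file; pointing it at the `credentials` file would report every stored key as `secret-in-config`, which is expected there.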

**`sso_account_id`**  
Specifies the AWS account ID that contains the IAM role with the permission that you want to grant to the associated IAM Identity Center user.  
This setting does not have an environment variable or command line option.  

```
sso_account_id = 123456789012
```

**`sso_region`**  
Specifies the AWS Region that contains the AWS access portal host. This is separate from, and can be a different Region than the default CLI `region` parameter.  
This setting does not have an environment variable or command line option.  

```
sso_region = us-west-2
```

**`sso_registration_scopes`**  
A comma-delimited list of scopes to be authorized for the `sso-session`. Scopes authorize access to IAM Identity Center bearer token authorized endpoints. A valid scope is a string, such as `sso:account:access`. This setting isn't applicable to the legacy non-refreshable configuration.  

```
sso_registration_scopes = sso:account:access
```

**`sso_role_name`**  
Specifies the friendly name of the IAM role that defines the user's permissions when using this profile.   
This setting does not have an environment variable or command line option.  

```
sso_role_name = ReadAccess
```

**`sso_start_url`**  
Specifies the URL that points to the organization's AWS access portal. The AWS CLI uses this URL to establish a session with the IAM Identity Center service to authenticate its users. To find your AWS access portal URL, use one of the following:  
+ Open your invitation email. The AWS access portal URL is listed there.
+ Open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/). The AWS access portal URL is listed in your settings.
This setting does not have an environment variable or command line option.   

```
sso_start_url = https://my-sso-portal.awsapps.com/start
```

**`use_dualstack_endpoint`**  
Enables the use of dual-stack endpoints to send AWS requests. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon Simple Storage Service User Guide*. Dual-stack endpoints are available for some services in some regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. Valid settings are `true` and `false`. This is disabled by default. For more information, see [Set to use dual-stack endpoints for all AWS services](cli-configure-endpoints.md#endpoints-dual-stack).  
 This is mutually exclusive with the `use_accelerate_endpoint` setting.  
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`use_fips_endpoint`**  
Some AWS services offer endpoints that support [Federal Information Processing Standard (FIPS) 140-2](http://aws.amazon.com/compliance/fips/) in some AWS Regions. When the AWS service supports FIPS, this setting specifies what FIPS endpoint the AWS CLI should use. Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that complies with FIPS 140-2. These endpoints might be required by enterprises that interact with the United States government. For more information, see [Set to use FIPs endpoints for all AWS services](cli-configure-endpoints.md#endpoints-fips).  
If this setting is enabled, but a FIPS endpoint does not exist for the service in your AWS Region, the AWS command may fail. In this case, manually specify the endpoint to use in the command using the `--endpoint-url` option or use [service-specific endpoints](cli-configure-endpoints.md#endpoints-service-specific).  
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`web_identity_token_file`**  
Specifies the path to a file that contains an OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. The AWS CLI loads the contents of this file and passes it as the `WebIdentityToken` argument to the `AssumeRoleWithWebIdentity` operation.  
The environment variable `AWS_WEB_IDENTITY_TOKEN_FILE` overrides this setting.  
For more information on using web identities, see [Assume role with web identity](cli-configure-role.md#cli-configure-role-oidc).

**`tcp_keepalive`**  
Specifies whether the AWS CLI client uses TCP keep-alive packets.  
This entry does not have an equivalent environment variable or command line option.  

```
tcp_keepalive = false
```

### S3 Custom command settings
<a name="cli-configure-files-s3"></a>

Amazon S3 supports several settings that configure how the AWS CLI performs Amazon S3 operations. Some apply to all S3 commands in both the `s3api` and `s3` namespaces. Others are specifically for the S3 "custom" commands that abstract common operations and do more than a one-to-one mapping to an API operation. The `aws s3` transfer commands `cp`, `sync`, `mv`, and `rm` have additional settings you can use to control S3 transfers. 

All of these options can be configured by specifying the `s3` nested setting in your `config` file. Each setting is then indented on its own line. 

**Note**  
These settings are entirely optional. You should be able to successfully use the `aws s3` transfer commands without configuring any of these settings. These settings are provided to enable you to tune for performance or to account for the specific environment where you are running these `aws s3` commands.

These settings are all set under a top-level `s3` key in the `config` file, as shown in the following example for the `development` profile.

```
[profile development]
s3 =
  max_concurrent_requests = 20
  max_queue_size = 10000
  multipart_threshold = 64MB
  multipart_chunksize = 16MB
  max_bandwidth = 50MB/s
  use_accelerate_endpoint = true
  addressing_style = path
```

The following settings apply to any S3 command in the `s3` or `s3api` namespaces.

**`addressing_style`**  
Specifies which addressing style to use. This controls whether the bucket name is in the hostname or is part of the URL. Valid values are: `path`, `virtual`, and `auto`. The default value is `auto`.  
There are two styles of constructing an Amazon S3 endpoint. The first is called `virtual` and includes the bucket name as part of the hostname. For example: `https://bucketname.s3.amazonaws.com`. Alternatively, with the `path` style, you treat the bucket name as if it is a path in the URI; for example, `https://s3.amazonaws.com/bucketname`. The default value in the CLI is to use `auto`, which attempts to use the `virtual` style where it can, but will fall back to `path` style when required. For example, if your bucket name is not DNS compatible, the bucket name cannot be part of the hostname and must be in the path. With `auto`, the CLI will detect this condition and automatically switch to `path` style for you. If you set the addressing style to `path`, you must then ensure that the AWS Region you configured in the AWS CLI matches the Region of your bucket.

**`payload_signing_enabled`**  
Specifies whether to SHA256 sign SigV4 payloads. By default, this is set to `false` (disabled) for streaming uploads (`UploadPart` and `PutObject`), but only if a `ContentMD5` is present (it is generated by default) and the endpoint uses HTTPS.  
If set to true, S3 requests receive additional content validation in the form of a SHA256 checksum which is calculated for you and included in the request signature. If set to false, the checksum isn't calculated. Disabling this can be useful to reduce the performance overhead created by the checksum calculation. 

**`use_accelerate_endpoint`**  
Use the Amazon S3 Accelerate endpoint for all `s3` and `s3api` commands. The default value is false. This is mutually exclusive with the `use_dualstack_endpoint` setting.   
If set to true, the AWS CLI directs all Amazon S3 requests to the `S3 Accelerate` endpoint at `s3-accelerate.amazonaws.com`. To use this endpoint, you must enable your bucket to use `S3 Accelerate`. All requests are sent using the virtual style of bucket addressing: `my-bucket.s3-accelerate.amazonaws.com`. Any `ListBuckets`, `CreateBucket`, and `DeleteBucket` requests aren't sent to the S3 Accelerate endpoint as that endpoint doesn't support those operations. This behavior can also be set if the `--endpoint-url` parameter is set to `https://s3-accelerate.amazonaws.com` or `http://s3-accelerate.amazonaws.com` for any `s3` or `s3api` command.

**`use_dualstack_endpoint`**  
Enables the use of dual-stack endpoints to send `s3` and `s3api` requests. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon Simple Storage Service User Guide*. Dual-stack endpoints are available for some services in some regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. Valid settings are `true` and `false`. This is disabled by default. For more information, see [Set to use dual-stack endpoints for all AWS services](cli-configure-endpoints.md#endpoints-dual-stack).  
 This is mutually exclusive with the `use_accelerate_endpoint` setting.

**`disable_s3_express_session_auth`**  
Whether to disable Amazon S3 Express session authentication for `s3` and `s3api` commands. The value must be a boolean. Defaults to false. If set to true, client will NOT use Amazon S3 Express session authentication. If set to false, default behavior will be used for determining whether to use Amazon S3 Express session authentication.  
You can override this setting by using the `AWS_S3_DISABLE_EXPRESS_SESSION_AUTH` environment variable.

The following settings apply only to commands in the `s3` namespace command set.

**`max_bandwidth`**  
Specifies the maximum bandwidth that can be consumed for uploading and downloading data to and from Amazon S3. The default is no limit.  
This limits the maximum bandwidth that the S3 commands can use to transfer data to and from Amazon S3. This value applies to only uploads and downloads; it doesn't apply to copies or deletes. The value is expressed as bytes per second. The value can be specified as:  
+ An integer. For example, `1048576` sets the maximum bandwidth usage to 1 megabyte per second. 
+ An integer followed by a rate suffix. You can specify rate suffixes using: `KB/s`, `MB/s`, or `GB/s`. For example, `300KB/s`, `10MB/s`. 
In general, we recommend that you first try to lower bandwidth consumption by lowering `max_concurrent_requests`. If that doesn't adequately limit bandwidth consumption to the desired rate, you can use the `max_bandwidth` setting to further limit bandwidth consumption. This is because `max_concurrent_requests` controls how many threads are currently running. If you instead first lower `max_bandwidth` but leave a high `max_concurrent_requests` setting, it can result in threads having to wait unnecessarily. This can lead to excess resource consumption and connection timeouts.

**`max_concurrent_requests`**  
Specifies the maximum number of concurrent requests. The default value is 10.  
The `aws s3` transfer commands are multithreaded. At any given time, multiple Amazon S3 requests can be running. For example, when you use the command `aws s3 cp localdir s3://bucket/ --recursive` to upload files to an S3 bucket, the AWS CLI can upload the files `localdir/file1`, `localdir/file2`, and `localdir/file3` in parallel. The setting `max_concurrent_requests` specifies the maximum number of transfer operations that can run at the same time.   
You might need to change this value for a few reasons:  
+ Decreasing this value – On some environments, the default of 10 concurrent requests can overwhelm a system. This can cause connection timeouts or slow the responsiveness of the system. Lowering this value makes the S3 transfer commands less resource intensive. The tradeoff is that S3 transfers can take longer to complete. Lowering this value might be necessary if you use a tool to limit bandwidth. 
+ Increasing this value – In some scenarios, you might want the Amazon S3 transfers to complete as quickly as possible, using as much network bandwidth as necessary. In this scenario, the default number of concurrent requests might not be sufficient to use all of the available network bandwidth. Increasing this value can improve the time it takes to complete an Amazon S3 transfer.

**`max_queue_size`**  
Specifies the maximum number of tasks in the task queue. The default value is 1000.  
The AWS CLI internally uses a model where it queues up Amazon S3 tasks that are then executed by consumers whose numbers are limited by `max_concurrent_requests`. A task generally maps to a single Amazon S3 operation. For example, a task could be a `PutObjectTask`, or a `GetObjectTask`, or an `UploadPartTask`. The rate at which tasks are added to the queue can be much faster than the rate at which consumers finish the tasks. To avoid unbounded growth, the task queue size is capped to a specific size. This setting changes the value of that maximum number.  
You generally don't need to change this setting. This setting also corresponds to the number of tasks that the AWS CLI is aware of that need to be run. This means that by default the AWS CLI can only see 1000 tasks ahead. Increasing this value means that the AWS CLI can more quickly know the total number of tasks needed, assuming that the queuing rate is quicker than the rate of task completion. The tradeoff is that a larger `max_queue_size` requires more memory.

**`multipart_chunksize`**  
Specifies the chunk size that the AWS CLI uses for multipart transfers of individual files. The default value is 8 MB, with a minimum of 5 MB.  
When a file transfer exceeds the `multipart_threshold`, the AWS CLI divides the file into chunks of this size. This value can be specified using the same syntax as `multipart_threshold`, either as the number of bytes as an integer, or by using a size and a suffix.

**`multipart_threshold`**  
Specifies the size threshold the AWS CLI uses for multipart transfers of individual files. The default value is 8 MB.  
When uploading, downloading, or copying a file, the Amazon S3 commands switch to multipart operations if the file exceeds this size. You can specify this value in one of two ways:  
+ The file size in bytes. For example, `1048576`.
+ The file size with a size suffix. You can use `KB`, `MB`, `GB`, or `TB`. For example: `10MB`, `1GB`. 
**Note**  
S3 can impose constraints on valid values that can be used for multipart operations. For more information, see the [S3 Multipart Upload documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html) in the *Amazon Simple Storage Service User Guide*.
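
The following check is an added example, not code from the AWS CLI. It reads the nested `s3` block of a profile and reports the conflicts and limits described above: the mutually exclusive endpoint settings, the 5 MB minimum chunk size, and the size and rate syntax. The sample profile is constructed, and treating suffix case as insignificant is an assumption of this example.

```python
import configparser
import math
import re

UNITS = {"": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}
MIN_CHUNKSIZE = 5 * 1024**2   # "minimum of 5 MB" for multipart_chunksize
SIZE_RE = re.compile(r"(\d+)(KB|MB|GB|TB)?", re.IGNORECASE)        # 1048576, 16MB
RATE_RE = re.compile(r"(\d+)(?:(KB|MB|GB)/s)?", re.IGNORECASE)     # 1048576, 50MB/s

# Constructed sample: a development profile with two deliberate mistakes.
SAMPLE_CONFIG = """\
[profile development]
region = us-west-2
s3 =
  max_concurrent_requests = 20
  multipart_threshold = 64MB
  multipart_chunksize = 1MB
  max_bandwidth = 50MB/s
  use_accelerate_endpoint = true
  use_dualstack_endpoint = true
  addressing_style = path
"""


def to_bytes(text, pattern=SIZE_RE):
    """Convert a byte count or suffixed value to an integer number of bytes."""
    match = pattern.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognized value {text!r}")
    return int(match.group(1)) * UNITS[(match.group(2) or "").upper()]


def s3_settings(config_text, profile):
    """Return the indented key/value pairs under the profile's top-level s3 key."""
    parser = configparser.RawConfigParser()   # no % interpolation
    parser.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    # The indented lines arrive as one multi-line value of the "s3" option.
    nested = parser.get(section, "s3", fallback="")
    settings = {}
    for line in nested.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def lint(settings):
    """Return a list of human-readable findings; empty means nothing to report."""
    findings = []

    def enabled(key):
        return settings.get(key, "false").lower() == "true"

    if enabled("use_accelerate_endpoint") and enabled("use_dualstack_endpoint"):
        findings.append("use_accelerate_endpoint and use_dualstack_endpoint "
                        "are mutually exclusive")
    style = settings.get("addressing_style", "auto")
    if style not in ("path", "virtual", "auto"):
        findings.append(f"addressing_style: invalid value {style!r}")
    sizes = {}
    for key, pattern in (("multipart_threshold", SIZE_RE),
                         ("multipart_chunksize", SIZE_RE),
                         ("max_bandwidth", RATE_RE)):
        if key in settings:
            try:
                sizes[key] = to_bytes(settings[key], pattern)
            except ValueError as exc:
                findings.append(f"{key}: {exc}")
    if sizes.get("multipart_chunksize", MIN_CHUNKSIZE) < MIN_CHUNKSIZE:
        findings.append("multipart_chunksize is below the 5 MB minimum")
    if "payload_signing_enabled" in settings and not enabled("payload_signing_enabled"):
        findings.append("payload_signing_enabled = false: the SHA256 payload "
                        "checksum is not calculated")
    return findings


def part_count(file_size, settings):
    """Parts for one file with the configured sizes; 1 means no multipart transfer."""
    threshold = to_bytes(settings.get("multipart_threshold", "8MB"))
    chunk = to_bytes(settings.get("multipart_chunksize", "8MB"))
    if file_size <= threshold:      # multipart only when the file exceeds the threshold
        return 1
    return math.ceil(file_size / chunk)


if __name__ == "__main__":
    for finding in lint(s3_settings(SAMPLE_CONFIG, "development")):
        print("finding:", finding)
```
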

# Configuring environment variables for the AWS CLI
<a name="cli-configure-envvars"></a>

Environment variables provide another way to specify configuration options and credentials, and can be useful for scripting.

**Precedence of options**
+ If you specify an option by using one of the environment variables described in this topic, it overrides any value loaded from a profile in the configuration file. 
+ If you specify an option by using a parameter on the AWS CLI command line, it overrides any value from either the corresponding environment variable or a profile in the configuration file.

For more information about precedence and how the AWS CLI determines which credentials to use, see [Configuring settings for the AWS CLI](cli-chap-configure.md).
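
The following added example (not part of the AWS CLI) resolves settings through the three layers above and lists every value that does not come from the profile, which is a quick way to spot an environment variable silently overriding credentials, Region, or the CA bundle. The variable-to-setting pairings follow this topic, the sample inputs are constructed, and treating a variable as set whenever it is present is an assumption of the example.

```python
# profile setting -> (environment variables, highest precedence first; command line option)
# None means this example models no command line option for the setting.
SETTINGS = {
    "aws_access_key_id": (["AWS_ACCESS_KEY_ID"], None),
    "aws_secret_access_key": (["AWS_SECRET_ACCESS_KEY"], None),
    "region": (["AWS_REGION", "AWS_DEFAULT_REGION"], "--region"),
    "output": (["AWS_DEFAULT_OUTPUT"], "--output"),
    "ca_bundle": (["AWS_CA_BUNDLE"], "--ca-bundle"),
    "cli_pager": (["AWS_PAGER"], None),
    "max_attempts": (["AWS_MAX_ATTEMPTS"], None),
    "retry_mode": (["AWS_RETRY_MODE"], None),
}

# Constructed sample input; the keys are the documentation placeholders used on this page.
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "AWS_DEFAULT_REGION": "us-west-2",
    "AWS_REGION": "eu-west-1",
    "AWS_CA_BUNDLE": "/tmp/extra-ca.pem",
    "AWS_PAGER": "",
}
SAMPLE_PROFILE = {
    "region": "us-east-1",
    "output": "json",
    "ca_bundle": "/etc/ssl/corp-ca.pem",
    "cli_pager": "less",
    "retry_mode": "standard",
}
SAMPLE_CLI = {"--output": "text"}


def resolve(setting, cli_args, env, profile):
    """Return (value, source) for one setting: option, then environment, then profile."""
    env_names, option = SETTINGS[setting]
    if option is not None and option in cli_args:
        return cli_args[option], f"option {option}"
    for name in env_names:
        # Presence counts, even when empty: an empty AWS_PAGER disables the pager.
        if name in env:
            return env[name], f"env {name}"
    if setting in profile:
        return profile[setting], "profile"
    return None, "unset"


def redact(setting, value):
    """Keep credentials out of audit output; show only the access key ID prefix."""
    if setting == "aws_secret_access_key":
        return "<redacted>"
    if setting == "aws_access_key_id":
        return value[:4] + "<redacted>"
    return value


def audit(cli_args, env, profile):
    """List every setting whose effective value does not come from the profile."""
    rows = []
    for setting in SETTINGS:
        value, source = resolve(setting, cli_args, env, profile)
        if source in ("profile", "unset"):
            continue
        rows.append({
            "setting": setting,
            "source": source,
            "value": redact(setting, value),
            # True when the profile defines a different value that is being ignored.
            "shadows_profile": setting in profile and profile[setting] != value,
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_CLI, SAMPLE_ENV, SAMPLE_PROFILE):
        print(row)
```

Pass `os.environ` as `env` to audit the current shell instead of the sample.
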

**Topics**
+ [How to set environment variables](#envvars-set)
+ [AWS CLI supported environment variables](#envvars-list)

## How to set environment variables
<a name="envvars-set"></a>

The following examples show how you can configure environment variables for the default user.

------
#### [ Linux or macOS ]

```
$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export AWS_DEFAULT_REGION=us-west-2
```

Setting the environment variable changes the value used until the end of your shell session, or until you set the variable to a different value. You can make the variables persistent across future sessions by setting them in your shell's startup script.

------
#### [ Windows Command Prompt ]

**To set for all sessions**

```
C:\> setx AWS_ACCESS_KEY_ID AKIAIOSFODNN7EXAMPLE
C:\> setx AWS_SECRET_ACCESS_KEY wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
C:\> setx AWS_DEFAULT_REGION us-west-2
```

Using [`setx`](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setx) to set an environment variable changes the value used in both the current command prompt session and all command prompt sessions that you create after running the command. It does ***not*** affect other command shells that are already running at the time you run the command. You may need to restart your terminal for settings to load.

**To set for current session only**

Using [`set`](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1) to set an environment variable changes the value used until the end of the current command prompt session, or until you set the variable to a different value. 

```
C:\> set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
C:\> set AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
C:\> set AWS_DEFAULT_REGION=us-west-2
```

------
#### [ PowerShell ]

```
PS C:\> $Env:AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
PS C:\> $Env:AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
PS C:\> $Env:AWS_DEFAULT_REGION="us-west-2"
```

If you set an environment variable at the PowerShell prompt as shown in the previous examples, it saves the value for only the duration of the current session. To make the environment variable setting persistent across all PowerShell and Command Prompt sessions, store it by using the **System** application in **Control Panel**. Alternatively, you can set the variable for all future PowerShell sessions by adding it to your PowerShell profile. See the [PowerShell documentation](https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_environment_variables) for more information about storing environment variables or persisting them across sessions.

------

## AWS CLI supported environment variables
<a name="envvars-list"></a>

The AWS CLI supports the following environment variables.

**`AWS_ACCESS_KEY_ID`**  
Specifies an AWS access key associated with an IAM account.  
If defined, this environment variable overrides the value for the profile setting `aws_access_key_id`. You can't specify the access key ID by using a command line option.

**`AWS_ACCOUNT_ID`**  
Specifies the AWS account-based endpoint ID to use for calls to supported AWS services. For more information on account-based endpoints, see [Account-based endpoints](cli-configure-endpoints.md#endpoints-accountid).  
This setting overrides the `aws_account_id` setting. The `AWS_ACCOUNT_ID_ENDPOINT_MODE` environment variable or `account_id_endpoint_mode` setting must be set to `preferred` or `required` to use this setting.  
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`AWS_ACCOUNT_ID_ENDPOINT_MODE`**  
Specifies whether to use AWS account-based endpoint IDs for calls to supported AWS services. For more information on account-based endpoints, see [Account-based endpoints](cli-configure-endpoints.md#endpoints-accountid).  
This setting can be set to the following:  
+ **(default)** **`preferred`** – The endpoint should include account ID if available. 
+ **`disabled`** – A resolved endpoint doesn't include account ID. 
+ **`required`** – The endpoint must include account ID. If the account ID isn't available, the SDK throws an error.
This setting overrides the `account_id_endpoint_mode` setting. To use account-based endpoints, the ID must be set in the `AWS_ACCOUNT_ID` environment variable or `aws_account_id` setting.  
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`AWS_CA_BUNDLE`**  
Specifies the path to a certificate bundle to use for HTTPS certificate validation.  
If defined, this environment variable overrides the value for the profile setting `ca_bundle`. You can override this environment variable by using the `--ca-bundle` command line parameter.

**`AWS_CLI_AUTO_PROMPT`**  
Enables the auto-prompt for the AWS CLI version 2. There are two settings that can be used:  
+ **`on`** uses the full auto-prompt mode each time you attempt to run an `aws` command. This includes pressing **ENTER** after both a complete command or incomplete command.
+ **`on-partial`** uses partial auto-prompt mode. If a command is incomplete or cannot be run due to client-side validation errors, auto-prompt is used. This mode is useful if you have pre-existing scripts, runbooks, or you only want to be auto-prompted for commands you are unfamiliar with rather than prompted on every command.
If defined, this environment variable overrides the value for the `cli_auto_prompt` profile setting. You can override this environment variable by using the `--cli-auto-prompt` and `--no-cli-auto-prompt` command line parameters.   
For information on the AWS CLI version 2 auto-prompt feature, see [Enabling and using command prompts in the AWS CLI](cli-usage-parameters-prompting.md).

**`AWS_CLI_FILE_ENCODING`**  
Specifies the encoding used for text files. By default, the encoding matches your locale. To set an encoding different from the locale, use the `AWS_CLI_FILE_ENCODING` environment variable. For example, if you use Windows with default encoding `CP1252`, setting `AWS_CLI_FILE_ENCODING=UTF-8` sets the CLI to open text files using `UTF-8`.

**`AWS_CLI_HISTORY_FILE`**  
Overrides the default location for storing command history when the `cli_history` feature is enabled. The default path is `~/.aws/cli/history/history.db`. You can use this variable to specify an alternative storage location.

**`AWS_CLI_S3_MV_VALIDATE_SAME_S3_PATHS`**  
If the source and destination buckets are the same when using the `s3 mv` command, the source file or object can be moved onto itself, which can result in accidental deletion of your source file or object. The `AWS_CLI_S3_MV_VALIDATE_SAME_S3_PATHS` environment variable and `--validate-same-s3-paths` option specify whether to validate your access point ARNs or access point aliases in your Amazon S3 source or destination URIs.  
Path validation for `s3 mv` requires additional API calls.

**`AWS_S3_DISABLE_EXPRESS_SESSION_AUTH`**  
Whether to disable S3 Express session authentication. The value must be a boolean. Defaults to false. If set to true, the client will NOT use S3 Express session authentication.  
If defined, this environment variable overrides the value for the profile S3 setting `disable_s3_express_session_auth`.

**`AWS_CONFIG_FILE`**  
Specifies the location of the file that the AWS CLI uses to store configuration profiles. The default path is `~/.aws/config`.  
You can't specify this value in a named profile setting or by using a command line parameter.

**`AWS_DATA_PATH`**  
A list of additional directories to check outside of the built-in search path of `~/.aws/models` when loading AWS CLI data. Setting this environment variable indicates additional directories to check first before falling back to the built-in search path. Multiple entries should be separated with the `os.pathsep` character, which is `:` on Linux or macOS and `;` on Windows.

**`AWS_DEFAULT_OUTPUT`**  
Specifies the [output format](cli-usage-output.md) to use.  
If defined, this environment variable overrides the value for the profile setting `output`. You can override this environment variable by using the `--output` command line parameter.

**`AWS_DEFAULT_REGION`**  
The `Default region name` identifies the AWS Region whose servers you want to send your requests to by default. This is typically the Region closest to you, but it can be any Region. For example, you can type `us-west-2` to use US West (Oregon). This is the Region that all later requests are sent to, unless you specify otherwise in an individual command.  
You must specify an AWS Region when using the AWS CLI, either explicitly or by setting a default Region. For a list of the available Regions, see [Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html). The Region designators used by the AWS CLI are the same names that you see in AWS Management Console URLs and service endpoints.
If defined, this environment variable overrides the value for the profile setting `region`. You can override this environment variable by using the `--region` command line parameter and the AWS SDK compatible `AWS_REGION` environment variable.

**`AWS_EC2_METADATA_DISABLED`**  
Disables the use of the Amazon EC2 instance metadata service (IMDS).   
If set to true, user credentials or configuration (like the Region) are not requested from IMDS.

**`AWS_ENDPOINT_URL`**  
Specifies the endpoint that is used for all service requests. For more information, see [Set global endpoint for all AWS services](cli-configure-endpoints.md#endpoints-global).  
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`AWS_ENDPOINT_URL_<SERVICE>`**  
Specifies a custom endpoint that is used for a specific service, where `<SERVICE>` is replaced with the AWS service identifier. For example, Amazon DynamoDB has a `serviceId` of [`DynamoDB`](https://github.com/boto/botocore/blob/bcaf618c4b93c067efa0b85d3e92f3985ff60906/botocore/data/dynamodb/2012-08-10/service-2.json#L10). For this service, the endpoint URL environment variable is `AWS_ENDPOINT_URL_DYNAMODB`.   
For a list of all service-specific environment variables, see [List of service-specific identifiers](cli-configure-endpoints.md#endpoints-service-specific-table).  
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`AWS_IGNORE_CONFIGURED_ENDPOINT_URLS`**  
If enabled, the AWS CLI ignores all custom endpoint configurations. Valid values are `true` and `false`. For more information, see [Set global endpoint for all AWS services](cli-configure-endpoints.md#endpoints-global).  
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**[`AWS_MAX_ATTEMPTS`](cli-configure-files.md#cli-config-max_attempts)**  
Specifies a value of maximum retry attempts the AWS CLI retry handler uses, where the initial call counts toward the value that you provide. For more information on retries, see [AWS CLI retries in the AWS CLI](cli-configure-retries.md).  
If defined, this environment variable overrides the value for the profile setting `max_attempts`.

**`AWS_METADATA_SERVICE_NUM_ATTEMPTS`**  
When attempting to retrieve credentials on an Amazon EC2 instance that has been configured with an IAM role, the AWS CLI attempts to retrieve credentials once from the instance metadata service before stopping. If you know your commands will run on an Amazon EC2 instance, you can increase this value to make AWS CLI retry multiple times before giving up.

**`AWS_METADATA_SERVICE_TIMEOUT`**  
The number of seconds before a connection to the instance metadata service should time out. When attempting to retrieve credentials on an Amazon EC2 instance that is configured with an IAM role, a connection to the instance metadata service times out after 1 second by default. If you know you're running on an Amazon EC2 instance with an IAM role configured, you can increase this value if needed.

**[`AWS_PAGER`](cli-configure-files.md#cli-config-cli_pager)**  
Specifies the pager program used for output. By default, AWS CLI version 2 returns all output through your operating system’s default pager program.  
To disable all use of an external paging program, set the variable to an empty string.   
If defined, this environment variable overrides the value for the profile setting `cli_pager`.

**[`AWS_PROFILE`](cli-configure-files.md#cli-configure-files-using-profiles)**  
Specifies the name of the AWS CLI profile with the credentials and options to use. This can be the name of a profile stored in a `credentials` or `config` file, or the value `default` to use the default profile.   
If defined, this environment variable overrides the behavior of using the profile named `[default]` in the configuration file. You can override this environment variable by using the `--profile` command line parameter.

**`AWS_REGION`**  
The AWS SDK compatible environment variable that specifies the AWS Region to send the request to.  
If defined, this environment variable overrides the values in the environment variable `AWS_DEFAULT_REGION` and the profile setting `region`. You can override this environment variable by using the `--region` command line parameter.

**`AWS_REQUEST_CHECKSUM_CALCULATION`**  
Specifies when a checksum is calculated for request payloads, and has the following options:   
+ `when_supported` – **(Default)** The request payload checksum is calculated when an operation either specifies a checksum algorithm in its service model or requires request checksums.
+ `when_required` – The request payload checksum is calculated when an operation requires request checksums or when a user provides a `requestAlgorithmMember` that is modeled by the AWS service.
If defined, this environment variable overrides the value for the profile setting [`request_checksum_calculation`](cli-configure-files.md#cli-config-request_checksum_calculation).

**`AWS_RESPONSE_CHECKSUM_VALIDATION`**  
Specifies when checksum validation is performed for response payloads, and has the following options:   
+ `when_supported` – **(Default)** The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports.
+ `when_required` – The response payload checksum validation is performed when an operation specifies a response algorithm in its service model that the AWS CLI supports, and you set the modeled `requestValidationModeMember` to `ENABLED` in the operation input.
If defined, this environment variable overrides the value for the profile setting [`response_checksum_validation`](cli-configure-files.md#cli-config-response_checksum_validation).

**[`AWS_RETRY_MODE`](cli-configure-files.md#cli-config-retry_mode)**  
Specifies which retry mode AWS CLI uses. There are three retry modes available: legacy (default), standard, and adaptive. For more information on retries, see [AWS CLI retries in the AWS CLI](cli-configure-retries.md).  
If defined, this environment variable overrides the value for the profile setting `retry_mode`.

**`AWS_ROLE_ARN`**  
Specifies the Amazon Resource Name (ARN) of an IAM role with a web identity provider that you want to use to run the AWS CLI commands.  
Used with the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_SESSION_NAME` environment variables.  
If defined, this environment variable overrides the value for the profile setting [`role_arn`](cli-configure-files.md#cli-config-role_arn). You can't specify a role session name as a command line parameter.  
This environment variable applies only to an assumed role with a web identity provider. It does not apply to the general assume role provider configuration.  
For more information on using web identities, see [Assume role with web identity](cli-configure-role.md#cli-configure-role-oidc).

**`AWS_ROLE_SESSION_NAME`**  
Specifies the name to attach to the role session. This value is provided to the `RoleSessionName` parameter when the AWS CLI calls the `AssumeRole` operation, and becomes part of the assumed role user ARN: `arn:aws:sts::123456789012:assumed-role/role_name/role_session_name`. This is an optional parameter. If you do not provide this value, a session name is generated automatically. This name appears in AWS CloudTrail logs for entries associated with this session.  
If defined, this environment variable overrides the value for the profile setting [`role_session_name`](cli-configure-files.md#cli-config-role_session_name).  
Used with the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` environment variables.  
For more information on using web identities, see [Assume role with web identity](cli-configure-role.md#cli-configure-role-oidc).  
This environment variable applies only to an assumed role with a web identity provider. It does not apply to the general assume role provider configuration.

**`AWS_SDK_UA_APP_ID`**  
A single AWS account can be used by multiple customer applications to make calls to AWS services. Application ID identifies which source application made a set of calls using an AWS service. AWS SDKs and services don't use or interpret this value other than to surface it back in customer communications. For example, this value can be included in operational emails to uniquely identify which of your applications is associated with the notification.  
By default, there is no value.  
The Application ID is a string with a maximum length of 50 characters. Letters, numbers, and the following special characters are allowed:   

```
! $ % & * + - . , ^ _ ` | ~
```
If defined, this environment variable overrides the value for the profile setting [`sdk_ua_app_id`](cli-configure-files.md#cli-config-sdk_ua_app_id). You can't specify Application ID as a command line option.

**`AWS_SECRET_ACCESS_KEY`**  
Specifies the secret key associated with the access key. This is essentially the "password" for the access key.  
If defined, this environment variable overrides the value for the profile setting `aws_secret_access_key`. You can't specify the secret access key as a command line option.

**`AWS_SESSION_TOKEN`**  
Specifies the session token value that is required if you are using temporary security credentials that you retrieved directly from AWS STS operations. For more information, see the [Output section of the assume-role command](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html#output) in the *AWS CLI Command Reference*.  
If defined, this environment variable overrides the value for the profile setting `aws_session_token`.

**`AWS_SHARED_CREDENTIALS_FILE`**  
Specifies the location of the file that the AWS CLI uses to store access keys. The default path is `~/.aws/credentials`.  
You can't specify this value in a named profile setting or by using a command line parameter.

**`AWS_SIGV4A_SIGNING_REGION_SET`**  
Specifies the regions to use when signing with SigV4a using a comma-delimited list. If this variable is not set, the AWS CLI uses the default used by the AWS service. If the AWS service has no default, the request signature becomes valid in all regions using a value of `*`.  
For more information on SigV4a, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.  
If defined, this environment variable overrides the value for the profile setting [`sigv4a_signing_region_set`](cli-configure-files.md#cli-config-sigv4a_signing_region_set).

**`AWS_USE_DUALSTACK_ENDPOINT`**  
Enables the use of dual-stack endpoints to send AWS requests. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon Simple Storage Service User Guide*. Dual-stack endpoints are available for some services in some regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. This is disabled by default. For more information, see [Set to use dual-stack endpoints for all AWS services](cli-configure-endpoints.md#endpoints-dual-stack).  
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**`AWS_USE_FIPS_ENDPOINT`**  
Some AWS services offer endpoints that support [Federal Information Processing Standard (FIPS) 140-2](http://aws.amazon.com/compliance/fips/) in some AWS Regions. When the AWS service supports FIPS, this setting specifies what FIPS endpoint the AWS CLI should use. Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that complies with FIPS 140-2. These endpoints might be required by enterprises that interact with the United States government. For more information, see [Set to use FIPs endpoints for all AWS services](cli-configure-endpoints.md#endpoints-fips).  
If this setting is enabled, but a FIPS endpoint does not exist for the service in your AWS Region, the AWS command may fail. In this case, manually specify the endpoint to use in the command using the `--endpoint-url` option or use [service-specific endpoints](cli-configure-endpoints.md#endpoints-service-specific).  
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**[`AWS_WEB_IDENTITY_TOKEN_FILE`](#cli-configure-envvars)**  
Specifies the path to a file that contains an OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. The AWS CLI loads the contents of this file and passes it as the `WebIdentityToken` argument to the `AssumeRoleWithWebIdentity` operation.  
Used with the `AWS_ROLE_ARN` and `AWS_ROLE_SESSION_NAME` environment variables.  
If defined, this environment variable overrides the value for the profile setting `web_identity_token_file`.   
For more information on using web identities, see [Assume role with web identity](cli-configure-role.md#cli-configure-role-oidc).  
This environment variable applies only to an assumed role with a web identity provider. It does not apply to the general assume role provider configuration.
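
The following preflight check is an added example, not part of the AWS documentation or the AWS CLI. It validates the values of `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, and `AWS_ROLE_SESSION_NAME` before a job runs. The helper name `check_web_identity` is hypothetical, and the IAM role ARN shape and the `RoleSessionName` limits (2 to 64 characters from `A-Za-z0-9_+=,.@-`) are assumptions taken from the IAM and AWS STS references rather than from this page.

```sh
#!/bin/sh
# check_web_identity ROLE_ARN TOKEN_FILE SESSION_NAME
# Pass the values of AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE and
# AWS_ROLE_SESSION_NAME (empty string when unset), for example:
#   check_web_identity "${AWS_ROLE_ARN-}" "${AWS_WEB_IDENTITY_TOKEN_FILE-}" \
#       "${AWS_ROLE_SESSION_NAME-}"
# Prints one finding per line and returns 0 only when there is no ERROR.
check_web_identity() {
    role_arn=$1 token_file=$2 session_name=$3
    errors=0

    if [ -z "$role_arn$token_file$session_name" ]; then
        echo "INFO: no web identity variables are set"
        return 0
    fi

    # The token file is read by the CLI, so it must exist and hold a token.
    # Its contents are never printed here.
    if [ -z "$token_file" ]; then
        echo "WARN: AWS_WEB_IDENTITY_TOKEN_FILE is unset; the token path must come from the profile setting web_identity_token_file"
    elif [ ! -f "$token_file" ] || [ ! -r "$token_file" ]; then
        echo "ERROR: token file is missing or unreadable: $token_file"
        errors=$((errors + 1))
    elif [ ! -s "$token_file" ]; then
        echo "ERROR: token file is empty: $token_file"
        errors=$((errors + 1))
    fi

    # Assumed ARN shape: arn:<partition>:iam::<12-digit account>:role/<name>
    if [ -z "$role_arn" ]; then
        echo "WARN: AWS_ROLE_ARN is unset; the role must come from the profile setting role_arn"
    elif ! printf '%s\n' "$role_arn" |
            grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/.+$'; then
        echo "ERROR: AWS_ROLE_ARN is not an IAM role ARN: $role_arn"
        errors=$((errors + 1))
    fi

    # The session name is optional, but it is what shows up in CloudTrail.
    if [ -z "$session_name" ]; then
        echo "INFO: AWS_ROLE_SESSION_NAME is unset; a generated name will appear in CloudTrail"
    else
        case $session_name in
            *[!A-Za-z0-9_+=,.@-]*)
                echo "ERROR: AWS_ROLE_SESSION_NAME contains characters outside A-Za-z0-9_+=,.@-"
                errors=$((errors + 1))
                ;;
        esac
        if [ "${#session_name}" -lt 2 ] || [ "${#session_name}" -gt 64 ]; then
            echo "ERROR: AWS_ROLE_SESSION_NAME must be 2 to 64 characters long"
            errors=$((errors + 1))
        fi
    fi

    [ "$errors" -eq 0 ]
}

# Demonstration with constructed values (placeholder account ID and role).
demo_dir=$(mktemp -d)
printf 'constructed-token-value\n' > "$demo_dir/token"
check_web_identity "arn:aws:iam::123456789012:role/role_name" \
    "$demo_dir/token" "ci-build-42"
check_web_identity "arn:aws:iam::123456789012:role/role_name" \
    "$demo_dir/absent" "bad name"
rm -rf "$demo_dir"
```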

# Command line options in the AWS CLI
<a name="cli-configure-options"></a>

In the AWS CLI, command line options are global parameters you can use to override the default configuration settings, any corresponding profile setting, or environment variable setting for that single command. You can't use command line options to directly specify credentials, although you can specify which profile to use. 

**Topics**
+ [How to use command line options](#cli-configure-options-how)
+ [AWS CLI supported global command line options](#cli-configure-options-list)
+ [Common uses of command line options](#cli-configure-options-common)

## How to use command line options
<a name="cli-configure-options-how"></a>

Most command line options are simple strings, such as the profile name `profile1` in the following example:

```
$ aws s3 ls --profile profile1
amzn-s3-demo-bucket1
amzn-s3-demo-bucket2
...
```

Each option that takes an argument requires a space or equals sign (=) separating the argument from the option name. If the argument value is a string that contains a space, you must use quotation marks around the argument. For details on argument types and formatting for parameters, see [Specifying parameter values in the AWS CLI](cli-usage-parameters.md).

## AWS CLI supported global command line options
<a name="cli-configure-options-list"></a>

In the AWS CLI you can use the following command line options to override the default configuration settings, any corresponding profile setting, or environment variable setting for that single command. 

**--ca-bundle *<string>***  
Specifies the certificate authority (CA) certificate bundle to use when verifying SSL certificates.   
If defined, this option overrides the value for the profile setting `ca_bundle` and the `AWS_CA_BUNDLE` environment variable.

**--cli-auto-prompt**  
Enables auto-prompt mode for a single command. As the following examples show, you can specify it at any point.  

```
$ aws --cli-auto-prompt
$ aws dynamodb --cli-auto-prompt
$ aws dynamodb describe-table --cli-auto-prompt
```
This option overrides the `aws_cli_auto_prompt` environment variable and the `cli_auto_prompt` profile setting.  
For information on the AWS CLI version 2 auto-prompt feature, see [Enabling and using command prompts in the AWS CLI](cli-usage-parameters-prompting.md).

**--cli-binary-format**  
Specifies how the AWS CLI version 2 interprets binary input parameters. It can be one of the following values:  
+ **base64** – This is the default value. An input parameter that is typed as a binary large object (BLOB) accepts a base64-encoded string. To pass true binary content, put the content in a file and provide the file's path and name with the `fileb://` prefix as the parameter's value. To pass base64-encoded text contained in a file, provide the file's path and name with the `file://` prefix as the parameter's value.
+ **raw-in-base64-out** – Default for the AWS CLI version 1. If the setting's value is `raw-in-base64-out`, files referenced using the `file://` prefix are read as text and then the AWS CLI attempts to encode them to binary.
This overrides the `cli_binary_format` file configuration setting.  

```
$ aws lambda invoke \
    --cli-binary-format raw-in-base64-out \
    --function-name my-function \
    --invocation-type Event \
    --payload '{ "name": "Bob" }' \
    response.json
```
If you reference a binary value in a file using the `fileb://` prefix notation, the AWS CLI *always* expects the file to contain raw binary content and does not attempt to convert the value.   
If you reference a binary value in a file using the `file://` prefix notation, the AWS CLI handles the file according to the current `cli_binary_format` setting. If that setting's value is `base64` (the default when not explicitly set), the AWS CLI expects the file to contain base64-encoded text. If that setting's value is `raw-in-base64-out`, the AWS CLI expects the file to contain raw binary content.

**--cli-connect-timeout *<integer>***  
Specifies the maximum socket connect time in seconds. If the value is set to zero (0), the socket connect waits indefinitely (is blocking) and doesn't time out. The default value is 60 seconds.

**--cli-read-timeout *<integer>***  
Specifies the maximum socket read time in seconds. If the value is set to zero (0), the socket read waits indefinitely (is blocking) and doesn't time out. The default value is 60 seconds.

**--color *<string>***  
Specifies support for color output. Valid values are `on`, `off`, and `auto`. The default value is `auto`.

**--debug**  
A Boolean switch that enables debug logging. By default, the AWS CLI provides cleaned-up information about the success or failure of a command in the command output. The `--debug` option provides the full Python logs. This includes additional `stderr` diagnostic information about the operation of the command that can be useful when troubleshooting why a command provides unexpected results. To make the debug logs easier to search, we suggest sending them to a file. You can do this by using one of the following.  
To send **only** the `stderr` diagnostic information, append `2> debug.txt` where `debug.txt` is the name you want to use for your debug file:  

```
$ aws servicename commandname options --debug 2> debug.txt
```
To send **both** the output and `stderr` diagnostic information, append `&> debug.txt` where `debug.txt` is the name you want to use for your debug file:  

```
$ aws servicename commandname options --debug &> debug.txt
```

**--endpoint-url *<string>***  
Specifies the URL to send the request to. For most commands, the AWS CLI automatically determines the URL based on the selected service and the specified AWS Region. However, some commands require that you specify an account-specific URL. You can also configure some AWS services to [host an endpoint directly within your private VPC](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html#what-is-privatelink), which might then need to be specified.   
The following command example uses a custom Amazon S3 endpoint URL.  

```
$ aws s3 ls --endpoint-url http://localhost:4567
```
**Endpoint precedence**  
Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI checks these endpoint settings in a particular order, and uses the endpoint setting with the highest precedence. For the endpoint precedence list, see [Endpoint configuration and settings precedence](cli-configure-endpoints.md#endpoints-precedence).

**--no-cli-auto-prompt**  
Disables auto-prompt mode for a single command.  

```
$ aws dynamodb describe-table --table-name Table1 --no-cli-auto-prompt
```
This option overrides the `aws_cli_auto_prompt` environment variable and the `cli_auto_prompt` profile setting.  
For information on the AWS CLI version 2 auto-prompt feature, see [Enabling and using command prompts in the AWS CLI](cli-usage-parameters-prompting.md).

**--no-cli-pager**  
A Boolean switch that disables using a pager for the output of the command.

**--no-paginate**  
A Boolean switch that disables the multiple calls the AWS CLI automatically makes to receive all command results, which is what paginates the output. This means only the first page of your output is displayed.

**--no-sign-request**  
A Boolean switch that disables signing the HTTP requests to the AWS service endpoint. This prevents credentials from being loaded.

**--no-verify-ssl**  
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection and call, the AWS CLI verifies the SSL certificates. Using this option overrides the default behavior of verifying SSL certificates.   
This option is **not** best practice. If you use `--no-verify-ssl`, traffic between your client and AWS services is no longer secured. This means your traffic is a security risk and vulnerable to man-in-the-middle exploits. If you're having issues with certificates, it's best to resolve those issues instead. For certificate troubleshooting steps, see [SSL certificate errors](cli-chap-troubleshooting.md#tshoot-certificate-verify-failed). 

**--output *<string>***  
Specifies the output format to use for this command. You can specify any of the following values:  
+ **[`json`](cli-usage-output-format.md#json-output)** – The output is formatted as a [JSON](https://json.org/) string.
+ **[`yaml`](cli-usage-output-format.md#yaml-output)** – The output is formatted as a [YAML](https://yaml.org/) string.
+ **[`yaml-stream`](cli-usage-output-format.md#yaml-stream-output)** – The output is streamed and formatted as a [YAML](https://yaml.org/) string. Streaming allows for faster handling of large data types.
+ **[`text`](cli-usage-output-format.md#text-output)** – The output is formatted as multiple lines of tab-separated string values. This can be useful to pass the output to a text processor, like `grep`, `sed`, or `awk`.
+ **[`table`](cli-usage-output-format.md#table-output)** – The output is formatted as a table using the characters `+|-` to form the cell borders. It typically presents the information in a "human-friendly" format that is much easier to read than the others, but not as programmatically useful.
+ **[`off`](cli-usage-output-format.md#off-output)** – The output suppresses all command output to stdout. This is useful in automation scripts and CI/CD pipelines where you only need to check the command's exit code without processing the output.

**--profile *<string>***  
Specifies the [named profile](cli-configure-files.md#cli-configure-files-using-profiles) to use for this command. To set up additional named profiles, you can use the `aws configure` command with the `--profile` option.  

```
$ aws configure --profile <profilename>
```

**--query *<string>***  
Specifies a [JMESPath query](https://jmespath.org/) to use in filtering the response data. For more information, see [Filtering output in the AWS CLI](cli-usage-filter.md).

**--region *<string>***  
Specifies which AWS Region to send this command's AWS request to. For a list of all of the Regions that you can specify, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*.

**--version**  
A Boolean switch that displays the current version of the AWS CLI program that is running.
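
An added example, not from the AWS documentation: a POSIX shell audit that reports `--no-verify-ssl` and plaintext `--endpoint-url http://` values in scripts, joining backslash-continued commands before matching. The function names, the severity labels, the loopback exemption, and the sample script are constructed for illustration.

```sh
#!/bin/sh
# audit_aws_tls_flags FILE...
# Prints FILE:LINE:SEVERITY:MESSAGE for each aws invocation that weakens
# transport security, where LINE is the first line of the (possibly
# continued) command. Returns 1 when anything was reported, 0 otherwise.
audit_aws_tls_flags() {
    awk -v q="'" '
    function report(sev, msg) {
        printf "%s:%d:%s:%s\n", FILENAME, start, sev, msg
        found++
    }
    function inspect(s,    url) {
        # Only look at logical lines that run the aws command.
        if (s !~ /(^|[ \t;|&(])aws[ \t]/) return
        if (s ~ /--no-verify-ssl/)
            report("HIGH", "--no-verify-ssl turns off certificate verification")
        if (match(s, /--endpoint-url[ =]+[^ \t]+/)) {
            url = substr(s, RSTART, RLENGTH)
            sub(/^--endpoint-url[ =]+/, "", url)
            gsub("[\"" q "]", "", url)          # drop surrounding quotes
            # Plain HTTP to anything but the local machine has no TLS at all.
            if (url ~ /^http:\/\// &&
                url !~ /^http:\/\/(localhost|127\.0\.0\.1|\[::1\])(:|\/|$)/)
                report("REVIEW", "plaintext endpoint " url)
        }
    }
    {
        if (buf == "") {
            if ($0 ~ /^[ \t]*#/) next           # comment line, not a command
            start = FNR
        }
        line = $0
        # A trailing backslash continues the command on the next line.
        if (sub(/\\$/, " ", line)) { buf = buf line; next }
        inspect(buf line)
        buf = ""
    }
    END {
        if (buf != "") inspect(buf)
        exit (found > 0)
    }
    ' "$@"
}

# Constructed sample script used for the demonstration below.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# aws s3 ls --no-verify-ssl   (comment: not an invocation)
aws s3 ls --profile profile1
aws lambda invoke \
    --no-verify-ssl \
    --function-name my-function response.json
aws s3 ls --endpoint-url http://localhost:4567
aws s3 ls --endpoint-url http://storage.example.internal:4567
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_aws_tls_flags "$sample"
echo "audit exit status: $?"
rm -f "$sample"
```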

## Common uses of command line options
<a name="cli-configure-options-common"></a>

Common uses for command line options include checking your resources in multiple AWS Regions, and changing the output format for legibility or ease of use when scripting. In the following examples, we run the **describe-instances** command against each Region until we find which Region our instance is in. 

```
$ aws ec2 describe-instances --output table --region us-west-1
-------------------
|DescribeInstances|
+-----------------+
$ aws ec2 describe-instances --output table --region us-west-2
------------------------------------------------------------------------------
|                              DescribeInstances                             |
+----------------------------------------------------------------------------+
||                               Reservations                               ||
|+-------------------------------------+------------------------------------+|
||  OwnerId                            |  012345678901                      ||
||  ReservationId                      |  r-abcdefgh                        ||
|+-------------------------------------+------------------------------------+|
|||                                Instances                               |||
||+------------------------+-----------------------------------------------+||
|||  AmiLaunchIndex        |  0                                            |||
|||  Architecture          |  x86_64                                       |||
...
```

# Configuring command completion in the AWS CLI
<a name="cli-configure-completion"></a>

The AWS Command Line Interface (AWS CLI) includes a bash-compatible command-completion feature that enables you to use the **Tab** key to complete a partially entered command. On most systems you need to configure this manually.

For information on the AWS CLI version 2 auto-prompt feature instead, see [Enabling and using command prompts in the AWS CLI](cli-usage-parameters-prompting.md).

**Topics**
+ [How it works](#cli-command-completion-about)
+ [Configuring command completion on Linux or macOS](#cli-command-completion-linux)
+ [Configuring command completion on Windows](#cli-command-completion-windows)

## How it works
<a name="cli-command-completion-about"></a>

When you partially enter a command, parameter, or option, the command-completion feature either automatically completes your command or displays a suggested list of commands. To prompt command completion, partially enter a command and press the completion key, which is *Tab* in most shells.

The following examples show different ways that you can use command completion:
+ Partially enter a command and press *Tab* to display a suggested list of commands.

  ```
  $ aws dynamodb dTAB
  delete-backup                        describe-global-table
  delete-item                          describe-global-table-settings
  delete-table                         describe-limits
  describe-backup                      describe-table
  describe-continuous-backups          describe-table-replica-auto-scaling
  describe-contributor-insights        describe-time-to-live
  describe-endpoints
  ```
+ Partially enter a parameter and press *Tab* to display a suggested list of parameters.

  ```
  $ aws dynamodb delete-table --TAB
  --ca-bundle              --endpoint-url           --profile              
  --cli-connect-timeout    --generate-cli-skeleton  --query                
  --cli-input-json         --no-paginate            --region               
  --cli-read-timeout       --no-sign-request        --table-name           
  --color                  --no-verify-ssl          --version              
  --debug                  --output
  ```
+ Enter a parameter and press *Tab* to display a suggested list of resource values. This feature is available only in the AWS CLI version 2.

  ```
  $ aws dynamodb delete-table --table-name TAB
  Table 1                  Table 2                  Table 3
  ```

## Configuring command completion on Linux or macOS
<a name="cli-command-completion-linux"></a>

To configure command completion on Linux or macOS, you must know the name of the shell you're using and the location of the `aws_completer` script.

**Note**  
Command completion is automatically configured and enabled by default on Amazon EC2 instances that run Amazon Linux.

**Topics**
+ [Confirm the completer's folder is in your path](#cli-command-completion-path)
+ [Enable command completion](#cli-command-completion-enable)
+ [Verify command completion](#cli-command-completion-test)

### Confirm the completer's folder is in your path
<a name="cli-command-completion-path"></a>

For the AWS completer to work successfully, the `aws_completer` needs to be in your shell's path. The `which` command can check if the completer is in your path.

```
$ which aws_completer
/usr/local/bin/aws_completer
```

If the `which` command can't find the completer, then use the following steps to add the completer's folder to your path.

#### Step 1: Locate the AWS completer
<a name="cli-command-completion-locate"></a>

 The location of the AWS completer can vary depending on the installation method used. 
+ **Package Manager** - Programs such as `pip`, `yum`, `brew`, and `apt-get` typically install the AWS completer (or a symlink to it) to a standard path location. 
  + If you used `pip` **without** the `--user` parameter, the default path is `/usr/local/bin/aws_completer`.
  + If you used `pip` **with** the `--user` parameter, the default path is `/home/username/.local/bin/aws_completer`.
+ **Bundled Installer** - If you used the bundled installer, the default path is `/usr/local/bin/aws_completer`.

If all else fails, you can use the `find` command to search your file system for the AWS completer. 

```
$ find / -name aws_completer
/usr/local/bin/aws_completer
```

#### Step 2: Identify your shell
<a name="cli-command-completion-shell"></a>

To identify which shell you're using, you can use one of the following commands.
+ **echo $SHELL** – Displays the shell's program file name. This usually matches the name of the in-use shell, unless you launched a different shell after logging in.

  ```
  $ echo $SHELL
  /bin/bash
  ```
+ **ps** – Displays the processes running for the current user. One of them is the shell.

  ```
  $ ps
    PID TTY          TIME CMD
   2148 pts/1    00:00:00 bash
   8756 pts/1    00:00:00 ps
  ```

#### Step 3: Add the completer to your path
<a name="cli-command-completion-path-add"></a>

1. Find your shell's profile script in your user folder.

   ```
   $ ls -a ~/
   .  ..  .bash_logout  .bash_profile  .bashrc  Desktop  Documents  Downloads
   ```
   + **Bash** – `.bash_profile`, `.profile`, or `.bash_login`
   + **Zsh** – `.zshrc`
   + **Tcsh** – `.tcshrc`, `.cshrc`, or `.login`

1. Add an export command at the end of your profile script that's similar to the following example. Replace `/usr/local/bin/` with the folder that you discovered in the previous section.

   ```
   export PATH=/usr/local/bin/:$PATH
   ```

1. Reload the profile into the current session to put those changes into effect. Replace `.bash_profile` with the name of the shell script you discovered in the first section.

   ```
   $ source ~/.bash_profile
   ```

### Enable command completion
<a name="cli-command-completion-enable"></a>

After confirming the completer is in your path, enable command completion by running the appropriate command for the shell that you're using. You can add the command to your shell's profile to run it each time you open a new shell. In each command, replace the */usr/local/bin/* path with the one found on your system in [Confirm the completer's folder is in your path](#cli-command-completion-path).
+ **`bash`** – Use the built-in command `complete`.

  ```
  $ complete -C '/usr/local/bin/aws_completer' aws
  ```

  Add the previous command to `~/.bashrc` to run it each time you open a new shell. Your `~/.bash_profile` should source `~/.bashrc` to ensure that the command is also run in login shells.
+ **`zsh`** – To run command completion, you need to run `bashcompinit` by adding the following autoload line at the end of your `~/.zshrc` profile script.

  ```
  $ autoload bashcompinit && bashcompinit
  $ autoload -Uz compinit && compinit
  ```

  To enable command completion, use the built-in command `complete`.

  ```
  $ complete -C '/usr/local/bin/aws_completer' aws
  ```

  Add the previous commands to `~/.zshrc` to run them each time you open a new shell.
+ **`tcsh`** – Complete for `tcsh` takes a word type and pattern to define the completion behavior.

  ```
  > complete aws 'p/*/`aws_completer`/'
  ```

  Add the previous command to `~/.tcshrc` to run it each time you open a new shell.

After you've enabled command completion, [Verify command completion](#cli-command-completion-test) is working.

### Verify command completion
<a name="cli-command-completion-test"></a>

After enabling command completion, reload your shell, enter a partial command, and press **Tab** to see the available commands.

```
$ aws sTAB
s3              ses             sqs             sts             swf
s3api           sns             storagegateway  support
```

## Configuring command completion on Windows
<a name="cli-command-completion-windows"></a>

**Note**  
For information on how PowerShell handles its completion, including its various completion keys, see [about_Tab_Expansion](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_tab_expansion) in the *Microsoft PowerShell Docs*.

To enable command completion for PowerShell on Windows, complete the following steps in PowerShell.

1. Open your `$PROFILE` with the following command.

   ```
   PS C:\> Notepad $PROFILE
   ```

   If you do not have a `$PROFILE`, create a user profile using the following command.

   ```
   PS C:\> if (!(Test-Path -Path $PROFILE ))
   { New-Item -Type File -Path $PROFILE -Force }
   ```

   For more information on PowerShell profiles, see [How to Use Profiles in Windows PowerShell ISE](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/ise/how-to-use-profiles-in-windows-powershell-ise) on the *Microsoft Docs* website.

1. To enable command completion, add the following code block to your profile, save, and then close the file.

   ```
   Register-ArgumentCompleter -Native -CommandName aws -ScriptBlock {
       param($commandName, $wordToComplete, $cursorPosition)
           $env:COMP_LINE=$wordToComplete
           if ($env:COMP_LINE.Length -lt $cursorPosition){
               $env:COMP_LINE=$env:COMP_LINE + " "
           }
           $env:COMP_POINT=$cursorPosition
           aws_completer.exe | ForEach-Object {
               [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
           }
           Remove-Item Env:\COMP_LINE     
           Remove-Item Env:\COMP_POINT  
   }
   ```

1. After enabling command completion, reload your shell, enter a partial command, and press **Tab** to cycle through the available commands.

   ```
   $ aws sTab
   ```

   ```
   $ aws s3
   ```

   To see all commands available for completion, enter a partial command and press **Ctrl** + **Space**.

   ```
   $ aws sCtrl + Space
   s3              ses             sqs             sts             swf
   s3api           sns             storagegateway  support
   ```

# AWS CLI retries in the AWS CLI
<a name="cli-configure-retries"></a>

This topic describes how the AWS CLI handles calls to AWS services that fail due to unexpected issues. These issues can occur on the server side, or a call might fail due to rate limiting from the AWS service you're attempting to call. These kinds of failures usually don't require special handling, and the call is automatically made again, often after a brief waiting period. The AWS CLI provides many features to assist in retrying client calls to AWS services when these kinds of errors or exceptions are experienced.

**Topics**
+ [Available retry modes](#cli-usage-retries-modes)
+ [Configuring a retry mode](#cli-usage-retries-configure)
+ [Viewing logs of retry attempts](#cli-usage-retries-validate)

## Available retry modes
<a name="cli-usage-retries-modes"></a>

**Topics**
+ [Standard retry mode (default)](#cli-usage-retries-modes-standard.title)
+ [Legacy retry mode](#cli-usage-retries-legacy)
+ [Adaptive retry mode](#cli-usage-retries-modes-adaptive)

### Standard retry mode (default)
<a name="cli-usage-retries-modes-standard.title"></a>

`Standard` mode is a standard set of retry rules across the AWS SDKs with more functionality than legacy, and is the default mode for the AWS CLI. Standard mode was created for the AWS CLI version 2 and is backported to AWS CLI version 1. Standard mode's functionality includes:
+ A default value of 2 for maximum retry attempts, making a total of 3 call attempts. This value can be overwritten through the `max_attempts` configuration parameter. 
+ Retry attempts for the following expanded list of errors/exceptions: 
  + Transient errors/exceptions
    + `RequestTimeout` 
    + `RequestTimeoutException` 
    + `PriorRequestNotComplete` 
    + `ConnectionError`
    + `HTTPClientError` 
  + Service-side throttling/limit errors and exceptions:
    + `Throttling`
    + `ThrottlingException`
    + `ThrottledException`
    + `RequestThrottledException`
    + `TooManyRequestsException`
    + `ProvisionedThroughputExceededException`
    + `TransactionInProgressException` 
    + `RequestLimitExceeded` 
    + `BandwidthLimitExceeded`
    + `LimitExceededException`
    + `RequestThrottled`
    + `SlowDown`
    + `EC2ThrottledException` 
+ Retry attempts on nondescriptive, transient error codes. Specifically, these HTTP status codes: 500, 502, 503, 504. 
+ Any retry attempt will include an exponential backoff by a base factor of 2 for a maximum backoff time of 20 seconds. 

### Legacy retry mode
<a name="cli-usage-retries-legacy"></a>

`Legacy` mode uses an older retry handler that has limited functionality, which includes:
+ A default value of 4 for maximum retry attempts, making a total of 5 call attempts. This value can be overwritten through the `max_attempts` configuration parameter. 
+ DynamoDB has a default value of 9 for maximum retry attempts, making a total of 10 call attempts. This value can be overwritten through the `max_attempts` configuration parameter. 
+ Retry attempts for the following limited number of errors/exceptions:
  + General socket/connection errors:
    + `ConnectionError`
    + `ConnectionClosedError`
    + `ReadTimeoutError`
    + `EndpointConnectionError`
  + Service-side throttling/limit errors and exceptions:
    + `Throttling`
    + `ThrottlingException`
    + `ThrottledException`
    + `RequestThrottledException`
    + `ProvisionedThroughputExceededException`
+ Retry attempts on several HTTP status codes, including 429, 500, 502, 503, 504, and 509.
+ Any retry attempt will include an exponential backoff by a base factor of 2. 

### Adaptive retry mode
<a name="cli-usage-retries-modes-adaptive"></a>

**Warning**  
Adaptive mode is an experimental mode and is subject to change, both in features and behavior.

`Adaptive` retry mode is an experimental retry mode that includes all the features of standard mode. In addition to the standard mode features, adaptive mode also introduces client-side rate limiting through the use of a token bucket and rate-limit variables that are dynamically updated with each retry attempt. This mode offers flexibility in client-side retries that adapts to the error/exception state response from an AWS service.

With each new retry attempt, adaptive mode modifies the rate-limit variables based on the error, exception, or HTTP status code presented in the response from the AWS service. These rate-limit variables are then used to calculate a new call rate for the client. Each exception/error or non-success HTTP response (provided in the list above) from an AWS service updates the rate-limit variables as retries occur until success is reached, the token bucket is exhausted, or the configured maximum attempts value is reached.

## Configuring a retry mode
<a name="cli-usage-retries-configure"></a>

The AWS CLI includes a variety of retry configurations, as well as configuration methods to consider when creating your client object.

### Available configuration methods
<a name="cli-usage-retries-configure-options"></a>

In the AWS CLI, users can configure retries in the following ways:
+ Environment variables
+ AWS CLI configuration file

Users can customize the following retry options:
+ Retry mode - Specifies which retry mode the AWS CLI uses. As described previously, there are three retry modes available: legacy, standard, and adaptive. The default value for the AWS CLI version 2 is standard.
+ Max attempts - Specifies the value of maximum retry attempts the AWS CLI retry handler uses, where the initial call counts toward the value that you provide. The default value is based on your retry mode.

### Defining a retry configuration in your environment variables
<a name="cli-usage-retries-configure-envvar"></a>

To define your retry configuration for the AWS CLI, update your operating system's environment variables.

The retry environment variables are:
+ `AWS_RETRY_MODE`
+ `AWS_MAX_ATTEMPTS`

For more information on environment variables, see [Configuring environment variables for the AWS CLI](cli-configure-envvars.md).

### Defining a retry configuration in your AWS configuration file
<a name="cli-usage-retries-configure-file"></a>

To change your retry configuration, update your global AWS configuration file. The default location for your AWS config file is `~/.aws/config`.

The following is an example of an AWS config file:

```
[default]
retry_mode = standard
max_attempts = 6
```

For more information on configuration files, see [Configuration and credential file settings in the AWS CLI](cli-configure-files.md).

## Viewing logs of retry attempts
<a name="cli-usage-retries-validate"></a>

The AWS CLI uses Boto3's retry methodology and logging. You can use the `--debug` option on any command to receive debug logs. For more information on how to use the `--debug` option, see [Command line options in the AWS CLI](cli-configure-options.md).

If you search for "retry" in your debug logs, you'll find the retry information you need. The client log entries for retry attempts depend on which retry mode you’ve enabled.

**Legacy mode:**

Retry messages are generated by `botocore.retryhandler`. You'll see one of three messages:
+ `No retry needed`
+ `Retry needed, action of: <action_name>`
+ `Reached the maximum number of retry attempts: <attempt_number>`

**Standard or adaptive mode:**

Retry messages are generated by `botocore.retries.standard`. You'll see one of three messages:
+ `No retrying request` 
+ `Retry needed, retrying request after delay of: <delay_value>`
+ `Retry needed but retry quota reached, not retrying request`

For the full definition file of botocore retries, see [_retry.json](https://github.com/boto/botocore/blob/develop/botocore/data/_retry.json) on the *botocore GitHub Repository*.
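
As an added example (not part of the AWS documentation or of the AWS CLI), the following Python script tallies the retry messages listed above from saved `--debug` output. The sample log lines, including their timestamp and thread prefix, are constructed, and `summarize_retries` is a hypothetical helper name.

```python
import re

# Message texts as listed on this page, grouped by the logger that emits them.
RULES = {
    "botocore.retryhandler": ("legacy", [
        ("no_retry", re.compile(r"No retry needed")),
        ("retry", re.compile(r"Retry needed, action of: (?P<value>\S+)")),
        ("gave_up", re.compile(
            r"Reached the maximum number of retry attempts: (?P<value>\d+)")),
    ]),
    "botocore.retries.standard": ("standard/adaptive", [
        ("no_retry", re.compile(r"No retrying request")),
        ("retry", re.compile(
            r"Retry needed, retrying request after delay of: "
            r"(?P<value>\d+(?:\.\d+)?)")),
        ("gave_up", re.compile(
            r"Retry needed but retry quota reached, not retrying request")),
    ]),
}

# Constructed sample lines. The prefix layout is an assumption; only the
# logger names and the message texts come from the page.
SAMPLE_DEBUG_LINES = [
    "2024-05-01 10:00:01,120 - MainThread - botocore.retries.standard - DEBUG - "
    "Retry needed, retrying request after delay of: 0.5",
    "2024-05-01 10:00:01,640 - MainThread - botocore.retries.standard - DEBUG - "
    "Retry needed, retrying request after delay of: 1.25",
    "2024-05-01 10:00:02,910 - MainThread - botocore.retries.standard - DEBUG - "
    "No retrying request",
    "2024-05-01 10:00:09,300 - MainThread - botocore.retries.standard - DEBUG - "
    "Retry needed but retry quota reached, not retrying request",
    "2024-05-01 10:00:09,350 - MainThread - botocore.retryhandler - DEBUG - "
    "No retry needed",
    "2024-05-01 10:00:09,400 - MainThread - botocore.retryhandler - DEBUG - "
    "Reached the maximum number of retry attempts: 5",
    # Mentions "retry" but is not one of the six retry messages: ignored.
    "2024-05-01 10:00:09,500 - MainThread - botocore.hooks - DEBUG - "
    "Event needs-retry.s3.ListBuckets: calling handler",
]


def summarize_retries(lines):
    """Count retry outcomes per mode and add up the logged backoff delays."""
    summary = {"modes": set(), "no_retry": 0, "retry": 0, "gave_up": 0,
               "delay_seconds": 0.0, "max_attempts_reached": []}
    for line in lines:
        for logger, (mode, rules) in RULES.items():
            if logger not in line:
                continue
            for outcome, pattern in rules:
                match = pattern.search(line)
                if match is None:
                    continue
                summary["modes"].add(mode)
                summary[outcome] += 1
                if mode == "standard/adaptive" and outcome == "retry":
                    # Standard and adaptive modes log the delay before the retry.
                    summary["delay_seconds"] += float(match.group("value"))
                if mode == "legacy" and outcome == "gave_up":
                    # Legacy mode logs the attempt number at which it stopped.
                    summary["max_attempts_reached"].append(
                        int(match.group("value")))
                break
    return summary


if __name__ == "__main__":
    print(summarize_retries(SAMPLE_DEBUG_LINES))
```

A non-zero `gave_up` count means at least one call exhausted its retries or its retry quota, which is the case worth alerting on in automation that wraps the AWS CLI.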

# Using an HTTP proxy for the AWS CLI
<a name="cli-configure-proxy"></a>

To access AWS through proxy servers, you can configure the `HTTP_PROXY` and `HTTPS_PROXY` environment variables with either the DNS domain names or IP addresses and port numbers that your proxy servers use.

**Topics**
+ [Using the examples](#cli-configure-proxy-using)
+ [Authenticating to a proxy](#cli-configure-proxy-auth)
+ [Using a proxy on Amazon EC2 instances](#cli-configure-proxy-ec2)
+ [Troubleshooting](#cli-configure-proxy-tshoot)

## Using the examples
<a name="cli-configure-proxy-using"></a>

**Note**  
The following examples show the environment variable name in all uppercase letters. However, if you specify a variable twice using different cases, the lowercase letters take precedence. We recommend that you define each variable only once to avoid system confusion and unexpected behavior.

The following examples show how you can use either the explicit IP address of your proxy or a DNS name that resolves to the IP address of your proxy. Either can be followed by a colon and the port number to which queries should be sent.

------
#### [ Linux or macOS ]

```
$ export HTTP_PROXY=http://10.15.20.25:1234
$ export HTTP_PROXY=http://proxy.example.com:1234
$ export HTTPS_PROXY=http://10.15.20.25:5678
$ export HTTPS_PROXY=http://proxy.example.com:5678
```

------
#### [ Windows Command Prompt ]

**To set for all sessions**

```
C:\> setx HTTP_PROXY http://10.15.20.25:1234
C:\> setx HTTP_PROXY http://proxy.example.com:1234
C:\> setx HTTPS_PROXY http://10.15.20.25:5678
C:\> setx HTTPS_PROXY http://proxy.example.com:5678
```

Using [`setx`](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/setx) to set an environment variable changes the value used in both the current command prompt session and all command prompt sessions that you create after running the command. It does ***not*** affect other command shells that are already running at the time you run the command.

**To set for current session only**

Using [`set`](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1) to set an environment variable changes the value used until the end of the current command prompt session, or until you set the variable to a different value.

```
C:\> set HTTP_PROXY=http://10.15.20.25:1234
C:\> set HTTP_PROXY=http://proxy.example.com:1234
C:\> set HTTPS_PROXY=http://10.15.20.25:5678
C:\> set HTTPS_PROXY=http://proxy.example.com:5678
```

------

## Authenticating to a proxy
<a name="cli-configure-proxy-auth"></a>

**Note**  
The AWS CLI doesn't support NTLM proxies. If you use an NTLM or Kerberos protocol proxy, you might be able to connect through an authentication proxy like [Cntlm](http://cntlm.sourceforge.net).

The AWS CLI supports HTTP Basic authentication. Specify the username and password in the proxy URL, as follows. 

------
#### [ Linux or macOS ]

```
$ export HTTP_PROXY=http://username:password@proxy.example.com:1234
$ export HTTPS_PROXY=http://username:password@proxy.example.com:5678
```

------
#### [ Windows Command Prompt ]

**To set for all sessions**

```
C:\> setx HTTP_PROXY http://username:password@proxy.example.com:1234
C:\> setx HTTPS_PROXY http://username:password@proxy.example.com:5678
```

**To set for current session only**

```
C:\> set HTTP_PROXY=http://username:password@proxy.example.com:1234
C:\> set HTTPS_PROXY=http://username:password@proxy.example.com:5678
```

------

## Using a proxy on Amazon EC2 instances
<a name="cli-configure-proxy-ec2"></a>

If you configure a proxy on an Amazon EC2 instance launched with an attached IAM role, ensure that you exempt the address used to access the [instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html). To do this, set the `NO_PROXY` environment variable to the IP address of the instance metadata service, 169.254.169.254. This address does not vary.

------
#### [ Linux or macOS ]

```
$ export NO_PROXY=169.254.169.254
```

------
#### [ Windows Command Prompt ]

**To set for all sessions**

```
C:\> setx NO_PROXY 169.254.169.254
```

**To set for current session only**

```
C:\> set NO_PROXY=169.254.169.254
```

------
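
An added example, not part of the AWS documentation: a Python check that applies the three points above to an environment, namely the same variable set in both cases, credentials embedded in the proxy URL, and a missing instance metadata exemption. The function names and the `on_ec2` flag are assumptions of this example; the sample values are the ones used on this page.

```python
import os
from urllib.parse import urlsplit

IMDS_ADDRESS = "169.254.169.254"  # instance metadata address given on this page
PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY")


def effective(env, name):
    """Return (value, conflict) for a variable that may be set in both cases.

    The lowercase spelling takes precedence when both are defined.
    """
    lower, upper = env.get(name.lower()), env.get(name.upper())
    conflict = lower is not None and upper is not None and lower != upper
    return (lower if lower is not None else upper), conflict


def redact(url):
    """Return the proxy URL with any password replaced, safe to log."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return f"{parts.scheme}://{parts.username}:***@{host}"


def audit_proxy_env(env, on_ec2=False):
    """Return a list of (variable, finding, detail) tuples for a given environment."""
    findings = []
    proxy_set = False
    for name in PROXY_VARS:
        value, conflict = effective(env, name)
        if conflict:
            findings.append(
                (name, "case-conflict", f"{name.lower()} overrides {name}"))
        if not value:
            continue
        proxy_set = True
        if urlsplit(value).password is not None:
            # HTTP Basic credentials in the URL are readable by every child
            # process, and setx persists them beyond the current session.
            findings.append((name, "embedded-credentials", redact(value)))
    if proxy_set and on_ec2:
        no_proxy, _ = effective(env, "NO_PROXY")
        exempt = [host.strip() for host in (no_proxy or "").split(",")]
        if IMDS_ADDRESS not in exempt:
            # Without the exemption, role credential lookups go to the proxy.
            findings.append(("NO_PROXY", "imds-not-exempt", IMDS_ADDRESS))
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_env(dict(os.environ)):
        print(finding)
```

Pass `on_ec2=True` when running the check on an instance that has an IAM role attached.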

## Troubleshooting
<a name="cli-configure-proxy-tshoot"></a>

If you come across issues with the AWS CLI, see [Troubleshooting errors for the AWS CLI](cli-chap-troubleshooting.md) for troubleshooting steps. For the most relevant troubleshooting steps, see [SSL certificate errors](cli-chap-troubleshooting.md#tshoot-certificate-verify-failed).

# Using endpoints in the AWS CLI
<a name="cli-configure-endpoints"></a>

To connect programmatically to an AWS service, you use an endpoint. An *endpoint* is the URL of the entry point for an AWS web service. The AWS Command Line Interface (AWS CLI) automatically uses the default endpoint for each service in an AWS Region, but you can specify an alternate endpoint for your API requests.

**Contents**
+ [Set endpoint for a single command](#endpoints-command)
+ [Set global endpoint for all AWS services](#endpoints-global)
+ [Set to use FIPS endpoints for all AWS services](#endpoints-fips)
+ [Set to use dual-stack endpoints for all AWS services](#endpoints-dual-stack)
+ [Set service-specific endpoints](#endpoints-service-specific)
  + [Environment variables](#endpoints-service-specific-envvars)
  + [Shared `config` file](#endpoints-service-specific-config)
  + [List of service-specific identifiers](#endpoints-service-specific-table)
+ [Account-based endpoints](#endpoints-accountid)
+ [Endpoint configuration and settings precedence](#endpoints-precedence)

## Set endpoint for a single command
<a name="endpoints-command"></a>

To override any endpoint settings or environment variables for a single command, use the `--endpoint-url` command line option. The following command example uses a custom Amazon S3 endpoint URL.

```
$ aws s3 ls --endpoint-url http://localhost:4567
```

## Set global endpoint for all AWS services
<a name="endpoints-global"></a>

To route requests for all services to a custom endpoint URL, use one of the following settings:
+ Environment variables:
  + `AWS_IGNORE_CONFIGURED_ENDPOINT_URLS` - Ignore configured endpoint URLs.

------
#### [ Linux or macOS ]

    ```
    $ export AWS_IGNORE_CONFIGURED_ENDPOINT_URLS=true
    ```

------
#### [ Windows Command Prompt ]

    **To set for all sessions**

    ```
    C:\> setx AWS_IGNORE_CONFIGURED_ENDPOINT_URLS true
    ```

    **To set for current session only**

    ```
    C:\> set AWS_IGNORE_CONFIGURED_ENDPOINT_URLS=true
    ```

------
#### [ PowerShell ]

    ```
    PS C:\> $Env:AWS_IGNORE_CONFIGURED_ENDPOINT_URLS="true"
    ```

------
  + `AWS_ENDPOINT_URL` - Set global endpoint URL.

------
#### [ Linux or macOS ]

    ```
    $ export AWS_ENDPOINT_URL=http://localhost:4567
    ```

------
#### [ Windows Command Prompt ]

    **To set for all sessions**

    ```
    C:\> setx AWS_ENDPOINT_URL http://localhost:4567
    ```

    **To set for current session only**

    ```
    C:\> set AWS_ENDPOINT_URL=http://localhost:4567
    ```

------
#### [ PowerShell ]

    ```
    PS C:\> $Env:AWS_ENDPOINT_URL="http://localhost:4567"
    ```

------
+ The `config` file:
  + `ignore_configured_endpoint_urls` - Ignore configured endpoint URLs.

    ```
    ignore_configured_endpoint_urls = true
    ```
  + `endpoint_url` - Set global endpoint URL.

    ```
    endpoint_url = http://localhost:4567
    ```

Service-specific endpoints and the `--endpoint-url` command line option override any global endpoints.

## Set to use FIPS endpoints for all AWS services
<a name="endpoints-fips"></a>

To route requests for all services to use FIPS endpoints, use one of the following:
+ `AWS_USE_FIPS_ENDPOINT` environment variable.

------
#### [ Linux or macOS ]

  ```
  $ export AWS_USE_FIPS_ENDPOINT=true
  ```

------
#### [ Windows Command Prompt ]

  **To set for all sessions**

  ```
  C:\> setx AWS_USE_FIPS_ENDPOINT true
  ```

  **To set for current session only**

  ```
  C:\> set AWS_USE_FIPS_ENDPOINT=true
  ```

------
#### [ PowerShell ]

  ```
  PS C:\> $Env:AWS_USE_FIPS_ENDPOINT="true"
  ```

------
+ `use_fips_endpoint` file setting.

  ```
  use_fips_endpoint = true
  ```

Some AWS services offer endpoints that support [Federal Information Processing Standard (FIPS) 140-2](http://aws.amazon.com/compliance/fips/) in some AWS Regions. When the AWS service supports FIPS, this setting specifies what FIPS endpoint the AWS CLI should use. Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that complies with FIPS 140-2. These endpoints might be required by enterprises that interact with the United States government.

If this setting is enabled, but a FIPS endpoint does not exist for the service in your AWS Region, the AWS command may fail. In this case, manually specify the endpoint to use in the command using the `--endpoint-url` option or use [service-specific endpoints](#endpoints-service-specific).

For more information on specifying FIPS endpoints by AWS Region, see [FIPS Endpoints by Service](https://aws.amazon.com/compliance/fips/).

## Set to use dual-stack endpoints for all AWS services
<a name="endpoints-dual-stack"></a>

To route requests for all services to use dual-stack endpoints when available, use one of the following settings:
+ `AWS_USE_DUALSTACK_ENDPOINT` environment variable.

------
#### [ Linux or macOS ]

  ```
  $ export AWS_USE_DUALSTACK_ENDPOINT=true
  ```

------
#### [ Windows Command Prompt ]

  **To set for all sessions**

  ```
  C:\> setx AWS_USE_DUALSTACK_ENDPOINT true
  ```

  **To set for current session only**

  ```
  C:\> set AWS_USE_DUALSTACK_ENDPOINT=true
  ```

------
#### [ PowerShell ]

  ```
  PS C:\> $Env:AWS_USE_DUALSTACK_ENDPOINT="true"
  ```

------
+ `use_dualstack_endpoint` file setting.

  ```
  use_dualstack_endpoint = true
  ```

This setting enables the use of dual-stack endpoints to send AWS requests. To learn more about dual-stack endpoints, which support both IPv4 and IPv6 traffic, see [Using Amazon S3 dual-stack endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) in the *Amazon Simple Storage Service User Guide*. Dual-stack endpoints are available for some services in some Regions. If a dual-stack endpoint does not exist for the service or AWS Region, the request fails. This setting is disabled by default.

## Set service-specific endpoints
<a name="endpoints-service-specific"></a>

Service-specific endpoint configuration provides the option to use a persistent endpoint of your choosing for AWS CLI requests. These settings provide flexibility to support local endpoints, VPC endpoints, and third-party local AWS development environments. Different endpoints can be used for testing and production environments. You can specify an endpoint URL for individual AWS services. 

Service-specific endpoints can be specified in the following ways:
+ The command line option `--endpoint-url` for a single command.
+ Environment variables:
  + `AWS_IGNORE_CONFIGURED_ENDPOINT_URLS` - Ignore all configured endpoint URLs, unless specified on the command line.
  + `AWS_ENDPOINT_URL_<SERVICE>` - Specifies a custom endpoint that is used for a specific service, where `<SERVICE>` is replaced with the AWS service identifier. For all service-specific variables, see [Service-specific endpoints: List of service-specific identifiers](#endpoints-service-specific-table).
+ `config` file:
  + `ignore_configured_endpoint_urls` - Ignore all configured endpoint URLs, unless specified using environment variables or on the command line.
  + The [`services`](cli-configure-files.md#cli-configure-files-format-services) section of the `config` file combined with the `endpoint_url` file setting.

**Topics**
+ [Environment variables](#endpoints-service-specific-envvars)
+ [Shared `config` file](#endpoints-service-specific-config)
+ [List of service-specific identifiers](#endpoints-service-specific-table)

### Service-specific endpoints: Environment variables
<a name="endpoints-service-specific-envvars"></a>

Environment variables override settings in your config file, but do not override options specified on the command line. Use environment variables if you want all profiles to use the same endpoints on your device.

The following are service-specific environment variables:
+ `AWS_IGNORE_CONFIGURED_ENDPOINT_URLS` - Ignore all configured endpoint URLs, unless specified on the command line.

------
#### [ Linux or macOS ]

  ```
  $ export AWS_IGNORE_CONFIGURED_ENDPOINT_URLS=true
  ```

------
#### [ Windows Command Prompt ]

  **To set for all sessions**

  ```
  C:\> setx AWS_IGNORE_CONFIGURED_ENDPOINT_URLS true
  ```

  **To set for current session only**

  ```
  C:\> set AWS_IGNORE_CONFIGURED_ENDPOINT_URLS=true
  ```

------
#### [ PowerShell ]

  ```
  PS C:\> $Env:AWS_IGNORE_CONFIGURED_ENDPOINT_URLS="true"
  ```

------
+ `AWS_ENDPOINT_URL_<SERVICE>` - Specifies a custom endpoint that is used for a specific service, where `<SERVICE>` is replaced with the AWS service identifier. For all service-specific variables, see [Service-specific endpoints: List of service-specific identifiers](#endpoints-service-specific-table).

  The following environment variable examples set an endpoint for AWS Elastic Beanstalk:

------
#### [ Linux or macOS ]

  ```
  $ export AWS_ENDPOINT_URL_ELASTIC_BEANSTALK=http://localhost:4567
  ```

------
#### [ Windows Command Prompt ]

  **To set for all sessions**

  ```
  C:\> setx AWS_ENDPOINT_URL_ELASTIC_BEANSTALK http://localhost:4567
  ```

  **To set for current session only**

  ```
  C:\> set AWS_ENDPOINT_URL_ELASTIC_BEANSTALK=http://localhost:4567
  ```

------
#### [ PowerShell ]

  ```
  PS C:\> $Env:AWS_ENDPOINT_URL_ELASTIC_BEANSTALK="http://localhost:4567"
  ```

------

For more information on setting environment variables, see [Configuring environment variables for the AWS CLI](cli-configure-envvars.md).

### Service-specific endpoints: Shared `config` file
<a name="endpoints-service-specific-config"></a>

In the shared `config` file, `endpoint_url` is used in multiple sections. To set a service-specific endpoint, use the `endpoint_url` setting nested under a service identifier key within a `services` section. For details on defining a `services` section in your shared `config` file, see [Section type: `services`](cli-configure-files.md#cli-configure-files-format-services). 

The following example uses a `services` section to configure a service-specific endpoint URL for Amazon S3 and a custom global endpoint used for all other services: 

```
[profile dev1]
endpoint_url = http://localhost:1234
services = testing-s3

[services testing-s3]
s3 = 
  endpoint_url = http://localhost:4567
```

A single profile can configure endpoints for multiple services. The following example sets the service-specific endpoint URLs for Amazon S3 and AWS Elastic Beanstalk in the same profile.

For a list of all service identifier keys to use in the `services` section, see [List of service-specific identifiers](#endpoints-service-specific-table). 

```
[profile dev1]
services = testing-s3-and-eb

[services testing-s3-and-eb]
s3 = 
  endpoint_url = http://localhost:4567
elastic_beanstalk = 
  endpoint_url = http://localhost:8000
```

The service configuration section can be used in multiple profiles. The following example has two profiles use the same `services` definition: 

```
[profile dev1]
output = json
services = testing-s3

[profile dev2]
output = text
services = testing-s3

[services testing-s3]
s3 = 
  endpoint_url = https://localhost:4567
```
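
An added example, not part of the AWS documentation or the AWS CLI: a Python lint for the shared `config` file that lists every endpoint override per profile, applies the rule that environment variables override the file, and reports a `services` reference with no matching section. The sample file, the host `eb.internal.example`, the helper names, and the choice to flag plaintext HTTP to non-loopback hosts are assumptions of this example.

```python
import configparser
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ENV_PREFIX = "AWS_ENDPOINT_URL_"

# Constructed sample: dev1 references a services section that does not exist.
SAMPLE_CONFIG = """\
[profile dev1]
endpoint_url = http://localhost:1234
services = s3-specific

[profile dev2]
services = testing-s3

[services testing-s3]
s3 =
  endpoint_url = http://localhost:4567
elastic_beanstalk =
  endpoint_url = http://eb.internal.example:8000
"""


def _nested(value):
    """Parse the indented 'key = value' lines nested under a service key."""
    settings = {}
    for line in value.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    return settings


def _problem(url):
    """Flag endpoints that would receive requests over plaintext HTTP off-host."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname not in LOOPBACK:
        return "plaintext http to non-loopback host"
    return None


def lint_endpoints(config_text, env=None):
    """Return (profile, scope, url, source, problem) rows; scope '*' is global."""
    env = env or {}
    parser = configparser.RawConfigParser(delimiters=("=",))  # no interpolation
    parser.read_string(config_text)
    if env.get("AWS_IGNORE_CONFIGURED_ENDPOINT_URLS", "").lower() == "true":
        return []  # configured endpoint URLs are ignored entirely
    rows = []
    for section in parser.sections():
        if section != "default" and not section.startswith("profile "):
            continue
        profile = section[len("profile "):] if section != "default" else section
        # Global endpoint: the environment variable overrides the config file.
        if "AWS_ENDPOINT_URL" in env:
            url, source = env["AWS_ENDPOINT_URL"], "env"
        else:
            url, source = parser.get(section, "endpoint_url", fallback=None), "config"
        if url:
            rows.append((profile, "*", url, source, _problem(url)))
        services = {}
        ref = parser.get(section, "services", fallback=None)
        if ref and parser.has_section(f"services {ref}"):
            for key, value in parser.items(f"services {ref}"):
                nested_url = _nested(value).get("endpoint_url")
                if nested_url:
                    services[key] = (nested_url, "config")
        elif ref:
            rows.append((profile, "*", None, "config",
                         f"missing [services {ref}] section"))
        # AWS_ENDPOINT_URL_<SERVICE> overrides the same service in the file.
        for name, value in env.items():
            if name.startswith(ENV_PREFIX):
                services[name[len(ENV_PREFIX):].lower()] = (value, "env")
        for key in sorted(services):
            service_url, source = services[key]
            rows.append((profile, key, service_url, source, _problem(service_url)))
    return rows


if __name__ == "__main__":
    for row in lint_endpoints(SAMPLE_CONFIG):
        print(row)
```

An `--endpoint-url` option on the command line still overrides everything this lint reports, so it covers only persistent settings.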

### Service-specific endpoints: List of service-specific identifiers
<a name="endpoints-service-specific-table"></a>

The AWS service identifier is based on the API model’s `serviceId` by replacing all spaces with underscores and lowercasing all letters. 

The following table lists all service-specific identifiers, `config` file keys, and environment variables.


| `serviceId` | Service identifier key for shared AWS `config` file | `AWS_ENDPOINT_URL_<SERVICE>` environment variable | 
| --- | --- | --- | 
|  AccessAnalyzer  |  accessanalyzer  |  AWS_ENDPOINT_URL_ACCESSANALYZER  |
|  Account  |  account  |  AWS_ENDPOINT_URL_ACCOUNT  |
|  ACM  |  acm  |  AWS_ENDPOINT_URL_ACM  |
|  ACM PCA  |  acm_pca  |  AWS_ENDPOINT_URL_ACM_PCA  |
|  Alexa For Business  |  alexa_for_business  |  AWS_ENDPOINT_URL_ALEXA_FOR_BUSINESS  |
|  amp  |  amp  |  AWS_ENDPOINT_URL_AMP  |
|  Amplify  |  amplify  |  AWS_ENDPOINT_URL_AMPLIFY  |
|  AmplifyBackend  |  amplifybackend  |  AWS_ENDPOINT_URL_AMPLIFYBACKEND  |
|  AmplifyUIBuilder  |  amplifyuibuilder  |  AWS_ENDPOINT_URL_AMPLIFYUIBUILDER  |
|  API Gateway  |  api_gateway  |  AWS_ENDPOINT_URL_API_GATEWAY  |
|  ApiGatewayManagementApi  |  apigatewaymanagementapi  |  AWS_ENDPOINT_URL_APIGATEWAYMANAGEMENTAPI  |
|  ApiGatewayV2  |  apigatewayv2  |  AWS_ENDPOINT_URL_APIGATEWAYV2  |
|  AppConfig  |  appconfig  |  AWS_ENDPOINT_URL_APPCONFIG  |
|  AppConfigData  |  appconfigdata  |  AWS_ENDPOINT_URL_APPCONFIGDATA  |
|  AppFabric  |  appfabric  |  AWS_ENDPOINT_URL_APPFABRIC  |
|  Appflow  |  appflow  |  AWS_ENDPOINT_URL_APPFLOW  |
|  AppIntegrations  |  appintegrations  |  AWS_ENDPOINT_URL_APPINTEGRATIONS  |
|  Application Auto Scaling  |  application_auto_scaling  |  AWS_ENDPOINT_URL_APPLICATION_AUTO_SCALING  |
|  Application Insights  |  application_insights  |  AWS_ENDPOINT_URL_APPLICATION_INSIGHTS  |
|  ApplicationCostProfiler  |  applicationcostprofiler  |  AWS_ENDPOINT_URL_APPLICATIONCOSTPROFILER  |
|  App Mesh  |  app_mesh  |  AWS_ENDPOINT_URL_APP_MESH  |
|  AppRunner  |  apprunner  |  AWS_ENDPOINT_URL_APPRUNNER  |
|  AppStream  |  appstream  |  AWS_ENDPOINT_URL_APPSTREAM  |
|  AppSync  |  appsync  |  AWS_ENDPOINT_URL_APPSYNC  |
|  ARC Zonal Shift  |  arc_zonal_shift  |  AWS_ENDPOINT_URL_ARC_ZONAL_SHIFT  |
|  Artifact  |  artifact  |  AWS_ENDPOINT_URL_ARTIFACT  |
|  Athena  |  athena  |  AWS_ENDPOINT_URL_ATHENA  |
|  AuditManager  |  auditmanager  |  AWS_ENDPOINT_URL_AUDITMANAGER  |
|  Auto Scaling  |  auto_scaling  |  AWS_ENDPOINT_URL_AUTO_SCALING  |
|  Auto Scaling Plans  |  auto_scaling_plans  |  AWS_ENDPOINT_URL_AUTO_SCALING_PLANS  |
|  b2bi  |  b2bi  |  AWS_ENDPOINT_URL_B2BI  |
|  Backup  |  backup  |  AWS_ENDPOINT_URL_BACKUP  |
|  Backup Gateway  |  backup_gateway  |  AWS_ENDPOINT_URL_BACKUP_GATEWAY  |
|  BackupStorage  |  backupstorage  |  AWS_ENDPOINT_URL_BACKUPSTORAGE  |
|  Batch  |  batch  |  AWS_ENDPOINT_URL_BATCH  |
|  BCM Data Exports  |  bcm_data_exports  |  AWS_ENDPOINT_URL_BCM_DATA_EXPORTS  |
|  Bedrock  |  bedrock  |  AWS_ENDPOINT_URL_BEDROCK  |
|  Bedrock Agent  |  bedrock_agent  |  AWS_ENDPOINT_URL_BEDROCK_AGENT  |
|  Bedrock Agent Runtime  |  bedrock_agent_runtime  |  AWS_ENDPOINT_URL_BEDROCK_AGENT_RUNTIME  |
|  Bedrock Runtime  |  bedrock_runtime  |  AWS_ENDPOINT_URL_BEDROCK_RUNTIME  |
|  billingconductor  |  billingconductor  |  AWS_ENDPOINT_URL_BILLINGCONDUCTOR  |
|  Braket  |  braket  |  AWS_ENDPOINT_URL_BRAKET  |
|  Budgets  |  budgets  |  AWS_ENDPOINT_URL_BUDGETS  |
|  Cost Explorer  |  cost_explorer  |  AWS_ENDPOINT_URL_COST_EXPLORER  |
|  chatbot  |  chatbot  |  AWS_ENDPOINT_URL_CHATBOT  |
|  Chime  |  chime  |  AWS_ENDPOINT_URL_CHIME  |
|  Chime SDK Identity  |  chime_sdk_identity  |  AWS_ENDPOINT_URL_CHIME_SDK_IDENTITY  |
|  Chime SDK Media Pipelines  |  chime_sdk_media_pipelines  |  AWS_ENDPOINT_URL_CHIME_SDK_MEDIA_PIPELINES  |
|  Chime SDK Meetings  |  chime_sdk_meetings  |  AWS_ENDPOINT_URL_CHIME_SDK_MEETINGS  |
|  Chime SDK Messaging  |  chime_sdk_messaging  |  AWS_ENDPOINT_URL_CHIME_SDK_MESSAGING  |
|  Chime SDK Voice  |  chime_sdk_voice  |  AWS_ENDPOINT_URL_CHIME_SDK_VOICE  |
|  CleanRooms  |  cleanrooms  |  AWS_ENDPOINT_URL_CLEANROOMS  |
|  CleanRoomsML  |  cleanroomsml  |  AWS_ENDPOINT_URL_CLEANROOMSML  |
|  Cloud9  |  cloud9  |  AWS_ENDPOINT_URL_CLOUD9  |
|  CloudControl  |  cloudcontrol  |  AWS_ENDPOINT_URL_CLOUDCONTROL  |
|  CloudDirectory  |  clouddirectory  |  AWS_ENDPOINT_URL_CLOUDDIRECTORY  |
|  CloudFormation  |  cloudformation  |  AWS_ENDPOINT_URL_CLOUDFORMATION  |
|  CloudFront  |  cloudfront  |  AWS_ENDPOINT_URL_CLOUDFRONT  |
|  CloudFront KeyValueStore  |  cloudfront_keyvaluestore  |  AWS_ENDPOINT_URL_CLOUDFRONT_KEYVALUESTORE  |
|  CloudHSM  |  cloudhsm  |  AWS_ENDPOINT_URL_CLOUDHSM  |
|  CloudHSM V2  |  cloudhsm_v2  |  AWS_ENDPOINT_URL_CLOUDHSM_V2  |
|  CloudSearch  |  cloudsearch  |  AWS_ENDPOINT_URL_CLOUDSEARCH  |
|  CloudSearch Domain  |  cloudsearch_domain  |  AWS_ENDPOINT_URL_CLOUDSEARCH_DOMAIN  |
|  CloudTrail  |  cloudtrail  |  AWS_ENDPOINT_URL_CLOUDTRAIL  |
|  CloudTrail Data  |  cloudtrail_data  |  AWS_ENDPOINT_URL_CLOUDTRAIL_DATA  |
|  CloudWatch  |  cloudwatch  |  AWS_ENDPOINT_URL_CLOUDWATCH  |
|  codeartifact  |  codeartifact  |  AWS_ENDPOINT_URL_CODEARTIFACT  |
|  CodeBuild  |  codebuild  |  AWS_ENDPOINT_URL_CODEBUILD  |
|  CodeCatalyst  |  codecatalyst  |  AWS_ENDPOINT_URL_CODECATALYST  |
|  CodeCommit  |  codecommit  |  AWS_ENDPOINT_URL_CODECOMMIT  |
|  CodeDeploy  |  codedeploy  |  AWS_ENDPOINT_URL_CODEDEPLOY  |
|  CodeGuru Reviewer  |  codeguru_reviewer  |  AWS_ENDPOINT_URL_CODEGURU_REVIEWER  |
|  CodeGuru Security  |  codeguru_security  |  AWS_ENDPOINT_URL_CODEGURU_SECURITY  |
|  CodeGuruProfiler  |  codeguruprofiler  |  AWS_ENDPOINT_URL_CODEGURUPROFILER  |
|  CodePipeline  |  codepipeline  |  AWS_ENDPOINT_URL_CODEPIPELINE  |
|  CodeStar  |  codestar  |  AWS_ENDPOINT_URL_CODESTAR  |
|  CodeStar connections  |  codestar_connections  |  AWS_ENDPOINT_URL_CODESTAR_CONNECTIONS  |
|  codestar notifications  |  codestar_notifications  |  AWS_ENDPOINT_URL_CODESTAR_NOTIFICATIONS  |
|  Cognito Identity  |  cognito_identity  |  AWS_ENDPOINT_URL_COGNITO_IDENTITY  |
|  Cognito Identity Provider  |  cognito_identity_provider  |  AWS_ENDPOINT_URL_COGNITO_IDENTITY_PROVIDER  |
|  Cognito Sync  |  cognito_sync  |  AWS_ENDPOINT_URL_COGNITO_SYNC  |
|  Comprehend  |  comprehend  |  AWS_ENDPOINT_URL_COMPREHEND  |
|  ComprehendMedical  |  comprehendmedical  |  AWS_ENDPOINT_URL_COMPREHENDMEDICAL  |
|  Compute Optimizer  |  compute_optimizer  |  AWS_ENDPOINT_URL_COMPUTE_OPTIMIZER  |
|  Config Service  |  config_service  |  AWS_ENDPOINT_URL_CONFIG_SERVICE  |
|  Connect  |  connect  |  AWS_ENDPOINT_URL_CONNECT  |
|  Connect Contact Lens  |  connect_contact_lens  |  AWS_ENDPOINT_URL_CONNECT_CONTACT_LENS  |
|  ConnectCampaigns  |  connectcampaigns  |  AWS_ENDPOINT_URL_CONNECTCAMPAIGNS  |
|  ConnectCases  |  connectcases  |  AWS_ENDPOINT_URL_CONNECTCASES  |
|  ConnectParticipant  |  connectparticipant  |  AWS_ENDPOINT_URL_CONNECTPARTICIPANT  |
|  ControlTower  |  controltower  |  AWS_ENDPOINT_URL_CONTROLTOWER  |
|  Cost Optimization Hub  |  cost_optimization_hub  |  AWS_ENDPOINT_URL_COST_OPTIMIZATION_HUB  |
|  Cost and Usage Report Service  |  cost_and_usage_report_service  |  AWS_ENDPOINT_URL_COST_AND_USAGE_REPORT_SERVICE  |
|  Customer Profiles  |  customer_profiles  |  AWS_ENDPOINT_URL_CUSTOMER_PROFILES  |
|  DataBrew  |  databrew  |  AWS_ENDPOINT_URL_DATABREW  |
|  DataExchange  |  dataexchange  |  AWS_ENDPOINT_URL_DATAEXCHANGE  |
|  Data Pipeline  |  data_pipeline  |  AWS_ENDPOINT_URL_DATA_PIPELINE  |
|  DataSync  |  datasync  |  AWS_ENDPOINT_URL_DATASYNC  |
|  DataZone  |  datazone  |  AWS\$1ENDPOINT\$1URL\$1DATAZONE  | 
|  DAX  |  dax  |  AWS\$1ENDPOINT\$1URL\$1DAX  | 
|  Detective  |  detective  |  AWS\$1ENDPOINT\$1URL\$1DETECTIVE  | 
|  Device Farm  |  device\$1farm  |  AWS\$1ENDPOINT\$1URL\$1DEVICE\$1FARM  | 
|  DevOps Guru  |  devops\$1guru  |  AWS\$1ENDPOINT\$1URL\$1DEVOPS\$1GURU  | 
|  Direct Connect  |  direct\$1connect  |  AWS\$1ENDPOINT\$1URL\$1DIRECT\$1CONNECT  | 
|  Application Discovery Service  |  application\$1discovery\$1service  |  AWS\$1ENDPOINT\$1URL\$1APPLICATION\$1DISCOVERY\$1SERVICE  | 
|  DLM  |  dlm  |  AWS\$1ENDPOINT\$1URL\$1DLM  | 
|  Database Migration Service  |  database\$1migration\$1service  |  AWS\$1ENDPOINT\$1URL\$1DATABASE\$1MIGRATION\$1SERVICE  | 
|  DocDB  |  docdb  |  AWS\$1ENDPOINT\$1URL\$1DOCDB  | 
|  DocDB Elastic  |  docdb\$1elastic  |  AWS\$1ENDPOINT\$1URL\$1DOCDB\$1ELASTIC  | 
|  drs  |  drs  |  AWS\$1ENDPOINT\$1URL\$1DRS  | 
|  Directory Service  |  directory\$1service  |  AWS\$1ENDPOINT\$1URL\$1DIRECTORY\$1SERVICE  | 
|  DynamoDB  |  dynamodb  |  AWS\$1ENDPOINT\$1URL\$1DYNAMODB  | 
|  DynamoDB Streams  |  dynamodb\$1streams  |  AWS\$1ENDPOINT\$1URL\$1DYNAMODB\$1STREAMS  | 
|  EBS  |  ebs  |  AWS\$1ENDPOINT\$1URL\$1EBS  | 
|  EC2  |  ec2  |  AWS\$1ENDPOINT\$1URL\$1EC2  | 
|  EC2 Instance Connect  |  ec2\$1instance\$1connect  |  AWS\$1ENDPOINT\$1URL\$1EC2\$1INSTANCE\$1CONNECT  | 
|  ECR  |  ecr  |  AWS\$1ENDPOINT\$1URL\$1ECR  | 
|  ECR PUBLIC  |  ecr\$1public  |  AWS\$1ENDPOINT\$1URL\$1ECR\$1PUBLIC  | 
|  ECS  |  ecs  |  AWS\$1ENDPOINT\$1URL\$1ECS  | 
|  EFS  |  efs  |  AWS\$1ENDPOINT\$1URL\$1EFS  | 
|  EKS  |  eks  |  AWS\$1ENDPOINT\$1URL\$1EKS  | 
|  EKS Auth  |  eks\$1auth  |  AWS\$1ENDPOINT\$1URL\$1EKS\$1AUTH  | 
|  Elastic Inference  |  elastic\$1inference  |  AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1INFERENCE  | 
|  ElastiCache  |  elasticache  |  AWS\$1ENDPOINT\$1URL\$1ELASTICACHE  | 
|  Elastic Beanstalk  |  elastic\$1beanstalk  |  AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1BEANSTALK  | 
|  Elastic Transcoder  |  elastic\$1transcoder  |  AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1TRANSCODER  | 
|  Elastic Load Balancing  |  elastic\$1load\$1balancing  |  AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1LOAD\$1BALANCING  | 
|  Elastic Load Balancing v2  |  elastic\$1load\$1balancing\$1v2  |  AWS\$1ENDPOINT\$1URL\$1ELASTIC\$1LOAD\$1BALANCING\$1V2  | 
|  EMR  |  emr  |  AWS\$1ENDPOINT\$1URL\$1EMR  | 
|  EMR containers  |  emr\$1containers  |  AWS\$1ENDPOINT\$1URL\$1EMR\$1CONTAINERS  | 
|  EMR Serverless  |  emr\$1serverless  |  AWS\$1ENDPOINT\$1URL\$1EMR\$1SERVERLESS  | 
|  EntityResolution  |  entityresolution  |  AWS\$1ENDPOINT\$1URL\$1ENTITYRESOLUTION  | 
|  Elasticsearch Service  |  elasticsearch\$1service  |  AWS\$1ENDPOINT\$1URL\$1ELASTICSEARCH\$1SERVICE  | 
|  EventBridge  |  eventbridge  |  AWS\$1ENDPOINT\$1URL\$1EVENTBRIDGE  | 
|  Evidently  |  evidently  |  AWS\$1ENDPOINT\$1URL\$1EVIDENTLY  | 
|  finspace  |  finspace  |  AWS\$1ENDPOINT\$1URL\$1FINSPACE  | 
|  finspace data  |  finspace\$1data  |  AWS\$1ENDPOINT\$1URL\$1FINSPACE\$1DATA  | 
|  Firehose  |  firehose  |  AWS\$1ENDPOINT\$1URL\$1FIREHOSE  | 
|  fis  |  fis  |  AWS\$1ENDPOINT\$1URL\$1FIS  | 
|  FMS  |  fms  |  AWS\$1ENDPOINT\$1URL\$1FMS  | 
|  forecast  |  forecast  |  AWS\$1ENDPOINT\$1URL\$1FORECAST  | 
|  forecastquery  |  forecastquery  |  AWS\$1ENDPOINT\$1URL\$1FORECASTQUERY  | 
|  FraudDetector  |  frauddetector  |  AWS\$1ENDPOINT\$1URL\$1FRAUDDETECTOR  | 
|  FreeTier  |  freetier  |  AWS\$1ENDPOINT\$1URL\$1FREETIER  | 
|  FSx  |  fsx  |  AWS_ENDPOINT_URL_FSX  | 
|  GameLift  |  gamelift  |  AWS_ENDPOINT_URL_GAMELIFT  | 
|  Glacier  |  glacier  |  AWS_ENDPOINT_URL_GLACIER  | 
|  Global Accelerator  |  global_accelerator  |  AWS_ENDPOINT_URL_GLOBAL_ACCELERATOR  | 
|  Glue  |  glue  |  AWS_ENDPOINT_URL_GLUE  | 
|  grafana  |  grafana  |  AWS_ENDPOINT_URL_GRAFANA  | 
|  Greengrass  |  greengrass  |  AWS_ENDPOINT_URL_GREENGRASS  | 
|  GreengrassV2  |  greengrassv2  |  AWS_ENDPOINT_URL_GREENGRASSV2  | 
|  GroundStation  |  groundstation  |  AWS_ENDPOINT_URL_GROUNDSTATION  | 
|  GuardDuty  |  guardduty  |  AWS_ENDPOINT_URL_GUARDDUTY  | 
|  Health  |  health  |  AWS_ENDPOINT_URL_HEALTH  | 
|  HealthLake  |  healthlake  |  AWS_ENDPOINT_URL_HEALTHLAKE  | 
|  Honeycode  |  honeycode  |  AWS_ENDPOINT_URL_HONEYCODE  | 
|  IAM  |  iam  |  AWS_ENDPOINT_URL_IAM  | 
|  identitystore  |  identitystore  |  AWS_ENDPOINT_URL_IDENTITYSTORE  | 
|  imagebuilder  |  imagebuilder  |  AWS_ENDPOINT_URL_IMAGEBUILDER  | 
|  ImportExport  |  importexport  |  AWS_ENDPOINT_URL_IMPORTEXPORT  | 
|  Inspector  |  inspector  |  AWS_ENDPOINT_URL_INSPECTOR  | 
|  Inspector Scan  |  inspector_scan  |  AWS_ENDPOINT_URL_INSPECTOR_SCAN  | 
|  Inspector2  |  inspector2  |  AWS_ENDPOINT_URL_INSPECTOR2  | 
|  InternetMonitor  |  internetmonitor  |  AWS_ENDPOINT_URL_INTERNETMONITOR  | 
|  IoT  |  iot  |  AWS_ENDPOINT_URL_IOT  | 
|  IoT Data Plane  |  iot_data_plane  |  AWS_ENDPOINT_URL_IOT_DATA_PLANE  | 
|  IoT Jobs Data Plane  |  iot_jobs_data_plane  |  AWS_ENDPOINT_URL_IOT_JOBS_DATA_PLANE  | 
|  IoT 1Click Devices Service  |  iot_1click_devices_service  |  AWS_ENDPOINT_URL_IOT_1CLICK_DEVICES_SERVICE  | 
|  IoT 1Click Projects  |  iot_1click_projects  |  AWS_ENDPOINT_URL_IOT_1CLICK_PROJECTS  | 
|  IoTAnalytics  |  iotanalytics  |  AWS_ENDPOINT_URL_IOTANALYTICS  | 
|  IotDeviceAdvisor  |  iotdeviceadvisor  |  AWS_ENDPOINT_URL_IOTDEVICEADVISOR  | 
|  IoT Events  |  iot_events  |  AWS_ENDPOINT_URL_IOT_EVENTS  | 
|  IoT Events Data  |  iot_events_data  |  AWS_ENDPOINT_URL_IOT_EVENTS_DATA  | 
|  IoTFleetHub  |  iotfleethub  |  AWS_ENDPOINT_URL_IOTFLEETHUB  | 
|  IoTFleetWise  |  iotfleetwise  |  AWS_ENDPOINT_URL_IOTFLEETWISE  | 
|  IoTSecureTunneling  |  iotsecuretunneling  |  AWS_ENDPOINT_URL_IOTSECURETUNNELING  | 
|  IoTSiteWise  |  iotsitewise  |  AWS_ENDPOINT_URL_IOTSITEWISE  | 
|  IoTThingsGraph  |  iotthingsgraph  |  AWS_ENDPOINT_URL_IOTTHINGSGRAPH  | 
|  IoTTwinMaker  |  iottwinmaker  |  AWS_ENDPOINT_URL_IOTTWINMAKER  | 
|  IoT Wireless  |  iot_wireless  |  AWS_ENDPOINT_URL_IOT_WIRELESS  | 
|  ivs  |  ivs  |  AWS_ENDPOINT_URL_IVS  | 
|  IVS RealTime  |  ivs_realtime  |  AWS_ENDPOINT_URL_IVS_REALTIME  | 
|  ivschat  |  ivschat  |  AWS_ENDPOINT_URL_IVSCHAT  | 
|  Kafka  |  kafka  |  AWS_ENDPOINT_URL_KAFKA  | 
|  KafkaConnect  |  kafkaconnect  |  AWS_ENDPOINT_URL_KAFKACONNECT  | 
|  kendra  |  kendra  |  AWS_ENDPOINT_URL_KENDRA  | 
|  Kendra Ranking  |  kendra_ranking  |  AWS_ENDPOINT_URL_KENDRA_RANKING  | 
|  Keyspaces  |  keyspaces  |  AWS_ENDPOINT_URL_KEYSPACES  | 
|  Kinesis  |  kinesis  |  AWS_ENDPOINT_URL_KINESIS  | 
|  Kinesis Video Archived Media  |  kinesis_video_archived_media  |  AWS_ENDPOINT_URL_KINESIS_VIDEO_ARCHIVED_MEDIA  | 
|  Kinesis Video Media  |  kinesis_video_media  |  AWS_ENDPOINT_URL_KINESIS_VIDEO_MEDIA  | 
|  Kinesis Video Signaling  |  kinesis_video_signaling  |  AWS_ENDPOINT_URL_KINESIS_VIDEO_SIGNALING  | 
|  Kinesis Video WebRTC Storage  |  kinesis_video_webrtc_storage  |  AWS_ENDPOINT_URL_KINESIS_VIDEO_WEBRTC_STORAGE  | 
|  Kinesis Analytics  |  kinesis_analytics  |  AWS_ENDPOINT_URL_KINESIS_ANALYTICS  | 
|  Kinesis Analytics V2  |  kinesis_analytics_v2  |  AWS_ENDPOINT_URL_KINESIS_ANALYTICS_V2  | 
|  Kinesis Video  |  kinesis_video  |  AWS_ENDPOINT_URL_KINESIS_VIDEO  | 
|  KMS  |  kms  |  AWS_ENDPOINT_URL_KMS  | 
|  LakeFormation  |  lakeformation  |  AWS_ENDPOINT_URL_LAKEFORMATION  | 
|  Lambda  |  lambda  |  AWS_ENDPOINT_URL_LAMBDA  | 
|  Launch Wizard  |  launch_wizard  |  AWS_ENDPOINT_URL_LAUNCH_WIZARD  | 
|  Lex Model Building Service  |  lex_model_building_service  |  AWS_ENDPOINT_URL_LEX_MODEL_BUILDING_SERVICE  | 
|  Lex Runtime Service  |  lex_runtime_service  |  AWS_ENDPOINT_URL_LEX_RUNTIME_SERVICE  | 
|  Lex Models V2  |  lex_models_v2  |  AWS_ENDPOINT_URL_LEX_MODELS_V2  | 
|  Lex Runtime V2  |  lex_runtime_v2  |  AWS_ENDPOINT_URL_LEX_RUNTIME_V2  | 
|  License Manager  |  license_manager  |  AWS_ENDPOINT_URL_LICENSE_MANAGER  | 
|  License Manager Linux Subscriptions  |  license_manager_linux_subscriptions  |  AWS_ENDPOINT_URL_LICENSE_MANAGER_LINUX_SUBSCRIPTIONS  | 
|  License Manager User Subscriptions  |  license_manager_user_subscriptions  |  AWS_ENDPOINT_URL_LICENSE_MANAGER_USER_SUBSCRIPTIONS  | 
|  Lightsail  |  lightsail  |  AWS_ENDPOINT_URL_LIGHTSAIL  | 
|  Location  |  location  |  AWS_ENDPOINT_URL_LOCATION  | 
|  CloudWatch Logs  |  cloudwatch_logs  |  AWS_ENDPOINT_URL_CLOUDWATCH_LOGS  | 
|  LookoutEquipment  |  lookoutequipment  |  AWS_ENDPOINT_URL_LOOKOUTEQUIPMENT  | 
|  LookoutMetrics  |  lookoutmetrics  |  AWS_ENDPOINT_URL_LOOKOUTMETRICS  | 
|  LookoutVision  |  lookoutvision  |  AWS_ENDPOINT_URL_LOOKOUTVISION  | 
|  m2  |  m2  |  AWS_ENDPOINT_URL_M2  | 
|  Machine Learning  |  machine_learning  |  AWS_ENDPOINT_URL_MACHINE_LEARNING  | 
|  Macie2  |  macie2  |  AWS_ENDPOINT_URL_MACIE2  | 
|  ManagedBlockchain  |  managedblockchain  |  AWS_ENDPOINT_URL_MANAGEDBLOCKCHAIN  | 
|  ManagedBlockchain Query  |  managedblockchain_query  |  AWS_ENDPOINT_URL_MANAGEDBLOCKCHAIN_QUERY  | 
|  Marketplace Agreement  |  marketplace_agreement  |  AWS_ENDPOINT_URL_MARKETPLACE_AGREEMENT  | 
|  Marketplace Catalog  |  marketplace_catalog  |  AWS_ENDPOINT_URL_MARKETPLACE_CATALOG  | 
|  Marketplace Deployment  |  marketplace_deployment  |  AWS_ENDPOINT_URL_MARKETPLACE_DEPLOYMENT  | 
|  Marketplace Entitlement Service  |  marketplace_entitlement_service  |  AWS_ENDPOINT_URL_MARKETPLACE_ENTITLEMENT_SERVICE  | 
|  Marketplace Commerce Analytics  |  marketplace_commerce_analytics  |  AWS_ENDPOINT_URL_MARKETPLACE_COMMERCE_ANALYTICS  | 
|  MediaConnect  |  mediaconnect  |  AWS_ENDPOINT_URL_MEDIACONNECT  | 
|  MediaConvert  |  mediaconvert  |  AWS_ENDPOINT_URL_MEDIACONVERT  | 
|  MediaLive  |  medialive  |  AWS_ENDPOINT_URL_MEDIALIVE  | 
|  MediaPackage  |  mediapackage  |  AWS_ENDPOINT_URL_MEDIAPACKAGE  | 
|  MediaPackage Vod  |  mediapackage_vod  |  AWS_ENDPOINT_URL_MEDIAPACKAGE_VOD  | 
|  MediaPackageV2  |  mediapackagev2  |  AWS_ENDPOINT_URL_MEDIAPACKAGEV2  | 
|  MediaStore  |  mediastore  |  AWS_ENDPOINT_URL_MEDIASTORE  | 
|  MediaStore Data  |  mediastore_data  |  AWS_ENDPOINT_URL_MEDIASTORE_DATA  | 
|  MediaTailor  |  mediatailor  |  AWS_ENDPOINT_URL_MEDIATAILOR  | 
|  Medical Imaging  |  medical_imaging  |  AWS_ENDPOINT_URL_MEDICAL_IMAGING  | 
|  MemoryDB  |  memorydb  |  AWS_ENDPOINT_URL_MEMORYDB  | 
|  Marketplace Metering  |  marketplace_metering  |  AWS_ENDPOINT_URL_MARKETPLACE_METERING  | 
|  Migration Hub  |  migration_hub  |  AWS_ENDPOINT_URL_MIGRATION_HUB  | 
|  mgn  |  mgn  |  AWS_ENDPOINT_URL_MGN  | 
|  Migration Hub Refactor Spaces  |  migration_hub_refactor_spaces  |  AWS_ENDPOINT_URL_MIGRATION_HUB_REFACTOR_SPACES  | 
|  MigrationHub Config  |  migrationhub_config  |  AWS_ENDPOINT_URL_MIGRATIONHUB_CONFIG  | 
|  MigrationHubOrchestrator  |  migrationhuborchestrator  |  AWS_ENDPOINT_URL_MIGRATIONHUBORCHESTRATOR  | 
|  MigrationHubStrategy  |  migrationhubstrategy  |  AWS_ENDPOINT_URL_MIGRATIONHUBSTRATEGY  | 
|  Mobile  |  mobile  |  AWS_ENDPOINT_URL_MOBILE  | 
|  mq  |  mq  |  AWS_ENDPOINT_URL_MQ  | 
|  MTurk  |  mturk  |  AWS_ENDPOINT_URL_MTURK  | 
|  MWAA  |  mwaa  |  AWS_ENDPOINT_URL_MWAA  | 
|  Neptune  |  neptune  |  AWS_ENDPOINT_URL_NEPTUNE  | 
|  Neptune Graph  |  neptune_graph  |  AWS_ENDPOINT_URL_NEPTUNE_GRAPH  | 
|  neptunedata  |  neptunedata  |  AWS_ENDPOINT_URL_NEPTUNEDATA  | 
|  Network Firewall  |  network_firewall  |  AWS_ENDPOINT_URL_NETWORK_FIREWALL  | 
|  NetworkManager  |  networkmanager  |  AWS_ENDPOINT_URL_NETWORKMANAGER  | 
|  NetworkMonitor  |  networkmonitor  |  AWS_ENDPOINT_URL_NETWORKMONITOR  | 
|  nimble  |  nimble  |  AWS_ENDPOINT_URL_NIMBLE  | 
|  OAM  |  oam  |  AWS_ENDPOINT_URL_OAM  | 
|  Omics  |  omics  |  AWS_ENDPOINT_URL_OMICS  | 
|  OpenSearch  |  opensearch  |  AWS_ENDPOINT_URL_OPENSEARCH  | 
|  OpenSearchServerless  |  opensearchserverless  |  AWS_ENDPOINT_URL_OPENSEARCHSERVERLESS  | 
|  OpsWorks  |  opsworks  |  AWS_ENDPOINT_URL_OPSWORKS  | 
|  OpsWorksCM  |  opsworkscm  |  AWS_ENDPOINT_URL_OPSWORKSCM  | 
|  Organizations  |  organizations  |  AWS_ENDPOINT_URL_ORGANIZATIONS  | 
|  OSIS  |  osis  |  AWS_ENDPOINT_URL_OSIS  | 
|  Outposts  |  outposts  |  AWS_ENDPOINT_URL_OUTPOSTS  | 
|  p8data  |  p8data  |  AWS_ENDPOINT_URL_P8DATA  | 
|  Panorama  |  panorama  |  AWS_ENDPOINT_URL_PANORAMA  | 
|  Payment Cryptography  |  payment_cryptography  |  AWS_ENDPOINT_URL_PAYMENT_CRYPTOGRAPHY  | 
|  Payment Cryptography Data  |  payment_cryptography_data  |  AWS_ENDPOINT_URL_PAYMENT_CRYPTOGRAPHY_DATA  | 
|  Pca Connector Ad  |  pca_connector_ad  |  AWS_ENDPOINT_URL_PCA_CONNECTOR_AD  | 
|  Personalize  |  personalize  |  AWS_ENDPOINT_URL_PERSONALIZE  | 
|  Personalize Events  |  personalize_events  |  AWS_ENDPOINT_URL_PERSONALIZE_EVENTS  | 
|  Personalize Runtime  |  personalize_runtime  |  AWS_ENDPOINT_URL_PERSONALIZE_RUNTIME  | 
|  PI  |  pi  |  AWS_ENDPOINT_URL_PI  | 
|  Pinpoint  |  pinpoint  |  AWS_ENDPOINT_URL_PINPOINT  | 
|  Pinpoint Email  |  pinpoint_email  |  AWS_ENDPOINT_URL_PINPOINT_EMAIL  | 
|  Pinpoint SMS Voice  |  pinpoint_sms_voice  |  AWS_ENDPOINT_URL_PINPOINT_SMS_VOICE  | 
|  Pinpoint SMS Voice V2  |  pinpoint_sms_voice_v2  |  AWS_ENDPOINT_URL_PINPOINT_SMS_VOICE_V2  | 
|  Pipes  |  pipes  |  AWS_ENDPOINT_URL_PIPES  | 
|  Polly  |  polly  |  AWS_ENDPOINT_URL_POLLY  | 
|  Pricing  |  pricing  |  AWS_ENDPOINT_URL_PRICING  | 
|  PrivateNetworks  |  privatenetworks  |  AWS_ENDPOINT_URL_PRIVATENETWORKS  | 
|  Proton  |  proton  |  AWS_ENDPOINT_URL_PROTON  | 
|  QBusiness  |  qbusiness  |  AWS_ENDPOINT_URL_QBUSINESS  | 
|  QConnect  |  qconnect  |  AWS_ENDPOINT_URL_QCONNECT  | 
|  QLDB  |  qldb  |  AWS_ENDPOINT_URL_QLDB  | 
|  QLDB Session  |  qldb_session  |  AWS_ENDPOINT_URL_QLDB_SESSION  | 
|  QuickSight  |  quicksight  |  AWS_ENDPOINT_URL_QUICKSIGHT  | 
|  RAM  |  ram  |  AWS_ENDPOINT_URL_RAM  | 
|  rbin  |  rbin  |  AWS_ENDPOINT_URL_RBIN  | 
|  RDS  |  rds  |  AWS_ENDPOINT_URL_RDS  | 
|  RDS Data  |  rds_data  |  AWS_ENDPOINT_URL_RDS_DATA  | 
|  Redshift  |  redshift  |  AWS_ENDPOINT_URL_REDSHIFT  | 
|  Redshift Data  |  redshift_data  |  AWS_ENDPOINT_URL_REDSHIFT_DATA  | 
|  Redshift Serverless  |  redshift_serverless  |  AWS_ENDPOINT_URL_REDSHIFT_SERVERLESS  | 
|  Rekognition  |  rekognition  |  AWS_ENDPOINT_URL_REKOGNITION  | 
|  repostspace  |  repostspace  |  AWS_ENDPOINT_URL_REPOSTSPACE  | 
|  resiliencehub  |  resiliencehub  |  AWS_ENDPOINT_URL_RESILIENCEHUB  | 
|  Resource Explorer 2  |  resource_explorer_2  |  AWS_ENDPOINT_URL_RESOURCE_EXPLORER_2  | 
|  Resource Groups  |  resource_groups  |  AWS_ENDPOINT_URL_RESOURCE_GROUPS  | 
|  Resource Groups Tagging API  |  resource_groups_tagging_api  |  AWS_ENDPOINT_URL_RESOURCE_GROUPS_TAGGING_API  | 
|  RoboMaker  |  robomaker  |  AWS_ENDPOINT_URL_ROBOMAKER  | 
|  RolesAnywhere  |  rolesanywhere  |  AWS_ENDPOINT_URL_ROLESANYWHERE  | 
|  Route 53  |  route_53  |  AWS_ENDPOINT_URL_ROUTE_53  | 
|  Route53 Recovery Cluster  |  route53_recovery_cluster  |  AWS_ENDPOINT_URL_ROUTE53_RECOVERY_CLUSTER  | 
|  Route53 Recovery Control Config  |  route53_recovery_control_config  |  AWS_ENDPOINT_URL_ROUTE53_RECOVERY_CONTROL_CONFIG  | 
|  Route53 Recovery Readiness  |  route53_recovery_readiness  |  AWS_ENDPOINT_URL_ROUTE53_RECOVERY_READINESS  | 
|  Route 53 Domains  |  route_53_domains  |  AWS_ENDPOINT_URL_ROUTE_53_DOMAINS  | 
|  Route53Resolver  |  route53resolver  |  AWS_ENDPOINT_URL_ROUTE53RESOLVER  | 
|  RUM  |  rum  |  AWS_ENDPOINT_URL_RUM  | 
|  S3  |  s3  |  AWS_ENDPOINT_URL_S3  | 
|  S3 Control  |  s3_control  |  AWS_ENDPOINT_URL_S3_CONTROL  | 
|  S3Outposts  |  s3outposts  |  AWS_ENDPOINT_URL_S3OUTPOSTS  | 
|  SageMaker  |  sagemaker  |  AWS_ENDPOINT_URL_SAGEMAKER  | 
|  SageMaker A2I Runtime  |  sagemaker_a2i_runtime  |  AWS_ENDPOINT_URL_SAGEMAKER_A2I_RUNTIME  | 
|  Sagemaker Edge  |  sagemaker_edge  |  AWS_ENDPOINT_URL_SAGEMAKER_EDGE  | 
|  SageMaker FeatureStore Runtime  |  sagemaker_featurestore_runtime  |  AWS_ENDPOINT_URL_SAGEMAKER_FEATURESTORE_RUNTIME  | 
|  SageMaker Geospatial  |  sagemaker_geospatial  |  AWS_ENDPOINT_URL_SAGEMAKER_GEOSPATIAL  | 
|  SageMaker Metrics  |  sagemaker_metrics  |  AWS_ENDPOINT_URL_SAGEMAKER_METRICS  | 
|  SageMaker Runtime  |  sagemaker_runtime  |  AWS_ENDPOINT_URL_SAGEMAKER_RUNTIME  | 
|  savingsplans  |  savingsplans  |  AWS_ENDPOINT_URL_SAVINGSPLANS  | 
|  Scheduler  |  scheduler  |  AWS_ENDPOINT_URL_SCHEDULER  | 
|  schemas  |  schemas  |  AWS_ENDPOINT_URL_SCHEMAS  | 
|  SimpleDB  |  simpledb  |  AWS_ENDPOINT_URL_SIMPLEDB  | 
|  Secrets Manager  |  secrets_manager  |  AWS_ENDPOINT_URL_SECRETS_MANAGER  | 
|  SecurityHub  |  securityhub  |  AWS_ENDPOINT_URL_SECURITYHUB  | 
|  SecurityLake  |  securitylake  |  AWS_ENDPOINT_URL_SECURITYLAKE  | 
|  ServerlessApplicationRepository  |  serverlessapplicationrepository  |  AWS_ENDPOINT_URL_SERVERLESSAPPLICATIONREPOSITORY  | 
|  Service Quotas  |  service_quotas  |  AWS_ENDPOINT_URL_SERVICE_QUOTAS  | 
|  Service Catalog  |  service_catalog  |  AWS_ENDPOINT_URL_SERVICE_CATALOG  | 
|  Service Catalog AppRegistry  |  service_catalog_appregistry  |  AWS_ENDPOINT_URL_SERVICE_CATALOG_APPREGISTRY  | 
|  ServiceDiscovery  |  servicediscovery  |  AWS_ENDPOINT_URL_SERVICEDISCOVERY  | 
|  SES  |  ses  |  AWS_ENDPOINT_URL_SES  | 
|  SESv2  |  sesv2  |  AWS_ENDPOINT_URL_SESV2  | 
|  Shield  |  shield  |  AWS_ENDPOINT_URL_SHIELD  | 
|  signer  |  signer  |  AWS_ENDPOINT_URL_SIGNER  | 
|  SimSpaceWeaver  |  simspaceweaver  |  AWS_ENDPOINT_URL_SIMSPACEWEAVER  | 
|  SMS  |  sms  |  AWS_ENDPOINT_URL_SMS  | 
|  Snow Device Management  |  snow_device_management  |  AWS_ENDPOINT_URL_SNOW_DEVICE_MANAGEMENT  | 
|  Snowball  |  snowball  |  AWS_ENDPOINT_URL_SNOWBALL  | 
|  SNS  |  sns  |  AWS_ENDPOINT_URL_SNS  | 
|  SQS  |  sqs  |  AWS_ENDPOINT_URL_SQS  | 
|  SSM  |  ssm  |  AWS_ENDPOINT_URL_SSM  | 
|  SSM Contacts  |  ssm_contacts  |  AWS_ENDPOINT_URL_SSM_CONTACTS  | 
|  SSM Incidents  |  ssm_incidents  |  AWS_ENDPOINT_URL_SSM_INCIDENTS  | 
|  Ssm Sap  |  ssm_sap  |  AWS_ENDPOINT_URL_SSM_SAP  | 
|  SSO  |  sso  |  AWS_ENDPOINT_URL_SSO  | 
|  SSO Admin  |  sso_admin  |  AWS_ENDPOINT_URL_SSO_ADMIN  | 
|  SSO OIDC  |  sso_oidc  |  AWS_ENDPOINT_URL_SSO_OIDC  | 
|  SFN  |  sfn  |  AWS_ENDPOINT_URL_SFN  | 
|  Storage Gateway  |  storage_gateway  |  AWS_ENDPOINT_URL_STORAGE_GATEWAY  | 
|  STS  |  sts  |  AWS_ENDPOINT_URL_STS  | 
|  SupplyChain  |  supplychain  |  AWS_ENDPOINT_URL_SUPPLYCHAIN  | 
|  Support  |  support  |  AWS_ENDPOINT_URL_SUPPORT  | 
|  Support App  |  support_app  |  AWS_ENDPOINT_URL_SUPPORT_APP  | 
|  SWF  |  swf  |  AWS_ENDPOINT_URL_SWF  | 
|  synthetics  |  synthetics  |  AWS_ENDPOINT_URL_SYNTHETICS  | 
|  Textract  |  textract  |  AWS_ENDPOINT_URL_TEXTRACT  | 
|  Timestream InfluxDB  |  timestream_influxdb  |  AWS_ENDPOINT_URL_TIMESTREAM_INFLUXDB  | 
|  Timestream Query  |  timestream_query  |  AWS_ENDPOINT_URL_TIMESTREAM_QUERY  | 
|  Timestream Write  |  timestream_write  |  AWS_ENDPOINT_URL_TIMESTREAM_WRITE  | 
|  tnb  |  tnb  |  AWS_ENDPOINT_URL_TNB  | 
|  Transcribe  |  transcribe  |  AWS_ENDPOINT_URL_TRANSCRIBE  | 
|  Transfer  |  transfer  |  AWS_ENDPOINT_URL_TRANSFER  | 
|  Translate  |  translate  |  AWS_ENDPOINT_URL_TRANSLATE  | 
|  TrustedAdvisor  |  trustedadvisor  |  AWS_ENDPOINT_URL_TRUSTEDADVISOR  | 
|  VerifiedPermissions  |  verifiedpermissions  |  AWS_ENDPOINT_URL_VERIFIEDPERMISSIONS  | 
|  Voice ID  |  voice_id  |  AWS_ENDPOINT_URL_VOICE_ID  | 
|  VPC Lattice  |  vpc_lattice  |  AWS_ENDPOINT_URL_VPC_LATTICE  | 
|  WAF  |  waf  |  AWS_ENDPOINT_URL_WAF  | 
|  WAF Regional  |  waf_regional  |  AWS_ENDPOINT_URL_WAF_REGIONAL  | 
|  WAFV2  |  wafv2  |  AWS_ENDPOINT_URL_WAFV2  | 
|  WellArchitected  |  wellarchitected  |  AWS_ENDPOINT_URL_WELLARCHITECTED  | 
|  Wisdom  |  wisdom  |  AWS_ENDPOINT_URL_WISDOM  | 
|  WorkDocs  |  workdocs  |  AWS_ENDPOINT_URL_WORKDOCS  | 
|  WorkLink  |  worklink  |  AWS_ENDPOINT_URL_WORKLINK  | 
|  WorkMail  |  workmail  |  AWS_ENDPOINT_URL_WORKMAIL  | 
|  WorkMailMessageFlow  |  workmailmessageflow  |  AWS_ENDPOINT_URL_WORKMAILMESSAGEFLOW  | 
|  WorkSpaces  |  workspaces  |  AWS_ENDPOINT_URL_WORKSPACES  | 
|  WorkSpaces Thin Client  |  workspaces_thin_client  |  AWS_ENDPOINT_URL_WORKSPACES_THIN_CLIENT  | 
|  WorkSpaces Web  |  workspaces_web  |  AWS_ENDPOINT_URL_WORKSPACES_WEB  | 
|  XRay  |  xray  |  AWS_ENDPOINT_URL_XRAY  | 

## Account-based endpoints
<a name="endpoints-accountid"></a>

Account-based endpoints can be specified in the following ways:
+ Environment variables
  + `AWS_ACCOUNT_ID` - Specifies the AWS account-based endpoint ID to use for calls to supported AWS services.

------
#### [ Linux or macOS ]

    ```
    $ export AWS_ACCOUNT_ID=<account-id>
    ```

------
#### [ Windows Command Prompt ]

    **To set for all sessions**

    ```
    C:\> setx AWS_ACCOUNT_ID <account-id>
    ```

    **To set for current session only**

    ```
    C:\> set AWS_ACCOUNT_ID=<account-id>
    ```

------
#### [ PowerShell ]

    ```
    PS C:\> $Env:AWS_ACCOUNT_ID="<account-id>"
    ```

------
  + `AWS_ACCOUNT_ID_ENDPOINT_MODE` - Specifies whether to use AWS account-based endpoint IDs for calls to supported AWS services. Can be set to `preferred`, `disabled`, or `required`. Default value is `preferred`.

------
#### [ Linux or macOS ]

    ```
    $ export AWS_ACCOUNT_ID_ENDPOINT_MODE=preferred
    ```

------
#### [ Windows Command Prompt ]

    **To set for all sessions**

    ```
    C:\> setx AWS_ACCOUNT_ID_ENDPOINT_MODE preferred
    ```

    **To set for current session only**

    ```
    C:\> set AWS_ACCOUNT_ID_ENDPOINT_MODE=preferred
    ```

------
#### [ PowerShell ]

    ```
    PS C:\> $Env:AWS_ACCOUNT_ID_ENDPOINT_MODE="preferred"
    ```

------
+ The `config` file:
  + `aws_account_id` - Specifies the AWS account-based endpoint ID to use for calls to supported AWS services.

    ```
    aws_account_id = <account-id>
    ```
  + `account_id_endpoint_mode` - Specifies whether to use AWS account-based endpoint IDs for calls to supported AWS services. Can be set to `preferred`, `disabled`, or `required`. Default value is `preferred`.

    ```
    account_id_endpoint_mode = preferred
    ```

Account-based endpoints help ensure high performance and scalability by using your AWS account ID to streamline the routing of AWS service requests for services that support this feature. When you use a credential provider and a service that supports account-based endpoints, the AWS CLI automatically constructs and uses an account-based endpoint instead of a regional endpoint.

Account-based endpoints use the following format, where `<account-id>` is replaced with your AWS account ID and `<region>` is replaced with your AWS Region:

```
https://<account-id>.myservice.<region>.amazonaws.com
```

By default in the AWS CLI, the account-based endpoint mode is set to `preferred`.

## Endpoint configuration and settings precedence
<a name="endpoints-precedence"></a>

Endpoint configuration settings are located in multiple places, such as the system or user environment variables, local AWS configuration files, or explicitly declared on the command line as a parameter. The AWS CLI endpoint configuration settings take precedence in the following order:

1. The `--endpoint-url` command line option.

1. If enabled, the `AWS_IGNORE_CONFIGURED_ENDPOINT_URLS` global endpoint environment variable or the `ignore_configured_endpoint_urls` profile setting, which ignores custom endpoints.

1. The value provided by a service-specific environment variable `AWS_ENDPOINT_URL_<SERVICE>`, such as `AWS_ENDPOINT_URL_DYNAMODB`.

1. The values provided by the `AWS_USE_DUALSTACK_ENDPOINT`, `AWS_USE_FIPS_ENDPOINT`, and `AWS_ENDPOINT_URL` environment variables.

1. The account-based endpoint used when the `AWS_ACCOUNT_ID_ENDPOINT_MODE` environment variable is set to `preferred` or `required`, built from the account ID in the `AWS_ACCOUNT_ID` environment variable or the `aws_account_id` setting.

1. The service-specific endpoint value provided by the `endpoint_url` setting within a `services` section of the shared `config` file.

1. The value provided by the `endpoint_url` setting within a `profile` of the shared `config` file.

1. The `use_dualstack_endpoint`, `use_fips_endpoint`, and `endpoint_url` settings.

1. The account-based endpoint used when the `account_id_endpoint_mode` setting is set to `preferred` or `required`, built from the account ID in the `AWS_ACCOUNT_ID` environment variable or the `aws_account_id` setting.

1. Any default endpoint URL for the respective AWS service is used last. For a list of the standard service endpoints available in each Region, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *Amazon Web Services General Reference*.
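
The following added example (not part of the AWS CLI or its documentation) shows how to audit which endpoint URL source wins for a service under the order above, so that an unexpected override of where signed requests are sent can be spotted. It models only the URL-valued sources (`--endpoint-url`, the ignore switch, the two environment variables, the `services` section, and the profile `endpoint_url`) and leaves out the dual-stack, FIPS, and account-ID settings. The function names, the sample config, the nested `services` layout, and treating `true` as the enabling value are assumptions.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of a shared config file (hypothetical hosts and names).
SAMPLE_CONFIG = """
[profile dev]
services = local-stack
endpoint_url = https://proxy.example.internal

[services local-stack]
dynamodb =
  endpoint_url = http://localhost:8000
"""


def _nested(value):
    """Parse the indented 'key = value' lines that configparser keeps as one value."""
    pairs = (line.partition("=") for line in value.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def resolve_endpoint(service_id, profile, config_text, env, cli_endpoint_url=None):
    """Return (source, url) for the endpoint URL in effect; url None means AWS default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    prof = dict(cp[section]) if cp.has_section(section) else {}

    # Command line option overrides everything else.
    if cli_endpoint_url:
        return "--endpoint-url", cli_endpoint_url

    # Ignore switch (environment variable first, then profile setting).
    ignore = (env.get("AWS_IGNORE_CONFIGURED_ENDPOINT_URLS")
              or prof.get("ignore_configured_endpoint_urls", ""))
    if ignore.lower() == "true":
        return "service default (configured endpoints ignored)", None

    # Service-specific environment variable, then the global one.
    for name in (f"AWS_ENDPOINT_URL_{service_id.upper()}", "AWS_ENDPOINT_URL"):
        if env.get(name):
            return f"env {name}", env[name]

    # Service-specific endpoint_url in the services section the profile points to.
    svc_section = f"services {prof.get('services', '')}"
    if cp.has_section(svc_section) and cp.has_option(svc_section, service_id):
        url = _nested(cp.get(svc_section, service_id)).get("endpoint_url")
        if url:
            return f"[{svc_section}] {service_id}", url

    # Profile-wide endpoint_url, then the service default.
    if prof.get("endpoint_url"):
        return f"[{section}] endpoint_url", prof["endpoint_url"]
    return "service default", None


def review_flags(url):
    """Flags for a reviewer: any override redirects signed requests; non-https is unencrypted."""
    if url is None:
        return []
    flags = ["custom endpoint override"]
    if urlsplit(url).scheme != "https":
        flags.append("not https")
    return flags


if __name__ == "__main__":
    for svc in ("dynamodb", "s3"):
        source, url = resolve_endpoint(svc, "dev", SAMPLE_CONFIG, env={})
        print(svc, "->", source, url, review_flags(url))
```

Pass `dict(os.environ)` and the text of your own config file to run the same check against a real workstation or CI runner.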