How to Install and Configure AWS CLI v2 on macOS, Linux, and Windows
By the end of this guide you will have AWS CLI v2 installed on your operating system, configured with credentials, and verified with a real API call. You will also know how to set up named profiles for multiple accounts and authenticate with IAM Identity Center (SSO), the approach AWS recommends for teams.
This is a complete walkthrough. It covers installation on macOS, Linux, and Windows, first-time configuration, profile management, SSO setup, and the most common mistakes that trip up beginners. If the CLI is already installed and you want to jump straight into commands, see Using the AWS CLI.
What the AWS CLI is and why you need it
The AWS Command Line Interface (CLI) is a single tool that lets you create, read, update, and delete AWS resources from your terminal. Instead of clicking through the AWS Console in a browser, you type short commands that do the same thing. You can then script, repeat, and version-control those commands.
Think of the AWS Console as walking up to each appliance in your house to adjust it by hand. The AWS CLI is a universal remote. You still control the same appliances, but you do it from the couch, and you can program the remote to run a sequence of actions with a single button press.
The CLI matters because most real-world AWS work goes beyond the Console. Automation scripts, CI/CD pipelines, infrastructure provisioning, and day-to-day admin tasks are all faster and more reliable when driven from the command line. If you plan to work with AWS professionally, the CLI is one of the first tools to learn.
When to use the AWS CLI
- Local development: test S3 uploads, invoke Lambda functions, or query DynamoDB tables without leaving your editor.
- Automation and scripts: write Bash or PowerShell scripts that provision resources, rotate secrets, or generate reports on a schedule.
- CI/CD pipelines: deploy code, push container images, or invalidate CloudFront caches as part of an automated build.
- Multi-account work: switch between development, staging, and production accounts using named profiles instead of logging in and out of the Console.
- Teams using SSO / IAM Identity Center: authenticate once via browser, then run commands across every account your role can access.
AWS CLI vs Console vs CloudShell
| AWS CLI (local) | AWS Console | AWS CloudShell | |
|---|---|---|---|
| Runs on | Your laptop / CI server | Browser | Browser (AWS-hosted terminal) |
| Scriptable | Yes | No | Yes |
| Persistent storage | Full local filesystem | N/A | 1 GB per region |
| Offline use | Yes (for config/prep) | No | No |
| Best for | Daily work, automation, CI/CD | Visual exploration, one-off tasks | Quick commands when you cannot install locally |
If you just need a quick command without installing anything, AWS CloudShell is a good option. For anything repeatable, the local CLI is the better choice.
Before you start
You need an active AWS account. If you do not have one, create a free-tier account at
aws.amazon.com.
Do not use your root account credentials for CLI access. The root user has unrestricted access to everything in the account and cannot be scoped down. Create an IAM user or, better yet, use IAM roles via IAM Identity Center.
There are two main ways to authenticate the CLI:
Long-lived access keys are an Access Key ID and Secret Access Key tied to an IAM user. These never expire on their own, which makes them a security risk if leaked. They work for learning and personal projects but are not recommended for teams or production.
Temporary credentials are short-lived tokens issued by AWS STS or IAM Identity Center (SSO). These expire automatically and are the preferred approach wherever available.
For a deeper comparison, see AWS Access Keys Explained.
Install AWS CLI v2 on macOS
AWS CLI v2 is the version to install for all new setups. It does not require a separate Python installation.
Option 1: Homebrew
brew install awscliOption 2: Official .pkg installer
# Download the installer
curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
# Run it (requires admin)
sudo installer -pkg AWSCLIV2.pkg -target /Verify
aws --version
# Expected output (version numbers will vary):
# aws-cli/2.x.x Python/3.x.x Darwin/... source/...Install AWS CLI v2 on Linux
You need curl (or wget) and unzip installed.
Most distributions include both by default.
x86_64 (Intel / AMD)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/installARM / aarch64 (Graviton, Raspberry Pi, etc.)
curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/installVerify
aws --versionSome Linux distributions (including older Amazon Linux releases) ship an
awscli package that installs AWS CLI v1. If you see version
aws-cli/1.x.x after installing, you have a v1/v2 conflict.
Remove the v1 package (pip uninstall awscli or your package manager’s
remove command), then install v2 with the official bundle above. Both versions use
the same aws command name, so only one should be on your PATH at a time.
Install AWS CLI v2 on Windows
Download and run the official MSI installer:
- Download
AWSCLIV2.msifrom the AWS CLI v2 install page. - Run the installer and follow the prompts.
- Open a new PowerShell or Command Prompt window (existing windows will not see the updated PATH).
aws --version
# aws-cli/2.x.x Python/3.x.x Windows/...If you prefer a command-line install, you can use winget:
winget install Amazon.AWSCLIVerify the installation
Run these commands after installing to confirm everything works. The first two do not require credentials. The third and fourth require a configured profile.
# 1. Check the installed version
aws --version
# 2. List configured profiles (empty list is fine at this point)
aws configure list-profiles
# 3. After configuring credentials (next section), confirm your identity
aws sts get-caller-identity
# 4. Show all settings for the active profile
aws configure listIf aws —version prints a version string, the binary is installed and on
your PATH. If the command is not found, see the troubleshooting section below.
How AWS CLI configuration works
The AWS CLI config files work like the contacts app on your phone. Each “profile” is a contact entry that stores the credentials and region for one AWS account. When you run a command, the CLI looks up the active profile to know who to call and where. Environment variables are like dialing a number manually: they override whatever is in your contacts for that one call.
The CLI stores its settings in two files inside your home directory:
~/.aws/credentialsstores the access key ID and secret access key for each profile.~/.aws/configstores the region, output format, SSO settings, and other options for each profile.
On Windows these files live at C:\Users\USERNAME\.aws\.
The CLI looks for configuration in this order of precedence (highest wins):
- Environment variables (
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_DEFAULT_REGION) - Profile settings in
~/.aws/credentialsand~/.aws/config
This means an environment variable always overrides whatever is in your config files.
The [default] profile is used when you do not specify —profile.
Configure the default profile
Run aws configure and answer each prompt:
aws configureYou will see four prompts:
| Prompt | What to enter |
|---|---|
AWS Access Key ID | The 20-character key starting with AKIA. Find it in the IAM console under your IAM user’s Security Credentials tab. |
AWS Secret Access Key | The 40-character secret shown once when the key is created. If you lost it, generate a new key pair. |
Default region name | The AWS region for commands to target by default, for example us-east-1 or eu-west-1. Pick the region closest to your users or workloads. |
Default output format | json (default and easiest to parse), table (human-readable), or text (plain, good for piping). |
The example keys in AWS documentation (AKIAIOSFODNN7EXAMPLE) are
placeholder values. Never share your real keys. If you accidentally expose a secret
key, deactivate it immediately in the IAM console and create a new one.
Use named profiles for multiple AWS accounts
Most teams have separate AWS accounts for development, staging, and production. Named profiles let you keep credentials for each account on one machine and switch between them safely.
# Create a profile called "staging"
aws configure --profile staging
# Run a command against the staging account
aws s3 ls --profile staging
# Set a profile for your entire terminal session
export AWS_PROFILE=staging # macOS / Linux
# $env:AWS_PROFILE = "staging" # PowerShell
# Verify which identity is active
aws sts get-caller-identity
# Switch back to the default profile
unset AWS_PROFILE # macOS / Linux
# Remove-Variable AWS_PROFILE # PowerShellAfter configuring two profiles, your ~/.aws/config looks like this:
[default]
region = us-east-1
output = json
[profile staging]
region = us-west-2
output = jsonAnd ~/.aws/credentials:
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[staging]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEYAlways run aws sts get-caller-identity before any destructive command
to confirm you are pointed at the right account. It takes one second and prevents
costly mistakes.
Configure IAM Identity Center (SSO)
IAM Identity Center (formerly AWS SSO) is the recommended way to authenticate the CLI in team and enterprise environments. Instead of storing long-lived keys on disk, you log in through a browser and receive temporary credentials that expire automatically.
# Start the SSO configuration wizard
aws configure ssoYou will be prompted for:
- SSO session name is a label you choose, for example
my-org. - SSO start URL is your organization’s access portal URL, for example
https://my-company.awsapps.com/start. - SSO region is the region where Identity Center is configured (ask your admin if unsure).
- SSO registration scopes is usually
sso:account:access.
A browser window opens for you to approve the device authorization. After approval,
the CLI lists the accounts and roles available to you. Select one, and the wizard
saves a named profile to ~/.aws/config.
# Log in when your session expires
aws sso login --profile my-org-dev
# Run commands with the SSO profile
aws s3 ls --profile my-org-dev
# Log out (invalidates the cached token)
aws sso logoutSSO tokens are cached locally and expire (typically after 1–8 hours depending on
your admin’s settings). When a command fails with an expired-token error, run
aws sso login —profile PROFILE_NAME to re-authenticate.
Use environment variables safely
Environment variables are the highest-priority credential source. They are useful in two scenarios:
- CI/CD pipelines: inject credentials from a secrets manager at runtime so nothing is stored on disk.
- Temporary overrides: point a single terminal session at a different account without changing your config files.
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1Never commit credentials to source control. A secret pushed to a public (or even private) repository can be scraped within minutes. Bots actively scan GitHub for leaked AWS keys. If it happens, assume the key is compromised immediately.
In CI/CD systems (GitHub Actions, GitLab CI, etc.), use OIDC-based role assumption instead of injecting long-lived access keys. OIDC lets your pipeline assume an IAM role with a short-lived token and no stored secrets.
First commands to run after installation
Once the CLI is installed and configured, try these commands to confirm everything is working and start exploring.
# Who am I? Returns your account ID, user ARN, and user ID.
aws sts get-caller-identity
# List S3 buckets in the account (empty list is normal for new accounts)
aws s3 ls
# Show the active profile's settings: region, access key (masked), and source
aws configure listIf aws sts get-caller-identity returns your account details, your
credentials are valid and the CLI is ready. From here you can start running real
commands. See Using the AWS CLI
for command structure and output formatting, or try
uploading files to
S3 with the AWS CLI as a hands-on next step.
Common mistakes
Missing default region. Many commands fail with a confusing error if no region is set. Always specify a region during
aws configureor setAWS_DEFAULT_REGION.Wrong profile active. Running a command in the wrong account can be destructive. Always verify with
aws sts get-caller-identitybefore making changes.Expired SSO session. SSO tokens expire. If you get an
ExpiredTokenorUnauthorizedAccesserror, runaws sso login —profile PROFILE_NAME.Committing access keys to a repository. Secrets in git history are extremely hard to fully remove. Use
.gitignorefor.envfiles, and prefer temporary credentials over long-lived keys.Mixing AWS CLI v1 and v2. Both versions install as
aws. If you installed v1 viapipand v2 via the official installer, the wrong version may win on your PATH. Remove v1 before installing v2, or ensure v2 appears first in your PATH.PATH issues / “command not found”. On macOS and Linux the installer creates a symlink at
/usr/local/bin/aws. If your shell cannot find the command, check that/usr/local/binis in your PATH, or open a new terminal window.
Troubleshooting AWS CLI install and auth issues
”command not found” after installation
Open a new terminal window. If the issue persists, check where the binary was installed:
# macOS / Linux
which aws
# Expected: /usr/local/bin/aws
# Windows (PowerShell)
where.exe awsIf nothing is returned, the installer did not add the binary to your PATH. On Linux,
the installer creates /usr/local/bin/aws as a symlink to
/usr/local/aws-cli/v2/current/bin/aws. Verify the symlink exists and
that /usr/local/bin is in your $PATH.
Wrong version returned
If aws —version shows aws-cli/1.x.x, you have both v1 and
v2 installed. Remove v1:
# If v1 was installed via pip
pip uninstall awscli
# Then confirm v2 is active
aws --version“Access Denied” or “InvalidClientTokenId”
Your credentials are missing, expired, or do not have the required permissions. Run
aws configure list to check which credentials are active, and verify the
IAM user or role has the permissions you need. For a full walkthrough, see
Troubleshooting
Authentication Errors in AWS.
”ExpiredToken” or “The SSO session has expired"
aws sso login --profile PROFILE_NAME"Region not configured"
# Set a default region
aws configure set region us-east-1
# Or pass it per-command
aws s3 ls --region us-east-1"Profile not found”
Check the exact spelling of your profile name:
aws configure list-profilesProfile names are case-sensitive. Make sure —profile matches what is in
~/.aws/config.
Summary
- Install AWS CLI v2 using Homebrew (macOS), the official zip bundle (Linux), or the MSI installer (Windows)
- Verify the install with
aws —versionand open a new terminal if the command is not found - Run
aws configureto set your default credentials, region, and output format - Use named profiles (
—profile) to manage multiple AWS accounts from one machine - Prefer IAM Identity Center (SSO) over long-lived access keys for team and production environments
- Environment variables override config files and are useful for CI/CD, but never commit secrets
- Always run
aws sts get-caller-identityto confirm which account you are targeting
Frequently asked questions
How do I install AWS CLI v2 on macOS, Linux, or Windows?
On macOS, run brew install awscli or download the official .pkg installer. On Linux, download the zip bundle for your architecture (x86_64 or aarch64), unzip it, and run the install script. On Windows, download and run the MSI installer. AWS CLI v2 does not require a separate Python installation.
What does aws configure actually save?
aws configure writes your Access Key ID and Secret Access Key to ~/.aws/credentials, and your default region and output format to ~/.aws/config. These two files control how the CLI authenticates and which region it targets by default.
Should I use long-lived access keys or SSO with the AWS CLI?
Use IAM Identity Center (SSO) or IAM roles with temporary credentials whenever possible. Long-lived access keys never expire on their own and become a serious security risk if leaked. SSO tokens expire automatically and are the recommended approach for teams and production environments.
How do I use multiple AWS accounts from one laptop?
Use named profiles. Run aws configure --profile profile-name for each account. Switch between them with the --profile flag on any command, or set the AWS_PROFILE environment variable for the current terminal session.
Why does aws --version or aws sts get-caller-identity fail after install?
The most common causes are a stale terminal session (close and reopen your terminal), a PATH issue where the system cannot find the aws binary, or having both AWS CLI v1 and v2 installed with v1 taking priority. Run which aws (macOS/Linux) or where aws (Windows) to check which binary your shell resolves.