AWS CLI configuration: List with the AWS CLI
📑 On this page
Part 1129 of AWS from Zero.
What we are learning
aws configure list shows the effective configuration the CLI would use right now: the profile, access key, secret key, and Region, each with the place it was resolved from. Where aws configure get answers "what is written in this file section", list answers the operational question "what will actually happen when I run a command in this shell". For each item it prints four columns: NAME, VALUE, TYPE, and LOCATION. TYPE names the source category, such as env, config-file, shared-credentials-file, or manual for a command-line option, and LOCATION names the specific file path or environment variable.
Two safety properties make this the right default diagnostic. Credential values are masked, showing only the last four characters, so the output is safer than printing a credentials file, although it is still a sensitive diagnostic artifact. For temporary credential methods such as assumed roles or IAM Identity Center sign-in, the command displays temporary cached keys. Resolving those keys can refresh expired credentials, so do not assume this command is always offline merely because it creates no AWS resource.
Before you run it
export AWS_PROFILE="aws-zero-sandbox"
export AWS_REGION="ap-south-1"
aws sts get-caller-identity
aws configure get regionUse an authenticated sandbox profile. configure list has no IAM action of its own, but a role profile can call STS AssumeRole when its cached credentials have expired, and other temporary providers can also refresh. The separate identity check needs valid credentials but AWS documents that GetCallerIdentity itself requires no permission. There is no configuration service quota, regional availability requirement, or service-side eventual consistency. Even though the output masks secrets, the trailing four characters still identify a key, so treat captured output with the same care as any diagnostic artifact.
Cost note:
aws configure listand any credential refresh it triggers have no direct resource charge,aws sts get-caller-identityhas no charge, and nothing in this lab creates a billable resource.
The command
aws configure listThere are no required options; the main input is which profile the resolution runs against, controlled here by the exported AWS_PROFILE. Expect four data rows. In this shell, the profile row should show aws-zero-sandbox, and the region row should show ap-south-1 with type env and location AWS_REGION. The credential rows should show masked values; their type and location identify the provider and may be a file, environment variables, a role, IAM Identity Center, or another configured source.
Inspect the result
aws configure get profile."$AWS_PROFILE".region
echo $?Cross-check the table against the file. If the region row in the table came from env, this qualified get tells you whether the profile section also stores its own Region: a printed value with exit code 0 means the file agrees, while empty output with exit code 1 means the Region exists only in your current shell. That distinction is the difference between behavior that survives a new terminal and behavior that vanishes with it.
One tiny variation
aws configure list --profile "$AWS_PROFILE"The single change is explicit profile selection instead of environment inheritance. The table is the same, but the profile row now reports type manual and location --profile, which is list demonstrating its own core feature: it does not just show values, it shows how each value won the precedence contest. Scripts and CI jobs should prefer this explicit form.
Common mistake
Pointing --profile at a name that does not exist. The command prints the first rows of the table and then fails:
The config profile (aws-zero-missing-profile) could not be foundThe exit code is 255, the AWS CLI's general failure code. Two pieces of evidence make the diagnosis fast: the error names the exact profile string it looked for, and the partial table's profile row shows type manual, proving the bad name came from your option rather than from an environment variable. Confirm with aws configure list-profiles, which prints the names that actually exist; typos and case differences show up immediately. A related habit to avoid: do not parse this human-formatted table in scripts. Use aws configure get for single values, so a future column change cannot break your automation.
Cleanup
aws configure listThe lab is read-only and created no configuration or AWS resources. A final run should show the same profile, Region, types, and locations as the first. Temporary keys may refresh and therefore show different masked suffixes; that rotation is not evidence that the configuration changed. There are no resources to remove and no settings to restore.
Where this goes later
Next: AWS CLI command history from zero: purpose, boundaries, and first CLI inventory.