The AWS SDK for JavaScript v3 reads a set of well-known environment variables at runtime. Setting these variables lets you configure credentials, region, retry behavior, and file paths without changing code.

Credentials

AWS_ACCESS_KEY_ID
string
The AWS access key ID. Must be set together with AWS_SECRET_ACCESS_KEY.
Example: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY
string
The AWS secret access key corresponding to AWS_ACCESS_KEY_ID.
Example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_SESSION_TOKEN
string
The session token for temporary credentials. Required when using short-lived credentials obtained via STS, SSO, or instance metadata.
Example: AQoXnyc4lcK4W4...
AWS_CREDENTIAL_EXPIRATION
string
ISO-8601 timestamp indicating when the credentials in the environment variables expire. When set, the SDK will re-invoke the credential provider before this time.
Example: 2026-06-01T00:00:00Z

Region

AWS_REGION
string
The default AWS region for all SDK clients that do not have a region set explicitly in code. Takes precedence over AWS_DEFAULT_REGION.
Example: us-east-1
AWS_DEFAULT_REGION
string
Fallback region used when AWS_REGION is not set. Recognized by the AWS CLI and some SDK components.
Example: eu-west-1

Profiles and config files

AWS_PROFILE
string
The named profile to load from ~/.aws/credentials and ~/.aws/config. Defaults to default when not set. Overridden by a profile value set directly on a client instance.
Example: my-dev-profile
AWS_CONFIG_FILE
string
Path to the shared AWS config file. Defaults to ~/.aws/config.
Example: /etc/aws/config
AWS_SHARED_CREDENTIALS_FILE
string
Path to the shared credentials file. Defaults to ~/.aws/credentials.
Example: /etc/aws/credentials
AWS_SDK_LOAD_CONFIG
string
When set to any truthy value, instructs the SDK to load configuration from ~/.aws/config in addition to ~/.aws/credentials. Node.js only.
Example: 1

Endpoint

AWS_ENDPOINT_URL
string
Override the endpoint for all SDK clients. Useful when pointing to a local emulator such as LocalStack, or a custom VPC endpoint.
Example: http://localhost:4566

Retries

AWS_RETRY_MODE
string
The retry mode to use. Accepted values:
  • legacy — original SDK retry behavior
  • standard — exponential backoff with jitter (default)
  • adaptive — standard mode plus a token-bucket rate limiter
Example: standard
AWS_MAX_ATTEMPTS
string
Maximum number of total attempts (initial request plus retries). Must be a positive integer.
Example: 5

Local development

Set credentials and region in your shell before running your application:
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_REGION=us-east-1
For temporary credentials (for example, from aws sts assume-role), also export the session token:
export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=AQoXnyc4lcK4W4...
export AWS_REGION=us-east-1
For local development, consider using ~/.aws/credentials with named profiles instead of exporting credentials into the shell. This avoids accidentally leaking credentials through shell history or environment dumps.

CI/CD systems

Store credentials as encrypted secrets in your CI/CD platform and inject them as environment variables at runtime. Never hard-code credentials in pipeline configuration files.
In GitHub Actions, store secrets under Settings → Secrets and variables → Actions, then reference them in your workflow:
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS credentials
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: us-east-1
        run: node deploy.js
For GitHub Actions, the official aws-actions/configure-aws-credentials action also supports OIDC-based role assumption without storing long-lived credentials.
Prefer short-lived credentials (role assumption via OIDC) over long-lived access keys in CI/CD pipelines. Long-lived keys are a common source of credential leaks.
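
A preflight check a pipeline could run before node deploy.js, as an added example that is not part of the original page or of the SDK: auditAwsEnv and its finding strings are hypothetical names, and the sample environment is constructed. It applies the rules stated above and assumes the AKIA and ASIA key ID prefixes that AWS uses for long-lived and temporary access keys.

```javascript
// Added example: preflight audit of the AWS_* variables described on this page.
// auditAwsEnv and its finding strings are hypothetical names, not SDK APIs.
const RETRY_MODES = ["legacy", "standard", "adaptive"]; // values listed on this page

function auditAwsEnv(env, now = new Date()) {
  const findings = [];
  const keyId = env.AWS_ACCESS_KEY_ID;
  const secret = env.AWS_SECRET_ACCESS_KEY;
  // The key ID and the secret must be set together.
  if (Boolean(keyId) !== Boolean(secret)) {
    findings.push("error: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together");
  }
  // AKIA marks a long-lived IAM user key, ASIA a temporary STS key.
  if (keyId && keyId.startsWith("AKIA")) {
    findings.push("warn: long-lived access key in environment; prefer short-lived credentials");
  }
  if (keyId && keyId.startsWith("ASIA") && !env.AWS_SESSION_TOKEN) {
    findings.push("error: temporary access key without AWS_SESSION_TOKEN");
  }
  if (env.AWS_CREDENTIAL_EXPIRATION) {
    const expiry = Date.parse(env.AWS_CREDENTIAL_EXPIRATION);
    if (Number.isNaN(expiry)) findings.push("error: AWS_CREDENTIAL_EXPIRATION is not a valid timestamp");
    else if (expiry <= now.getTime()) findings.push("error: credentials in environment have expired");
  }
  if (!env.AWS_REGION && !env.AWS_DEFAULT_REGION) {
    findings.push("warn: neither AWS_REGION nor AWS_DEFAULT_REGION is set");
  }
  if (env.AWS_RETRY_MODE && !RETRY_MODES.includes(env.AWS_RETRY_MODE)) {
    findings.push("error: AWS_RETRY_MODE is not an accepted value");
  }
  if (env.AWS_MAX_ATTEMPTS !== undefined && !/^[1-9]\d*$/.test(env.AWS_MAX_ATTEMPTS)) {
    findings.push("error: AWS_MAX_ATTEMPTS must be a positive integer");
  }
  // An endpoint override redirects every client; flag plaintext to non-local hosts.
  if (env.AWS_ENDPOINT_URL) {
    let url = null;
    try { url = new URL(env.AWS_ENDPOINT_URL); } catch { findings.push("error: AWS_ENDPOINT_URL is not a valid URL"); }
    const local = url && ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
    if (url && url.protocol !== "https:" && !local) {
      findings.push("warn: AWS_ENDPOINT_URL sends requests over plaintext to a non-local host");
    }
  }
  return findings;
}

// Constructed sample: a long-lived key and a leftover emulator endpoint in a CI job.
const sample = { AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE", AWS_SECRET_ACCESS_KEY: "example",
  AWS_REGION: "us-east-1", AWS_MAX_ATTEMPTS: "0", AWS_ENDPOINT_URL: "http://emulator.internal:4566" };
console.log(auditAwsEnv(sample).join("\n"));
```

The function reports variable names only and never echoes their values, so its output is safe to keep in build logs. Pass process.env to audit the real environment.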
