AWS CLI Cache
Under ~/.aws/cli/cache, the AWS CLI stores JSON cache files for temporary credentials and selected API response data so repeated commands can reuse STS AssumeRole sessions, SSO-derived tokens, and other short-lived results without reauthenticating every time. Those files speed up role switching and scripted workflows, but they can become stale after permission changes, expired sessions, profile edits, or interrupted writes. Kudu removes the cached credential and response JSON files so the CLI fetches fresh data automatically, without touching your configured profiles, account settings, access keys, or command history.
Why clean AWS CLI Cache?
- Expired STS or SSO-backed cached credentials can make aws commands fail with ExpiredToken or Unauthorized errors until the CLI fetches a fresh session
- Role or policy changes in AWS may not line up with an old cached session, so a command keeps returning AccessDenied even after permissions were fixed
- Switching profiles, start URLs, regions, or role settings can leave mismatched cache entries behind, causing the CLI to appear to use the wrong identity or account
- Interrupted logins or partial writes can leave malformed JSON in ~/.aws/cli/cache, which shows up as credential loading errors or repeated prompts to authenticate again
- Large numbers of old cache files from automation and frequent role assumptions add unnecessary disk clutter and make it harder to inspect current sessions during troubleshooting
- Long-lived cache directories can contain many obsolete session documents, so scripts seem inconsistent because one run reuses stale credentials while the next forces a refresh
- Cached metadata is rewritten over time, and cleaning out fragmented remnants of old JSON responses can simplify debugging when the CLI behaves differently from the current AWS console state
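An added example (not Kudu's code or the AWS CLI's): a read-only Python audit that labels each file in the cache directory as live, expired, malformed, or lacking an expiry, without reading out key material. It assumes credential cache files are JSON documents carrying a `Credentials.Expiration` ISO 8601 timestamp; the sample files in `demo()` are constructed.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CACHE_DIR = Path.home() / ".aws" / "cli" / "cache"  # path named on this page

def parse_expiration(text):
    """Parse an expiry ending in Z, UTC or a numeric offset (assumed formats)."""
    for suffix in ("Z", "UTC"):
        if text.endswith(suffix):
            text = text[: -len(suffix)] + "+00:00"
    stamp = datetime.fromisoformat(text)
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)

def classify(path, now):
    """Return 'malformed', 'no-expiry', 'expired' or 'live' for one cache file."""
    try:
        doc = json.loads(path.read_text(encoding="utf-8"))
        expiry = doc["Credentials"]["Expiration"]
    except (OSError, ValueError):  # truncated or partial JSON lands here
        return "malformed"
    except (KeyError, TypeError):  # valid JSON, but not a credential document
        return "no-expiry"
    try:
        return "expired" if parse_expiration(expiry) <= now else "live"
    except (ValueError, TypeError, AttributeError):
        return "malformed"

def audit(cache_dir=CACHE_DIR, now=None):
    """Map file name -> state; key material is never returned or printed."""
    now = now or datetime.now(timezone.utc)
    return {p.name: classify(p, now) for p in sorted(Path(cache_dir).glob("*.json"))}

def demo():
    samples = {  # constructed sample documents, not real credentials
        "live.json": '{"Credentials": {"AccessKeyId": "EXAMPLE", "Expiration": "2999-01-01T00:00:00Z"}}',
        "expired.json": '{"Credentials": {"Expiration": "2001-01-01T00:00:00UTC"}}',
        "partial.json": '{"Credentials": {"Expir',
        "other.json": '{"ResponseMetadata": {}}',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_text(body, encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:10} {name}")
```

Files reported as `live` still hold usable session credentials on disk, so they are the ones to account for before and after a cleanup.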
Cache paths Kudu targets
Windows
~/.aws/cli/cache
macOS
~/.aws/cli/cache
Linux
~/.aws/cli/cache
Download Kudu and reclaim your disk space.
Available on Windows, macOS, and Linux. No account required, no feature gates, no telemetry without consent. All cleaning targets are open source and community-auditable.