Unable to locate credentials (boto3 / DynamoDB)
TL;DR — boto3/botocore walked its whole credential provider chain — env vars, shared ~/.aws/credentials, config profile, container/instance role — and found nothing. No credentials means it can't sign the DynamoDB request. Give the chain a credential source it can find: aws configure, env vars, a profile, or an IAM role.
What it means
botocore.exceptions.NoCredentialsError: Unable to locate credentialsBefore any DynamoDB call, the SDK must resolve an access key + secret to sign the request with SigV4. This error is raised at that step: no credential provider returned anything. It happens before the request is sent — it isn't a permissions denial (that would be AccessDeniedException), it's the absence of any identity at all.
Why it happens
- No credentials configured —
aws configurewas never run and no~/.aws/credentialsexists. - Env vars missing —
AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEYaren't set in the process's environment (common in cron jobs, containers, CI). - Wrong or missing profile — you referenced
--profile foo(orAWS_PROFILE=foo) but that profile isn't in the credentials/config file. - No instance/container role — on EC2/ECS/Lambda without an attached IAM role, so the metadata provider returns nothing.
- Different user's home — running as a service account whose
~/.awsdoesn't hold the file you edited. - Session token expired/absent for a temporary-credentials setup.
How to fix it
- Configure a profile for local dev:
aws configure # writes ~/.aws/credentials + ~/.aws/config - Or set env vars for the process:
export AWS_ACCESS_KEY_ID=... export AWS_SECRET_ACCESS_KEY=... export AWS_DEFAULT_REGION=us-east-1 - On EC2/ECS/Lambda, attach an IAM role — the SDK picks it up automatically from instance/container metadata; don't bake keys in.
- Verify the identity resolves before running your code:
aws sts get-caller-identity - Point at the right profile — pass
profile_nametoboto3.Session(...)or setAWS_PROFILE. - Against DynamoDB Local, any placeholder keys work — pass dummy
aws_access_key_id/aws_secret_access_keyso the chain isn't empty.
Related errors
- The security token included in the request is invalid — credentials were found but AWS rejected them.
- AccessDeniedException — valid identity, but no IAM permission for the action.
- Missing region in config