Unable to locate credentials (boto3 / DynamoDB)

TL;DR — boto3/botocore walked its whole credential provider chain — env vars, shared ~/.aws/credentials, config profile, container/instance role — and found nothing. No credentials means it can't sign the DynamoDB request. Give the chain a credential source it can find: aws configure, env vars, a profile, or an IAM role.

What it means

botocore.exceptions.NoCredentialsError: Unable to locate credentials

Before any DynamoDB call, the SDK must resolve an access key + secret to sign the request with SigV4. This error is raised at that step: no credential provider returned anything. It happens before the request is sent — it isn't a permissions denial (that would be AccessDeniedException), it's the absence of any identity at all.

Why it happens

  • No credentials configuredaws configure was never run and no ~/.aws/credentials exists.
  • Env vars missingAWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY aren't set in the process's environment (common in cron jobs, containers, CI).
  • Wrong or missing profile — you referenced --profile foo (or AWS_PROFILE=foo) but that profile isn't in the credentials/config file.
  • No instance/container role — on EC2/ECS/Lambda without an attached IAM role, so the metadata provider returns nothing.
  • Different user's home — running as a service account whose ~/.aws doesn't hold the file you edited.
  • Session token expired/absent for a temporary-credentials setup.

How to fix it

  1. Configure a profile for local dev:
    aws configure     # writes ~/.aws/credentials + ~/.aws/config
  2. Or set env vars for the process:
    export AWS_ACCESS_KEY_ID=...
    export AWS_SECRET_ACCESS_KEY=...
    export AWS_DEFAULT_REGION=us-east-1
  3. On EC2/ECS/Lambda, attach an IAM role — the SDK picks it up automatically from instance/container metadata; don't bake keys in.
  4. Verify the identity resolves before running your code:
    aws sts get-caller-identity
  5. Point at the right profile — pass profile_name to boto3.Session(...) or set AWS_PROFILE.
  6. Against DynamoDB Local, any placeholder keys work — pass dummy aws_access_key_id/aws_secret_access_key so the chain isn't empty.

Trabalhe com o DynamoDB sem o Console

O DynoTable é um cliente desktop rápido para o DynamoDB — navegue pelas tabelas, execute consultas no estilo SQL e edite itens localmente.