v2.33.9: Permission denied on ~/.aws/config when running as non-root user after initialization #10031

@seanuleh

Description

Describe the bug

AWS CLI v2.33.9 creates the ~/.aws directory with root ownership when aws --version is executed with elevated privileges. This causes "Permission denied" errors for non-root users attempting to run subsequent AWS CLI commands. This is a regression from v2.33.8, where aws --version had no side effects.

Environment

  • AWS CLI Version: 2.33.9 (broken) vs 2.33.8 (working)
  • Platform: Linux (ARM64)
  • OS: Ubuntu 22.04
  • User Context: AWS CLI installed and verified as root, but run as non-root user
  • Installation Method: Any method that verifies installation with sudo aws --version

Issue Description

When aws --version is executed with root privileges (e.g., sudo aws --version or during installation verification), AWS CLI v2.33.9 creates the ~/.aws/cli/cache/ directory structure with root ownership. This prevents non-root users from running any AWS CLI commands that need to write to ~/.aws/config or ~/.aws/credentials.

Critical Finding: aws --version should be a read-only operation with zero side effects. In v2.33.8 it was. In v2.33.9 it creates directories and files.

Error messages:

[Errno 13] Permission denied: '/home/runner/.aws/config'
[Errno 13] Permission denied: '/home/runner/.aws/credentials'

This issue does NOT occur with AWS CLI v2.33.8.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

After running sudo aws --version:

$ ls -la ~/ | grep .aws
# No output - no .aws directory created ✅

After running aws configure set region us-east-2 --profile test as non-root user:

$ ls -la ~/.aws/
drwxr-xr-x. 2 user user  20 Jan 29 00:53 .
-rw-------. 1 user user  34 Jan 29 00:53 config

  • aws --version has zero side effects - no directories created ✅
  • ~/.aws directory created only when needed, owned by the actual user ✅
  • No cache subdirectories created during simple operations
  • All subsequent AWS CLI commands succeed

Current Behavior

After running sudo aws --version:

$ ls -la ~/.aws/
drwxr-xr-x. 3 root root    17 Jan 29 00:50 .
drwxr-xr-x. 3 root root    19 Jan 29 00:50 cli

$ ls -la ~/.aws/cli/
drwxr-xr-x. 3 root root 19 Jan 29 00:50 .
drwx------. 2 root root 24 Jan 29 00:50 cache

After running aws configure set region us-east-2 --profile test as non-root user:

[Errno 13] Permission denied: '/home/user/.aws/config'

Reproduction Steps

Simple Reproduction

# As root, run version check (simulating installation verification)
sudo -E aws --version

# As non-root user, try to configure AWS CLI
aws configure set region us-east-2 --profile test
# Result: [Errno 13] Permission denied: '/home/youruser/.aws/config'

GitHub Actions Reproduction

- name: Install AWS CLI
  run: |
    curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64-2.33.9.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    sudo ./aws/install
    # Installation verification runs: sudo aws --version
    # This creates /home/runner/.aws/cli/cache/ as root:root

- name: Configure AWS CLI
  run: |
    # This fails because ~/.aws is now owned by root
    aws configure set region us-east-2 --profile test

Possible Solution

No response

Additional Information/Context

PR #10013 triggers cache/history initialization too eagerly. Even running aws --version now creates the ~/.aws/cli/cache/ directory structure. This is problematic because:

  1. aws --version is commonly run as root during installation verification
  2. When run with elevated privileges, it creates ~/.aws/cli/cache/ with root ownership
  3. The cache directory gets restrictive 0o700 permissions
  4. When the actual user tries to use AWS CLI, they cannot write to their own ~/.aws/ directory

CLI version used

2.33.9

Environment details (OS name and version, etc.)

GitHub Actions - arm64 runner
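An added example, not code from the issue or the aws-cli project: a POSIX shell helper that checks whether a command leaves a home directory untouched (the zero-side-effects expectation described above) and lists entries under ~/.aws not owned by the expected user, so a CI job can catch a root-owned tree before aws configure fails. The function names and the sample paths are constructed for this example.

```shell
#!/bin/sh
# Added example: side-effect and ownership checks for a ~/.aws tree.
set -u
export LC_ALL=C   # deterministic sort order for comm

# snapshot_tree DIR: every path under DIR, one per line, sorted;
# prints nothing if DIR does not exist.
snapshot_tree() {
    [ -e "$1" ] && find "$1" -print | sort
    return 0
}

# new_paths DIR CMD...: run CMD and print the paths under DIR that did not
# exist before it ran (empty output means CMD had no side effects there).
new_paths() {
    dir=$1; shift
    before=$(mktemp); after=$(mktemp)
    snapshot_tree "$dir" > "$before"
    "$@" >/dev/null 2>&1 || true      # a failing CMD is still checked
    snapshot_tree "$dir" > "$after"
    comm -13 "$before" "$after"       # lines only in the "after" snapshot
    rm -f "$before" "$after"
}

# no_side_effects DIR CMD...: succeed only if CMD created nothing under DIR.
no_side_effects() {
    [ -z "$(new_paths "$@")" ]
}

# foreign_owned DIR OWNER: print entries under DIR whose owner is not OWNER
# (the symptom in this issue: root-owned ~/.aws/cli/cache after sudo aws --version).
foreign_owned() {
    [ -e "$1" ] || return 0
    find "$1" ! -user "$2" -print | sort
}

# repair_ownership DIR OWNER: hand the whole tree back to OWNER (run as root,
# e.g. after an installer step that ran aws --version under sudo).
repair_ownership() {
    [ -e "$1" ] && chown -R "$2" "$1"
}

# Typical CI use:
#   no_side_effects "$HOME/.aws" aws --version || echo "aws --version wrote to ~/.aws"
#   foreign_owned "$HOME/.aws" "$(id -un)"
```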

Labels: bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.), potential-regression (Marking this issue as a potential regression to be checked by team member)