ScriptsJul 15, 2026·3 min read

aws-vault — Securely Store and Access AWS Credentials

A CLI tool that stores AWS credentials in your operating system's secure keystore and generates temporary credentials for shell sessions.

Agent ready

Safe staging for this asset

This asset is staged first. The copied prompt tells the agent to inspect the staged files and ask before activating scripts, MCP config, or global config.

Stage only · 29/100Policy: stage
Agent surface
Any MCP/CLI agent
Kind
Skill
Install
Stage only
Trust
Trust: Established
Entrypoint
aws-vault Overview
Safe staging command
npx -y tokrepo@latest install 4857d478-808e-11f1-9bc6-00163e2b0d79 --target codex

Stages files first; activation requires review of the staged README and plan.

Introduction

aws-vault is a tool for securely storing and accessing AWS credentials in development environments. Instead of keeping long-lived access keys in plaintext files like ~/.aws/credentials, aws-vault stores them in your OS keychain (macOS Keychain, Windows Credential Manager, or Linux secret-service) and generates temporary STS credentials on the fly.

What aws-vault Does

  • Stores IAM access keys in the operating system's native secure keystore
  • Generates temporary session credentials using AWS STS AssumeRole or GetSessionToken
  • Injects credentials into shell sessions, subprocesses, or environment variables
  • Supports MFA token prompting during credential generation
  • Provides a local credential server for tools that don't support environment variables

Architecture Overview

aws-vault reads your ~/.aws/config to understand profiles, role chains, and MFA requirements. When you run aws-vault exec profile -- command, it retrieves the master credentials from the OS keychain, calls STS to generate short-lived session tokens, and passes them as environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) to the subprocess. A built-in credential server can also serve credentials via the EC2 instance metadata endpoint for compatibility with SDKs that expect that interface.

Self-Hosting & Configuration

  • Install via Homebrew (macOS/Linux), Chocolatey (Windows), or download the binary from GitHub releases
  • Run aws-vault add <profile> to store access keys in the keychain
  • Configure role_arn and source_profile in ~/.aws/config for cross-account access
  • Set mfa_serial in the config to enable MFA prompting
  • Use --duration flag to control session credential lifetime (default: 1 hour)

Key Features

  • Never stores credentials in plaintext on disk
  • Cross-platform: macOS Keychain, Windows Credential Manager, GNOME Keyring, KWallet
  • Supports IAM role chaining and cross-account assume-role workflows
  • MFA integration with automatic prompting
  • Login command generates a pre-signed AWS Console URL for browser-based access

Comparison with Similar Tools

  • ~/.aws/credentials — The default plaintext file; aws-vault replaces it with keychain-backed storage
  • aws-sso — AWS's built-in SSO credential flow; aws-vault predates it and supports non-SSO setups
  • saml2aws — Focused on SAML-based federation; aws-vault handles IAM key + STS workflows
  • granted — Newer alternative with a similar approach plus a browser-based SSO flow

FAQ

Q: Can I use aws-vault with AWS SSO? A: Yes. Configure SSO profiles in ~/.aws/config and aws-vault will handle the SSO login flow and credential caching.

Q: Where are my credentials actually stored? A: In your OS keychain (macOS Keychain, Windows Credential Manager, or a Linux keyring like GNOME Keyring). Never in plaintext files.

Q: Does it work with Terraform and other IaC tools? A: Yes. Use aws-vault exec profile -- terraform plan to inject credentials into any subprocess.

Q: What license does aws-vault use? A: MIT License.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets