Scripts2026年7月15日·1 分钟阅读

aws-vault — Securely Store and Access AWS Credentials

A CLI tool that stores AWS credentials in your operating system's secure keystore and generates temporary credentials for shell sessions.

Agent 就绪

这个资产会安全暂存

这个资产会先安全暂存。复制的指令会要求 Agent 读取暂存文件,并在激活脚本、MCP 配置或全局配置前先确认。

Stage only · 29/100策略:需暂存
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Stage only
信任
信任等级:Established
入口
aws-vault Overview
安全暂存命令
npx -y tokrepo@latest install 4857d478-808e-11f1-9bc6-00163e2b0d79 --target codex

先暂存文件;激活前需要读取暂存 README 和安装计划。

Introduction

aws-vault is a tool for securely storing and accessing AWS credentials in development environments. Instead of keeping long-lived access keys in plaintext files like ~/.aws/credentials, aws-vault stores them in your OS keychain (macOS Keychain, Windows Credential Manager, or Linux secret-service) and generates temporary STS credentials on the fly.

What aws-vault Does

  • Stores IAM access keys in the operating system's native secure keystore
  • Generates temporary session credentials using AWS STS AssumeRole or GetSessionToken
  • Injects credentials into shell sessions, subprocesses, or environment variables
  • Supports MFA token prompting during credential generation
  • Provides a local credential server for tools that don't support environment variables

Architecture Overview

aws-vault reads your ~/.aws/config to understand profiles, role chains, and MFA requirements. When you run aws-vault exec profile -- command, it retrieves the master credentials from the OS keychain, calls STS to generate short-lived session tokens, and passes them as environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) to the subprocess. A built-in credential server can also serve credentials via the EC2 instance metadata endpoint for compatibility with SDKs that expect that interface.

Self-Hosting & Configuration

  • Install via Homebrew (macOS/Linux), Chocolatey (Windows), or download the binary from GitHub releases
  • Run aws-vault add <profile> to store access keys in the keychain
  • Configure role_arn and source_profile in ~/.aws/config for cross-account access
  • Set mfa_serial in the config to enable MFA prompting
  • Use --duration flag to control session credential lifetime (default: 1 hour)

Key Features

  • Never stores credentials in plaintext on disk
  • Cross-platform: macOS Keychain, Windows Credential Manager, GNOME Keyring, KWallet
  • Supports IAM role chaining and cross-account assume-role workflows
  • MFA integration with automatic prompting
  • Login command generates a pre-signed AWS Console URL for browser-based access

Comparison with Similar Tools

  • ~/.aws/credentials — The default plaintext file; aws-vault replaces it with keychain-backed storage
  • aws-sso — AWS's built-in SSO credential flow; aws-vault predates it and supports non-SSO setups
  • saml2aws — Focused on SAML-based federation; aws-vault handles IAM key + STS workflows
  • granted — Newer alternative with a similar approach plus a browser-based SSO flow

FAQ

Q: Can I use aws-vault with AWS SSO? A: Yes. Configure SSO profiles in ~/.aws/config and aws-vault will handle the SSO login flow and credential caching.

Q: Where are my credentials actually stored? A: In your OS keychain (macOS Keychain, Windows Credential Manager, or a Linux keyring like GNOME Keyring). Never in plaintext files.

Q: Does it work with Terraform and other IaC tools? A: Yes. Use aws-vault exec profile -- terraform plan to inject credentials into any subprocess.

Q: What license does aws-vault use? A: MIT License.

Sources

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产