AWS Vault

June 6, 2026 · View on GitHub

Downloads Continuous Integration

Note

This is a maintained fork of https://github.com/99designs/aws-vault which is an abandoned project. Contributions are welcome and preferably please open an issue first.

AWS Vault is a tool to securely store and access AWS credentials in a development environment.

AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your profiles and configuration in ~/.aws/config.

Check out the announcement blog post for more details.

Installing

You can install AWS Vault:

Documentation

Config, usage, tips and tricks are available in the USAGE.md file.

Vaulting Backends

The supported vaulting backends are:

Internal nameBackendHow it worksPlatforms
keychainmacOS KeychainStores credentials as generic password items in the configured Keychain. Optional biometrics support can use Touch ID to unlock the aws-vault keychain.macOS
wincredWindows Credential ManagerStores credentials as generic credentials under an aws-vault target-name prefix in Windows Credential Manager.Windows
winhelloWindows HelloStores encrypted envelopes in Windows Credential Manager. The encryption key is wrapped by Windows Hello / Passport, so reads require PIN/biometrics.Windows
secret-serviceSecret Service (GNOME Keyring, KWallet, ...)Stores credentials in a Secret Service collection over the desktop session D-Bus. The collection may be unlocked by the desktop keyring service.Linux
kwalletKWalletStores credentials as entries in the configured KWallet folder over the KDE Wallet D-Bus service directly (rather than through the Secret Service API).Linux
keyctlLinux kernel keyringStores credentials in the Linux kernel key retention service, optionally inside a named keyring for the configured service.Linux
passPassStores JSON-encoded credential items in a pass password store, encrypted by GPG and managed through the pass command.macOS, Linux, FreeBSD
passagePassageStores JSON-encoded credential items in a Passage store, encrypted with age and managed through the passage command.macOS, Linux, FreeBSD
fileEncrypted fileStores one encrypted file per credential under AWS_VAULT_FILE_DIR (by default ~/.awsvault/keys/) using passphrase-based JWE encryption.All platforms
op-connect1Password ConnectStores credentials as concealed fields in 1Password items through a 1Password Connect server and token.Windows, macOS, Linux
op1Password Service AccountsStores credentials as concealed fields in 1Password items through the 1Password SDK using a service account token.Windows, macOS, Linux
op-desktop1Password Desktop AppStores credentials as concealed fields in 1Password items through the local 1Password desktop app integration.Windows, macOS, Linux

Use the --backend flag or AWS_VAULT_BACKEND environment variable to specify a backend. Run aws-vault --help to see the backends available in your build and environment.

By default, aws-vault selects the first available backend for the platform: wincred on Windows, keychain on macOS, and secret-service on Linux when Secret Service is available. On Linux, automatic selection then falls back through kwallet, keyctl, pass, passage, and file. The 1Password backends are opt-in and are listed after file, so choose them explicitly with --backend or AWS_VAULT_BACKEND.

Quick start

# Store AWS credentials for the "jonsmith" profile
$ aws-vault add jonsmith
Enter Access Key Id: ABDCDEFDASDASF
Enter Secret Key: ****************************************
Enter MFA Device ARN (If MFA is not enabled, leave this blank): arn:aws:iam::123456789012:mfa/jonsmith
Added credentials to profile "jonsmith" in vault

# Execute a command (using temporary credentials)
$ aws-vault exec jonsmith -- aws s3 ls
bucket_1
bucket_2

# open a browser window and login to the AWS Console
$ aws-vault login jonsmith

# List credentials
$ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
jonsmith                 jonsmith                 -

# Start a subshell with temporary credentials
$ aws-vault exec jonsmith
Starting subshell /bin/zsh, use `exit` to exit the subshell
$ aws s3 ls
bucket_1
bucket_2

How it works

aws-vault uses Amazon's STS service to generate temporary credentials via the GetSessionToken or AssumeRole API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.

AWS Vault then exposes the temporary credentials to the sub-process in one of two ways

  1. Environment variables are written to the sub-process. Notice in the below example how the AWS credentials get written out 
    $ aws-vault exec jonsmith -- env | grep AWS
AWS_VAULT=jonsmith
AWS_DEFAULT_REGION=us-east-1
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=%%%
AWS_SECRET_ACCESS_KEY=%%%
AWS_SESSION_TOKEN=%%%
AWS_CREDENTIAL_EXPIRATION=2020-04-16T11:16:27Z
  2. Local metadata server is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible. 
    $ aws-vault exec --server jonsmith -- env | grep AWS
AWS_VAULT=jonsmith
AWS_DEFAULT_REGION=us-east-1
AWS_REGION=us-east-1
AWS_CONTAINER_CREDENTIALS_FULL_URI=%%%
AWS_CONTAINER_AUTHORIZATION_TOKEN=%%%

The default is to use environment variables, but you can opt-in to the local instance metadata server with the --server flag on the exec command.

Roles and MFA

Best-practice is to create Roles to delegate permissions. For security, you should also require that users provide a one-time key generated from a multi-factor authentication (MFA) device.

First you'll need to create the users and roles in IAM, as well as setup an MFA device. You can then set up IAM roles to enforce MFA.

Here's an example configuration using roles and MFA:

[default]
region = us-east-1

[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile foo-readonly]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/ReadOnly

[profile foo-admin]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/Administrator
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role1]
source_profile = jonsmith
role_arn = arn:aws:iam::333333333333:role/Role1
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role2]
source_profile = bar-role1
role_arn = arn:aws:iam::333333333333:role/Role2
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

Here's what you can expect from aws-vault

CommandCredentialsCachedMFA
aws-vault exec jonsmith --no-sessionLong-term credentialsNoNo
aws-vault exec jonsmithsession-tokensession-tokenYes
aws-vault exec foo-readonlyroleNoNo
aws-vault exec foo-adminsession-token + rolesession-tokenYes
aws-vault exec foo-admin --duration=2hroleroleYes
aws-vault exec bar-role2session-token + role + rolesession-tokenYes
aws-vault exec bar-role2 --no-sessionrole + roleroleYes

Auto-logout

Since v7.3+ aws-vault introduced option to automatically try and do a logout first, before login when executing aws-vault login <profile>.

This behavour can be achieved by using --auto-logout or -a flag! Read more in USAGE.md file.

Development

The macOS release builds are code-signed to avoid extra prompts in Keychain. You can verify this with:

$ codesign --verify --verbose $(which aws-vault)

If you are developing or compiling the aws-vault binary yourself, you can generate a self-signed certificate by accessing Keychain Access > Certificate Assistant > Create Certificate -> Certificate Type: Code Signing. You can then sign your binary with:

$ go build .
$ codesign --sign <Name of certificate created above> ./aws-vault

🧰 Contributing

Report issues/questions/feature requests on in the issues section.

Full contributing guidelines are covered here.

Maintainers

References and Inspiration