Aws Vault

A vault for securely storing and accessing AWS credentials in development environments
Alternatives To Aws Vault
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Aws Cli14,3062,71033714 hours ago1,766August 02, 2023525otherPython
Universal Command Line Interface for Amazon Web Services
Aws Sdk Go8,4245,10012,070a day ago1,859August 04, 202350apache-2.0Go
AWS SDK for the Go programming language.
Aws Vault7,71715a month ago103March 20, 202350mitGo
A vault for securely storing and accessing AWS credentials in development environments
Aws Sdk Ruby3,46620,4621,486a day ago1,207September 01, 202124apache-2.0Ruby
The official AWS SDK for Ruby.
Wal G2,712
8 hours ago62March 16, 2022248otherGo
Archival and Restoration for databases in the Cloud
Rusoto2,5951644279 months ago26April 25, 2022255mitRust
AWS SDK for Rust
Components2,305133810 months ago509January 19, 2022151apache-2.0JavaScript
The Serverless Framework's new infrastructure provisioning technology — Build, compose, & deploy serverless apps in seconds...
Amazon Ecr Credential Helper2,27452404 days ago7March 24, 202282apache-2.0Go
Automatically gets credentials for Amazon ECR on docker push/docker pull
6066 months ago109October 11, 201776otherScala
Manage an S3 website: sync, deliver via CloudFront, benefit from advanced S3 website features.
Configure Aws Credentials2,028
4 days ago15mitTypeScript
Configure AWS credential environment variables for use in other GitHub Actions.
Alternatives To Aws Vault
Select To Compare

Alternative Project Comparisons

AWS Vault

Downloads Continuous Integration

AWS Vault is a tool to securely store and access AWS credentials in a development environment.

AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your profiles and configuration in ~/.aws/config.

Check out the announcement blog post for more details.


You can install AWS Vault:

  • by downloading the latest release
  • on macOS with Homebrew Cask: brew install --cask aws-vault
  • on macOS with MacPorts: port install aws-vault
  • on Windows with Chocolatey: choco install aws-vault
  • on Windows with Scoop: scoop install aws-vault
  • on Linux with Homebrew on Linux: brew install aws-vault
  • on Arch Linux: pacman -S aws-vault
  • on Gentoo Linux: emerge --ask app-admin/aws-vault (enable Guru first)
  • on FreeBSD: pkg install aws-vault
  • on OpenSUSE: enable devel:languages:go repo then zypper install aws-vault
  • with Nix: nix-env -i aws-vault
  • with asdf-vm: asdf plugin-add aws-vault && asdf install aws-vault <version>


Config, usage, tips and tricks are available in the file.

Vaulting Backends

The supported vaulting backends are:

Use the --backend flag or AWS_VAULT_BACKEND environment variable to specify.

Quick start

# Store AWS credentials for the "jonsmith" profile
$ aws-vault add jonsmith
Enter Secret Key: %%%

# Execute a command (using temporary credentials)
$ aws-vault exec jonsmith -- aws s3 ls

# open a browser window and login to the AWS Console
$ aws-vault login jonsmith

# List credentials
$ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
jonsmith                 jonsmith                 -

# Start a subshell with temporary credentials
$ aws-vault exec jonsmith
Starting subshell /bin/zsh, use `exit` to exit the subshell
$ aws s3 ls

How it works

aws-vault uses Amazon's STS service to generate temporary credentials via the GetSessionToken or AssumeRole API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.

AWS Vault then exposes the temporary credentials to the sub-process in one of two ways

  1. Environment variables are written to the sub-process. Notice in the below example how the AWS credentials get written out
    $ aws-vault exec jonsmith -- env | grep AWS
  2. Local metadata server is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible.
    $ aws-vault exec --server jonsmith -- env | grep AWS

The default is to use environment variables, but you can opt-in to the local instance metadata server with the --server flag on the exec command.

Roles and MFA

Best-practice is to create Roles to delegate permissions. For security, you should also require that users provide a one-time key generated from a multi-factor authentication (MFA) device.

First you'll need to create the users and roles in IAM, as well as setup an MFA device. You can then set up IAM roles to enforce MFA.

Here's an example configuration using roles and MFA:

region = us-east-1

[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile foo-readonly]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/ReadOnly

[profile foo-admin]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/Administrator
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role1]
source_profile = jonsmith
role_arn = arn:aws:iam::333333333333:role/Role1
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role2]
source_profile = bar-role1
role_arn = arn:aws:iam::333333333333:role/Role2
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

Here's what you can expect from aws-vault

Command Credentials Cached MFA
aws-vault exec jonsmith --no-session Long-term credentials No No
aws-vault exec jonsmith session-token session-token Yes
aws-vault exec foo-readonly role No No
aws-vault exec foo-admin session-token + role session-token Yes
aws-vault exec foo-admin --duration=2h role role Yes
aws-vault exec bar-role2 session-token + role + role session-token Yes
aws-vault exec bar-role2 --no-session role + role role Yes


The macOS release builds are code-signed to avoid extra prompts in Keychain. You can verify this with:

$ codesign --verify --verbose $(which aws-vault)

If you are developing or compiling the aws-vault binary yourself, you can generate a self-signed certificate by accessing Keychain Access > Certificate Assistant > Create Certificate -> Certificate Type: Code Signing. You can then sign your binary with:

$ go build .
$ codesign --sign <Name of certificate created above> ./aws-vault

References and Inspiration

Popular Credentials Projects
Popular Amazon Web Services Projects
Popular Security Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.