LinuxCommandLibrary

aws-vault

Securely manage and access AWS credentials

TLDR

Add credentials to the secure keystore
$ aws-vault add [profile]

Execute a command with AWS credentials in the environment
$ aws-vault exec [profile] -- [aws s3 ls]

Open a browser window and login to the AWS Console
$ aws-vault login [profile]

List profiles, along with their credentials and sessions
$ aws-vault list

Rotate AWS credentials
$ aws-vault rotate [profile]

Remove credentials from the secure keystore
$ aws-vault remove [profile]

SYNOPSIS

aws-vault [options] command [arguments]
aws-vault exec [profile] [--] command [arguments]
aws-vault add profile
aws-vault ls
aws-vault rotate profile

PARAMETERS

exec [profile] [--] command [arguments]
    Executes a specified command with temporary AWS credentials fetched for the given profile. This is the primary way to use aws-vault.

add profile
    Interactively prompts for AWS access keys (Access Key ID and Secret Access Key) and securely stores them for the specified profile.

remove profile
    Removes the stored credentials for the specified profile from the secure vault.

ls
    Lists all AWS profiles for which credentials are currently stored within the vault.

rotate profile
    Rotates the access keys for a given profile, prompting for the new access key ID and secret access key. It ensures the old keys are removed after rotation.

clear
    Clears all cached session tokens, forcing new authentication (e.g., MFA prompt) on the next use of credentials for any profile.

--profile=
    A global option to explicitly specify the AWS profile to operate on for commands that support it.

--duration=
    (For exec) Sets the duration for the temporary credentials before they expire (e.g., '1h' for one hour, '30m' for thirty minutes).

--session-ttl=
    (For exec) Sets the Time-To-Live (TTL) for the assumed role session within the vault's cache. This is typically longer than the credential duration.

--no-session
    (For exec) Disables caching of session tokens, forcing aws-vault to prompt for MFA or re-authenticate every time credentials are requested.

DESCRIPTION

aws-vault is a command-line tool designed to securely store and manage AWS credentials on your local machine. Unlike storing credentials in plain text files (e.g., ~/.aws/credentials) or directly in environment variables, aws-vault encrypts them within your operating system's native keystore (such as macOS Keychain, Linux Secret Service/pass, or Windows Credential Manager). It provides temporary credentials on demand, prompting for MFA tokens when required, and automatically handles refreshing expired tokens. This approach significantly enhances security by minimizing the exposure of long-lived access keys and streamlining the use of IAM roles and multi-factor authentication for AWS CLI operations.

CAVEATS

aws-vault relies on the operating system's native keyring/credential manager for secure storage. On Linux, this may require a working desktop environment's keyring service (like GNOME Keyring or KWallet) or a CLI-based alternative like 'pass'.
While enhancing security, it introduces an additional dependency and step for credential management, which might require adjustments for automated scripts or CI/CD pipelines (though the export command can mitigate this).

INTEGRATION WITH ~/.AWS/CONFIG

aws-vault manages the AWS access key ID and secret access key securely. However, it still relies on your ~/.aws/config file for other profile-specific configurations, such as the default region, output format, role_arn for IAM role assumption, and mfa_serial for multi-factor authentication device details.

EXPORTING CREDENTIALS FOR SCRIPTING

For scenarios requiring credentials outside of a direct command execution (e.g., within a shell script that needs to set environment variables), aws-vault offers the export command. For example, eval $(aws-vault export --format=json profile | jq -r 'to_entries|map("export AWS_" + .key + "=\"" + .value + "\"")|.[]') can be used to set the temporary credentials as environment variables in the current shell session. Note that `jq` is often needed for parsing the JSON output effectively.
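As an added example (not code from the page or the aws-vault project), a small Python wrapper around the export command described above that hands temporary credentials only to a child process, refuses output without a session token, and rejects already-expired credentials. It assumes that `aws-vault export --format=json` emits credential_process-style JSON with AccessKeyId, SecretAccessKey, SessionToken and Expiration keys; `env_from_export` and `run_with_vault` are hypothetical names.

```python
import json
import os
import subprocess
from datetime import datetime, timezone

# Assumed mapping: credential_process-style keys that
# `aws-vault export --format=json` emits, to the variable
# names the AWS CLI and SDKs read from the environment.
KEY_TO_ENV = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def env_from_export(raw_json, now=None):
    """Turn aws-vault's JSON export into AWS_* variables.

    Refuses output that lacks a session token (i.e. would be a
    long-lived key) or whose Expiration has already passed.
    """
    creds = json.loads(raw_json)
    missing = [k for k in KEY_TO_ENV if not creds.get(k)]
    if missing:
        raise ValueError(f"export output missing {missing}")
    exp = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if exp <= now:
        raise ValueError(f"temporary credentials expired at {exp.isoformat()}")
    return {KEY_TO_ENV[k]: creds[k] for k in KEY_TO_ENV}


def run_with_vault(profile, argv):
    """Fetch temporary credentials for `profile` and run `argv` with them.

    Credentials exist only in the child's environment: nothing is written
    to disk and the parent's own environment is left untouched.
    """
    exported = subprocess.run(
        ["aws-vault", "export", "--format=json", profile],
        check=True, capture_output=True, text=True,
    ).stdout
    child_env = {**os.environ, **env_from_export(exported)}
    return subprocess.run(argv, env=child_env).returncode


# Constructed sample of the export output, for the offline check below.
SAMPLE_EXPORT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "exampleSecretKeyNotReal",
    "SessionToken": "exampleSessionTokenNotReal",
    "Expiration": "2030-01-01T00:00:00Z",
})

if __name__ == "__main__":
    print(sorted(env_from_export(SAMPLE_EXPORT)))
```

A real invocation would be `run_with_vault("profile", ["aws", "s3", "ls"])`, which is the same effect as `aws-vault exec` but with the credential check under your control.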

HISTORY

aws-vault was developed and open-sourced by 99designs (now part of Canva) to address the need for a more secure and convenient way to manage AWS credentials, especially in environments where users frequently switch IAM roles or require Multi-Factor Authentication (MFA). It quickly gained traction in the AWS community as a robust solution to a common security challenge, providing a secure alternative to storing plaintext credentials or relying on environment variables alone.

SEE ALSO

aws(1), pass(1), keyctl(1)
