aws-vault
Securely manage and access AWS credentials
TLDR
Add credentials to the secure keystore
Execute a command with AWS credentials in the environment
Open a browser window and login to the AWS Console
List profiles, along with their credentials and sessions
Rotate AWS credentials
Remove credentials from the secure keystore
SYNOPSIS
aws-vault COMMAND [OPTIONS] [ARGS]
Common commands: add PROFILE | exec PROFILE [-- COMMAND [ARGS]] | remove PROFILE
PARAMETERS
add PROFILE
    Interactively prompt for AWS credentials and store them encrypted for the named profile.
exec PROFILE [-- SESSION_NAME] [-- COMMAND [ARGS]]
    Execute a command with temporary AWS credentials from the profile set as environment variables.
remove PROFILE
    Delete the credentials for the specified profile from the vault.
server [--listen-address ADDR] [--port PORT] [--session-duration DURATION]
    Start an HTTP server providing temporary AWS credentials for clients like the AWS CLI or SDKs.
list-profiles
    List all profiles stored in the vault.
--vault PATH
    Specify a custom vault file instead of the default (~/.aws-vault.json).
--no-session-cache
    Disable caching of unlocked sessions to force a password prompt every time.
-u, --unattended
    Run without interactive prompts (for scripts).
--duration DURATION
    Set the maximum session duration (e.g., 1h, 12h).
-h, --help
    Display help for the command.
--version
    Show the aws-vault version.
DESCRIPTION
aws-vault is an open-source command-line tool designed to securely store and manage AWS access keys, secret keys, and session tokens in your system's native credential storage. On Linux, it integrates with backends like gnome-keyring (via libsecret), KWallet, or the Unix password manager pass. Instead of storing credentials in plaintext files or environment variables, aws-vault encrypts them and prompts for your keychain password only when accessing them.
This minimizes security risks such as credential leakage from shell history, process lists, or shared environments. Key features include adding profiles interactively, executing commands with temporary AWS environment variables via exec, and running a local credential server for tools like Terraform. It supports MFA, multiple profiles, and role assumption. Suited to developer and DevOps workflows, it works seamlessly with the AWS CLI and avoids exposing long-lived credentials.
Usage is straightforward: add credentials once, then run commands under a profile without re-entering keys each time. Session caching reduces password prompts during active sessions.
CAVEATS
Requires a supported Linux backend (libsecret/gnome-keyring, kwallet, or pass); install via package managers or binaries. May prompt multiple times without session cache. Not for production credential rotation.
INSTALLATION
On Debian/Ubuntu: sudo apt install aws-vault or download from GitHub releases. For pass backend: install pass and set AWS_VAULT_BACKEND=pass.
EXAMPLES
aws-vault add prod
    Add a profile.
aws-vault exec prod -- aws s3 ls
    Run a command with temporary credentials in its environment.
aws-vault exec prod -- bash
    Start an interactive shell under the profile.
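The point of the exec pattern above is that long-lived keys never sit in ~/.aws/credentials and AWS commands only see short-lived session credentials. The following POSIX shell script is an added example, not part of aws-vault or its documentation: it audits a credentials file for profiles that still carry a plaintext aws_secret_access_key (candidates for migration into the vault), and it refuses to run unless started under aws-vault exec, which exports AWS_VAULT=<profile> to the child process. The sample credentials file and every key value in it are constructed and fake.

```shell
#!/bin/sh
# Added example (not aws-vault's own code): find plaintext long-lived keys that
# should live in the vault, and guard scripts so they only run under exec.
set -eu

# Print the names of profiles in an AWS credentials file (INI format) that
# still contain a plaintext aws_secret_access_key. Config-style headers such as
# "[profile staging]" are reported as written, including the "profile " prefix.
find_plaintext_profiles() {
    awk '
        /^[[:space:]]*\[/ {
            # Section header: strip the surrounding brackets and whitespace.
            section = $0
            sub(/^[[:space:]]*\[[[:space:]]*/, "", section)
            sub(/[[:space:]]*\].*$/, "", section)
            next
        }
        /^[[:space:]]*aws_secret_access_key[[:space:]]*=/ && section != "" {
            if (!seen[section]++) print section
        }
    ' "$1"
}

# Fail unless this shell was started by "aws-vault exec", which sets AWS_VAULT
# to the profile name in the child environment. Prints the profile on success.
require_vault_session() {
    if [ -z "${AWS_VAULT:-}" ]; then
        echo "refusing to run: not inside an aws-vault exec session" >&2
        return 1
    fi
    printf '%s\n' "$AWS_VAULT"
}

# Constructed sample credentials file for the demonstration (fake values).
SAMPLE_CREDS="$(mktemp)"
trap 'rm -f "$SAMPLE_CREDS"' EXIT
cat > "$SAMPLE_CREDS" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = exampleSecretNotRealxxxxxxxxxxxxxxxxxxxx

[vaulted]
region = eu-west-1

[staging]
aws_access_key_id = AKIAEXAMPLEEXAMPLE02
aws_secret_access_key = exampleSecretNotRealyyyyyyyyyyyyyyyyyyyy
EOF

echo "profiles with plaintext long-lived keys (move these into aws-vault):"
find_plaintext_profiles "$SAMPLE_CREDS"
```

Run the audit against the real file with find_plaintext_profiles ~/.aws/credentials; after a profile has been moved with aws-vault add, its plaintext key lines can be deleted and it disappears from the report. A deployment script that starts with require_vault_session then fails fast when someone runs it directly instead of via aws-vault exec PROFILE -- ./script.sh.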
HISTORY
Created by 99designs in 2015 as a secure alternative to plaintext AWS credential files. Gained popularity for macOS keychain integration, later expanded to Linux and Windows. Actively maintained on GitHub (mitchellh/aws-vault fork dominant), with releases supporting modern AWS features like SSO.
SEE ALSO
aws(1), pass(1), secret-tool(1)