99designs
aws-vault
Go

A vault for securely storing and accessing AWS credentials in development environments

Last updated Jul 8, 2026
9.0k
Stars
833
Forks
0
Issues
0
Stars/day
Attention Score
88
Language breakdown
No language data available.
Files click to expand
README

AWS Vault

Downloads Continuous Integration

[!WARNING]
This project has been abandoned and it's not receiving any more updates. If you want to continue to receive updates
or contribute, please feel free to look at the active fork at: https://github.com/ByteNess/aws-vault

AWS Vault is a tool to securely store and access AWS credentials in a development environment.

AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your profiles and configuration in ~/.aws/config.

Check out the announcement blog post for more details.

Installing

You can install AWS Vault:

  • by downloading the latest release
  • on macOS with Homebrew: brew install aws-vault
  • on macOS with MacPorts: port install aws-vault
  • on Windows with Chocolatey: choco install aws-vault
  • on Windows with Scoop: scoop install aws-vault
  • on Linux with Homebrew on Linux: brew install aws-vault
  • on Arch Linux: pacman -S aws-vault
  • on Gentoo Linux: emerge --ask app-admin/aws-vault (enable Guru first)
  • on FreeBSD: pkg install aws-vault
  • on OpenSUSE: enable devel:languages:go repo then zypper install aws-vault
  • with Nix: nix-env -i aws-vault
  • with asdf-vm: asdf plugin-add aws-vault https://github.com/karancode/asdf-aws-vault.git && asdf install aws-vault <version>

Documentation

Config, usage, tips and tricks are available in the USAGE.md file.

Vaulting Backends

The supported vaulting backends are:

Use the --backend flag or AWSVAULTBACKEND environment variable to specify.

Quick start

# Store AWS credentials for the "jonsmith" profile
$ aws-vault add jonsmith
Enter Access Key Id: ABDCDEFDASDASF
Enter Secret Key: %%%

Execute a command (using temporary credentials)

$ aws-vault exec jonsmith -- aws s3 ls bucket_1 bucket_2

open a browser window and login to the AWS Console

$ aws-vault login jonsmith

List credentials

$ aws-vault list Profile Credentials Sessions ======= =========== ======== jonsmith jonsmith -

Start a subshell with temporary credentials

$ aws-vault exec jonsmith Starting subshell /bin/zsh, use exit to exit the subshell $ aws s3 ls bucket_1 bucket_2

How it works

aws-vault uses Amazon's STS service to generate temporary credentials via the GetSessionToken or AssumeRole API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.

AWS Vault then exposes the temporary credentials to the sub-process in one of two ways

  • Environment variables are written to the sub-process. Notice in the below example how the AWS credentials get written out
$ aws-vault exec jonsmith -- env | grep AWS
   AWS_VAULT=jonsmith
   AWSDEFAULTREGION=us-east-1
   AWS_REGION=us-east-1
   AWSACCESSKEY_ID=%%%
   AWSSECRETACCESS_KEY=%%%
   AWSSESSIONTOKEN=%%%
   AWSCREDENTIALEXPIRATION=2020-04-16T11:16:27Z
  • Local metadata server is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible.
$ aws-vault exec --server jonsmith -- env | grep AWS
   AWS_VAULT=jonsmith
   AWSDEFAULTREGION=us-east-1
   AWS_REGION=us-east-1
   AWSCONTAINERCREDENTIALSFULLURI=%%%
   AWSCONTAINERAUTHORIZATION_TOKEN=%%%

The default is to use environment variables, but you can opt-in to the local instance metadata server with the --server flag on the exec command.

Roles and MFA

Best-practice is to create Roles to delegate permissions. For security, you should also require that users provide a one-time key generated from a multi-factor authentication (MFA) device.

First you'll need to create the users and roles in IAM, as well as setup an MFA device. You can then set up IAM roles to enforce MFA.

Here's an example configuration using roles and MFA:

[default]
region = us-east-1

[profile jonsmith] mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile foo-readonly] source_profile = jonsmith role_arn = arn:aws:iam::22222222222:role/ReadOnly

[profile foo-admin] source_profile = jonsmith role_arn = arn:aws:iam::22222222222:role/Administrator mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role1] source_profile = jonsmith role_arn = arn:aws:iam::333333333333:role/Role1 mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role2] source_profile = bar-role1 role_arn = arn:aws:iam::333333333333:role/Role2 mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

Here's what you can expect from aws-vault

| Command | Credentials | Cached | MFA | |------------------------------------------|-----------------------------|---------------|-----| | aws-vault exec jonsmith --no-session | Long-term credentials | No | No | | aws-vault exec jonsmith | session-token | session-token | Yes | | aws-vault exec foo-readonly | role | No | No | | aws-vault exec foo-admin | session-token + role | session-token | Yes | | aws-vault exec foo-admin --duration=2h | role | role | Yes | | aws-vault exec bar-role2 | session-token + role + role | session-token | Yes | | aws-vault exec bar-role2 --no-session | role + role | role | Yes |

Development

The macOS release builds are code-signed to avoid extra prompts in Keychain. You can verify this with:

$ codesign --verify --verbose $(which aws-vault)

If you are developing or compiling the aws-vault binary yourself, you can generate a self-signed certificate by accessing Keychain Access > Certificate Assistant > Create Certificate -> Certificate Type: Code Signing. You can then sign your binary with:

$ go build . $ codesign --sign <Name of certificate created above> ./aws-vault

References and Inspiration

* https://github.com/pda/aws-keychain * https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html * https://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users * https://github.com/makethunder/awsudo * https://github.com/AdRoll/hologram * https://github.com/realestate-com-au/credulous * https://github.com/dump247/aws-mock-metadata * https://boto.readthedocs.org/en/latest/botoconfigtut.html

🔗 More in this category

© 2026 GitRepoTrend · 99designs/aws-vault · Updated daily from GitHub