{"id":47809078,"url":"https://github.com/byteness/aws-vault","last_synced_at":"2026-04-03T18:01:52.380Z","repository":{"id":295685570,"uuid":"988616604","full_name":"ByteNess/aws-vault","owner":"ByteNess","description":"A vault for securely storing and accessing AWS credentials in development environments","archived":false,"fork":false,"pushed_at":"2026-03-31T20:44:50.000Z","size":10514,"stargazers_count":280,"open_issues_count":13,"forks_count":17,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-03-31T22:27:18.360Z","etag":null,"topics":["aws","aws-vault","cli","credentials","iam","keychain","mfa","temporary-credentials"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"99designs/aws-vault","license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ByteNess.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-22T20:15:33.000Z","updated_at":"2026-03-31T20:58:23.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ByteNess/aws-vault","commit_stats":null,"previous_names":["byteness/aws-vault"],"tags_count":183,"template":false,"template_full_name":null,"purl":"pkg:github/ByteNess/aws-vault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Faws-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Faws-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Faws-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Faws-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ByteNess","download_url":"https://codeload.github.com/ByteNess/aws-vault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ByteNess%2Faws-vault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31368156,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-03T17:53:18.093Z","status":"ssl_error","status_checked_at":"2026-04-03T17:53:17.617Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-vault","cli","credentials","iam","keychain","mfa","temporary-credentials"],"created_at":"2026-04-03T18:01:48.109Z","updated_at":"2026-04-03T18:01:52.368Z","avatar_url":"https://github.com/ByteNess.png","language":"Go","readme":"# AWS Vault\n\n[![Downloads](https://img.shields.io/github/downloads/byteness/aws-vault/total)](https://github.com/byteness/aws-vault/releases)\n[![Continuous Integration](https://github.com/byteness/aws-vault/workflows/Continuous%20Integration/badge.svg)](https://github.com/byteness/aws-vault/actions)\n\n\u003e [!NOTE]\n\u003e This is a maintained fork of https://github.com/99designs/aws-vault which is an abandoned project.\n\u003e Contributions are welcome and preferably please open an [issue](https://github.com/ByteNess/aws-vault/issues) first.\n\nAWS Vault is a tool to securely store and access AWS credentials in a development environment.\n\nAWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your [profiles and configuration in `~/.aws/config`](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-config-files).\n\nCheck out the [announcement blog post](https://99designs.com.au/tech-blog/blog/2015/10/26/aws-vault/) for more details.\n\n## Installing\n\nYou can install AWS Vault:\n- by downloading the [latest release](https://github.com/byteness/aws-vault/releases/latest)\n- using [Homebrew](https://formulae.brew.sh/formula/aws-vault): `brew install aws-vault`\n- on Windows with [Chocolatey](https://chocolatey.org/packages/aws-vault): `choco install aws-vault` ([repo](https://github.com/gusztavvargadr/aws-vault-chocolatey) by [Gusztáv Varga](https://github.com/gusztavvargadr))\n- on [NixOS](https://search.nixos.org/packages?channel=unstable\u0026query=aws-vault) (currently only available on the unstable channel): `nix-env -iA nixos.aws-vault`\n\n## Documentation\n\nConfig, usage, tips and tricks are available in the [USAGE.md](./USAGE.md) file.\n\n## Vaulting Backends\n\nThe supported vaulting backends are:\n\n* [macOS Keychain](https://support.apple.com/en-au/guide/keychain-access/welcome/mac)\n* [Windows Credential Manager](https://support.microsoft.com/en-au/help/4026814/windows-accessing-credential-manager)\n* Secret Service ([Gnome Keyring](https://wiki.gnome.org/Projects/GnomeKeyring), [KWallet](https://kde.org/applications/system/org.kde.kwalletmanager5))\n* [KWallet](https://kde.org/applications/system/org.kde.kwalletmanager5)\n* [Pass](https://www.passwordstore.org/)\n* [Passage](https://github.com/FiloSottile/passage)\n* Encrypted file\n* [1Password Connect](https://developer.1password.com/docs/connect/)\n* [1Password Service Accounts](https://developer.1password.com/docs/service-accounts)\n* [1Password Desktop App](https://developer.1password.com/docs/sdks/desktop-app-integrations/)\n\nUse the `--backend` flag or `AWS_VAULT_BACKEND` environment variable to specify.\n\n## Quick start\n\n```shell\n# Store AWS credentials for the \"jonsmith\" profile\n$ aws-vault add jonsmith\nEnter Access Key Id: ABDCDEFDASDASF\nEnter Secret Key: ****************************************\nEnter MFA Device ARN (If MFA is not enabled, leave this blank): arn:aws:iam::123456789012:mfa/jonsmith\nAdded credentials to profile \"jonsmith\" in vault\n\n# Execute a command (using temporary credentials)\n$ aws-vault exec jonsmith -- aws s3 ls\nbucket_1\nbucket_2\n\n# open a browser window and login to the AWS Console\n$ aws-vault login jonsmith\n\n# List credentials\n$ aws-vault list\nProfile                  Credentials              Sessions\n=======                  ===========              ========\njonsmith                 jonsmith                 -\n\n# Start a subshell with temporary credentials\n$ aws-vault exec jonsmith\nStarting subshell /bin/zsh, use `exit` to exit the subshell\n$ aws s3 ls\nbucket_1\nbucket_2\n```\n\n## How it works\n\n`aws-vault` uses Amazon's STS service to generate [temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) via the `GetSessionToken` or `AssumeRole` API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.\n\nAWS Vault then exposes the temporary credentials to the sub-process in one of two ways\n\n1. **Environment variables** are written to the sub-process. Notice in the below example how the AWS credentials get written out\n   ```shell\n   $ aws-vault exec jonsmith -- env | grep AWS\n   AWS_VAULT=jonsmith\n   AWS_DEFAULT_REGION=us-east-1\n   AWS_REGION=us-east-1\n   AWS_ACCESS_KEY_ID=%%%\n   AWS_SECRET_ACCESS_KEY=%%%\n   AWS_SESSION_TOKEN=%%%\n   AWS_CREDENTIAL_EXPIRATION=2020-04-16T11:16:27Z\n   ```\n2. **Local metadata server** is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible.\n   ```shell\n   $ aws-vault exec --server jonsmith -- env | grep AWS\n   AWS_VAULT=jonsmith\n   AWS_DEFAULT_REGION=us-east-1\n   AWS_REGION=us-east-1\n   AWS_CONTAINER_CREDENTIALS_FULL_URI=%%%\n   AWS_CONTAINER_AUTHORIZATION_TOKEN=%%%\n   ```\n\nThe default is to use environment variables, but you can opt-in to the local instance metadata server with the `--server` flag on the `exec` command.\n\n## Roles and MFA\n\n[Best-practice](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#delegate-using-roles) is to [create Roles to delegate permissions](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html). For security, you should also require that users provide a one-time key generated from a multi-factor authentication (MFA) device.\n\nFirst you'll need to create the users and roles in IAM, as well as [setup an MFA device](https://docs.aws.amazon.com/IAM/latest/UserGuide/GenerateMFAConfigAccount.html). You can then [set up IAM roles to enforce MFA](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa).\n\nHere's an example configuration using roles and MFA:\n\n```ini\n[default]\nregion = us-east-1\n\n[profile jonsmith]\nmfa_serial = arn:aws:iam::111111111111:mfa/jonsmith\n\n[profile foo-readonly]\nsource_profile = jonsmith\nrole_arn = arn:aws:iam::22222222222:role/ReadOnly\n\n[profile foo-admin]\nsource_profile = jonsmith\nrole_arn = arn:aws:iam::22222222222:role/Administrator\nmfa_serial = arn:aws:iam::111111111111:mfa/jonsmith\n\n[profile bar-role1]\nsource_profile = jonsmith\nrole_arn = arn:aws:iam::333333333333:role/Role1\nmfa_serial = arn:aws:iam::111111111111:mfa/jonsmith\n\n[profile bar-role2]\nsource_profile = bar-role1\nrole_arn = arn:aws:iam::333333333333:role/Role2\nmfa_serial = arn:aws:iam::111111111111:mfa/jonsmith\n```\n\nHere's what you can expect from aws-vault\n\n| Command                                  | Credentials                 | Cached        | MFA |\n|------------------------------------------|-----------------------------|---------------|-----|\n| `aws-vault exec jonsmith --no-session`   | Long-term credentials       | No            | No  |\n| `aws-vault exec jonsmith`                | session-token               | session-token | Yes |\n| `aws-vault exec foo-readonly`            | role                        | No            | No  |\n| `aws-vault exec foo-admin`               | session-token + role        | session-token | Yes |\n| `aws-vault exec foo-admin --duration=2h` | role                        | role          | Yes |\n| `aws-vault exec bar-role2`               | session-token + role + role | session-token | Yes |\n| `aws-vault exec bar-role2 --no-session`  | role + role                 | role          | Yes |\n\n## Auto-logout\n\nSince v7.3+ `aws-vault` introduced option to automatically try and do a logout first, before login when executing `aws-vault login \u003cprofile\u003e`.\n\nThis behavour can be achieved by using `--auto-logout` or `-a` flag! Read more in [USAGE.md](./USAGE.md) file.\n\n## Development\n\nThe [macOS release builds](https://github.com/byteness/aws-vault/releases) are code-signed to avoid extra prompts in Keychain. You can verify this with:\n```shell\n$ codesign --verify --verbose $(which aws-vault)\n```\n\nIf you are developing or compiling the aws-vault binary yourself, you can [generate a self-signed certificate](https://support.apple.com/en-au/guide/keychain-access/kyca8916/mac) by accessing Keychain Access \u003e Certificate Assistant \u003e Create Certificate -\u003e Certificate Type: Code Signing. You can then sign your binary with:\n```shell\n$ go build .\n$ codesign --sign \u003cName of certificate created above\u003e ./aws-vault\n```\n\n## 🧰 Contributing\n\nReport issues/questions/feature requests on in the [issues](https://github.com/byteness/aws-vault/issues/new) section.\n\nFull contributing [guidelines are covered here](.github/CONTRIBUTING.md).\n\n## Maintainers\n\n* [Marko Bevc](https://github.com/mbevc1)\n* Full [contributors list](https://github.com/byteness/aws-vault/graphs/contributors)\n\n\n## References and Inspiration\n\n * https://github.com/pda/aws-keychain\n * https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html\n * https://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users\n * https://github.com/makethunder/awsudo\n * https://github.com/AdRoll/hologram\n * https://github.com/realestate-com-au/credulous\n * https://github.com/dump247/aws-mock-metadata\n * https://boto.readthedocs.org/en/latest/boto_config_tut.html\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbyteness%2Faws-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbyteness%2Faws-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbyteness%2Faws-vault/lists"}