99designs/aws-vault

8,970 · Go · Audience · ops devops · Complexity · 2/5 · Setup · easy

TLDR

A command-line tool that stores your AWS access keys in your operating system's secure keychain and generates short-lived temporary credentials for each command, preventing accidental key leaks. Note: the original repo is abandoned; an active fork exists.

Mindmap

mindmap
  root((repo))
    What it does
      Secure AWS credentials
      Short-lived temp keys
    How it works
      OS keychain storage
      Injects env vars
      Credentials expire
    Keystore Backends
      macOS Keychain
      Windows Credential Manager
      Linux Gnome KWallet
      Pass encrypted file
    Features
      Multi-account chaining
      MFA support
      Console login command

Things people build with this

USE CASE 1

Stop storing long-lived AWS keys in a plain text file, move them to macOS Keychain or Windows Credential Manager with one command.

USE CASE 2

Prefix any AWS CLI command with `aws-vault exec profilename --` to run it with auto-expiring temporary credentials.

USE CASE 3

Open the AWS web console in your browser already logged in to a specific account without typing credentials.

USE CASE 4

Handle multi-account AWS setups where you chain role assumptions and need MFA prompts automated.

Tech stack

Go

Getting it running

Difficulty · easy · Time to first run · 5min

Available via Homebrew, Chocolatey, Scoop, and Linux package managers. Requires an existing AWS account with access keys.

No license information is mentioned in the explanation.

In plain English

AWS Vault is a command-line tool that helps developers work with Amazon Web Services more safely on their own computers. The core problem it addresses is that long-lived AWS access keys stored in a plain text file (the default approach) are easy to accidentally leak through logs, environment dumps, or copied config files. AWS Vault stores those keys in your operating system's built-in secure keystore instead, and then generates short-lived temporary credentials each time you actually need them.

Note: the README states the project has been abandoned, and points to an active fork maintained by a different team.

The way it works in practice is straightforward. You add a named AWS profile to the vault once, providing your access key ID and secret. After that, when you want to run any AWS-related command, you prefix it with `aws-vault exec profilename --` and the tool fetches temporary credentials from Amazon's security service, injects them as environment variables for that single command, and then they expire on their own. The temporary credentials typically last a short period, so even if they were captured they would soon be useless.

The tool can also open your browser directly to the AWS web console, logged into a specific account or role, using the login command. This avoids having to manually type credentials into a browser form.

For teams that use multiple AWS accounts or permission roles, the tool reads your existing AWS configuration file and understands how to chain through profiles. You can set up a profile that starts with your base credentials and then assumes a role in a different account. Multi-factor authentication is supported too: if your AWS setup requires a one-time code from an authenticator app before assuming a role, the tool will prompt for it at the right moment.

The secure keystore backends it supports include macOS Keychain, Windows Credential Manager, Gnome Keyring and KWallet on Linux, the Pass password manager, and an encrypted file option.

It is available through most major package managers on macOS, Windows, and Linux, including Homebrew, Chocolatey, Scoop, and several Linux package systems.
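
The "inject as environment variables for that single command" step described above, as an added Go example that is not aws-vault's own code: it builds the environment for one child process from a set of temporary credentials, drops any AWS credential variables inherited from the parent shell, and refuses credentials that are past their expiry. The names `TempCreds`, `ChildEnv` and `Run` and the sample values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
	"time"
)

// TempCreds holds the three values of a temporary AWS session plus its expiry.
type TempCreds struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}

// ChildEnv copies base without inherited AWS credential variables, then appends the temporary ones.
func ChildEnv(base []string, c TempCreds, now time.Time) ([]string, error) {
	if !now.Before(c.Expiration) {
		return nil, errors.New("temporary credentials have expired")
	}
	drop := map[string]bool{"AWS_ACCESS_KEY_ID": true, "AWS_SECRET_ACCESS_KEY": true, "AWS_SESSION_TOKEN": true}
	env := make([]string, 0, len(base)+3) // new slice, so base is never modified
	for _, kv := range base {
		if !drop[strings.SplitN(kv, "=", 2)[0]] {
			env = append(env, kv)
		}
	}
	return append(env, "AWS_ACCESS_KEY_ID="+c.AccessKeyID,
		"AWS_SECRET_ACCESS_KEY="+c.SecretAccessKey, "AWS_SESSION_TOKEN="+c.SessionToken), nil
}

// Run executes argv with the credentials visible only to that child process.
func Run(argv []string, c TempCreds) error {
	env, err := ChildEnv(os.Environ(), c, time.Now())
	if err != nil {
		return err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Env, cmd.Stdout, cmd.Stderr = env, os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	c := TempCreds{"ASIACONSTRUCTED0000", "constructed-secret", "constructed-token", time.Now().Add(time.Hour)} // constructed sample values
	err := Run([]string{"sh", "-c", `echo "child sees $AWS_ACCESS_KEY_ID"`}, c)
	fmt.Println("parent has AWS_SESSION_TOKEN:", os.Getenv("AWS_SESSION_TOKEN") != "", "error:", err)
}
```

Because the variables are set only on the child's environment, the parent shell never holds them, and a stale long-lived key exported earlier in that shell does not reach the command.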

Copy-paste prompts

Prompt 1
Show me how to add an AWS profile to aws-vault and then run `aws s3 ls` using temporary credentials from that profile.
Prompt 2
How do I configure aws-vault to assume a cross-account IAM role and prompt me for an MFA code before running a command?
Prompt 3
How do I open the AWS console in my browser for a specific aws-vault profile using the `aws-vault login` command?
Prompt 4
Set up aws-vault on Linux to use the Pass password manager as the keystore backend instead of Gnome Keyring.

Verify against the repo before relying on details.