wingetCollections
  • Auto
  • Search
  • Awesome Collections
  • Awesome Programs
  • My Favorite Collections
  • My Collections
  • Account / Settings
  • Terms of Service
  • Privacy
  • About

© 2025 winget.ragerworks.com

Loading...
Install aws-vault using Winget - wingetCollections
  1. Go back
  2. Packages
  3. aws-vault
aws-vault logo

aws-vault 99designs

aws
Use this command to install aws-vault:
winget install --id=99designs.aws-vault -e

A vault for securely storing and accessing AWS credentials in development environments

aws-vault is a tool designed to securely manage AWS credentials in development environments by storing IAM credentials securely and generating temporary credentials for use with AWS services.

Key Features:

  • Secure Credential Storage: Stores IAM credentials securely using your operating system's keystore, ensuring sensitive information is protected.
  • Temporary Credentials Generation: Utilizes Amazon's STS service to generate temporary credentials via GetSessionToken or AssumeRole API calls, reducing the risk of exposure.
  • Integration with AWS CLI Tools: Works seamlessly with existing AWS CLI tools and configurations, maintaining compatibility with profiles and settings in ~/.aws/config.
  • Multiple Vaulting Backends Support: Offers support for various vaulting backends including macOS Keychain, Windows Credential Manager, Secret Service (Gnome Keyring, KWallet), Pass, and encrypted files, allowing flexibility in credential management.
  • Multi-Factor Authentication (MFA) and Role Handling: Supports MFA and role-based access control, enabling users to enforce best practices for security by requiring one-time keys from MFA devices and managing roles effectively.

Audience & Benefit:

Ideal for developers working with AWS in development environments, aws-vault provides a secure and efficient way to manage credentials. By integrating with existing tools and supporting best practices like MFA and role-based access, it ensures compliance with security standards while reducing the risk of credential exposure.

README

AWS Vault

Downloads Continuous Integration

AWS Vault is a tool to securely store and access AWS credentials in a development environment.

AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your profiles and configuration in ~/.aws/config.

Check out the announcement blog post for more details.

Installing

You can install AWS Vault:

  • by downloading the latest release
  • on macOS with Homebrew Cask: brew install --cask aws-vault
  • on macOS with MacPorts: port install aws-vault
  • on Windows with Chocolatey: choco install aws-vault
  • on Windows with Scoop: scoop install aws-vault
  • on Linux with Homebrew on Linux: brew install aws-vault
  • on Arch Linux: pacman -S aws-vault
  • on Gentoo Linux: emerge --ask app-admin/aws-vault (enable Guru first)
  • on FreeBSD: pkg install aws-vault
  • on OpenSUSE: enable devel:languages:go repo then zypper install aws-vault
  • with Nix: nix-env -i aws-vault

Related Programs

AWS Command Line Interface logo

AWS Command Line Interface

Amazon Web Services
The AWS CLI is an open source tool built on top of the AWS SDK for Python (Boto) that provides commands for interacting with AWS services. With
aws.amazon.com
AWS SAM Command Line Interface logo

AWS SAM Command Line Interface

AWS Serverless Applications
The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications.
aws.amazon.com
Secrets OPerationS logo

Secrets OPerationS

Mozilla
sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age,
github.com
Session Manager Plugin logo

Session Manager Plugin

Amazon Web Services
Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon Elastic Compute Cloud (Amazon EC2) instances,
docs.aws.amazon.com
Amazon SSM Agent logo

Amazon SSM Agent

Amazon Web Services
AWS Systems Manager Agent (SSM Agent) is Amazon software that runs on Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises
docs.aws.amazon.com
Coder logo

Coder

Coder Technologies, Inc.
Coder is an open source platform for creating and managing developer workspaces on your preferred clouds and servers. By building on top of common
github.com
AWS Command Line Interface logo

AWS Command Line Interface

Amazon Web Services
The AWS CLI is an open source tool built on top of the AWS SDK for Python (Boto) that provides commands for interacting with AWS services. With
aws.amazon.com
AWS SAM Command Line Interface logo

AWS SAM Command Line Interface

AWS Serverless Applications
The AWS Serverless Application Model (SAM) is an open-source framework for building serverless applications.
aws.amazon.com
Secrets OPerationS logo

Secrets OPerationS

Mozilla
sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age,
github.com
Session Manager Plugin logo

Session Manager Plugin

Amazon Web Services
Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon Elastic Compute Cloud (Amazon EC2) instances,
docs.aws.amazon.com
Amazon SSM Agent logo

Amazon SSM Agent

Amazon Web Services
AWS Systems Manager Agent (SSM Agent) is Amazon software that runs on Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises
docs.aws.amazon.com
Coder logo

Coder

Coder Technologies, Inc.
Coder is an open source platform for creating and managing developer workspaces on your preferred clouds and servers. By building on top of common
github.com
Versions
7.2.0
7.1.2
Website
github.com
License
Last Updated
7/23/2025
  • with asdf-vm: asdf plugin-add aws-vault https://github.com/karancode/asdf-aws-vault.git && asdf install aws-vault

    • Documentation

    Config, usage, tips and tricks are available in the USAGE.md file.

    Vaulting Backends

    The supported vaulting backends are:

    • macOS Keychain
    • Windows Credential Manager
    • Secret Service (Gnome Keyring, KWallet)
    • KWallet
    • Pass
    • Encrypted file

    Use the --backend flag or AWS_VAULT_BACKEND environment variable to specify.

    Quick start

    # Store AWS credentials for the "jonsmith" profile
$ aws-vault add jonsmith
Enter Access Key Id: ABDCDEFDASDASF
Enter Secret Key: %%%

# Execute a command (using temporary credentials)
$ aws-vault exec jonsmith -- aws s3 ls
bucket_1
bucket_2

# open a browser window and login to the AWS Console
$ aws-vault login jonsmith

# List credentials
$ aws-vault list
Profile                  Credentials              Sessions
=======                  ===========              ========
jonsmith                 jonsmith                 -

# Start a subshell with temporary credentials
$ aws-vault exec jonsmith
Starting subshell /bin/zsh, use `exit` to exit the subshell
$ aws s3 ls
bucket_1
bucket_2

    How it works

    aws-vault uses Amazon's STS service to generate temporary credentials via the GetSessionToken or AssumeRole API calls. These expire in a short period of time, so the risk of leaking credentials is reduced.

    AWS Vault then exposes the temporary credentials to the sub-process in one of two ways

    1. Environment variables are written to the sub-process. Notice in the below example how the AWS credentials get written out 
      $ aws-vault exec jonsmith -- env | grep AWS
AWS_VAULT=jonsmith
AWS_DEFAULT_REGION=us-east-1
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=%%%
AWS_SECRET_ACCESS_KEY=%%%
AWS_SESSION_TOKEN=%%%
AWS_CREDENTIAL_EXPIRATION=2020-04-16T11:16:27Z
    2. Local metadata server is started. This approach has the advantage that anything that uses Amazon's SDKs will automatically refresh credentials as needed, so session times can be as short as possible. 
      $ aws-vault exec --server jonsmith -- env | grep AWS
AWS_VAULT=jonsmith
AWS_DEFAULT_REGION=us-east-1
AWS_REGION=us-east-1
AWS_CONTAINER_CREDENTIALS_FULL_URI=%%%
AWS_CONTAINER_AUTHORIZATION_TOKEN=%%%

    The default is to use environment variables, but you can opt-in to the local instance metadata server with the --server flag on the exec command.

    Roles and MFA

    Best-practice is to create Roles to delegate permissions. For security, you should also require that users provide a one-time key generated from a multi-factor authentication (MFA) device.

    First you'll need to create the users and roles in IAM, as well as setup an MFA device. You can then set up IAM roles to enforce MFA.

    Here's an example configuration using roles and MFA:

    [default]
region = us-east-1

[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile foo-readonly]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/ReadOnly

[profile foo-admin]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/Administrator
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role1]
source_profile = jonsmith
role_arn = arn:aws:iam::333333333333:role/Role1
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role2]
source_profile = bar-role1
role_arn = arn:aws:iam::333333333333:role/Role2
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

    Here's what you can expect from aws-vault

    CommandCredentialsCachedMFA
    aws-vault exec jonsmith --no-sessionLong-term credentialsNoNo
    aws-vault exec jonsmithsession-tokensession-tokenYes
    aws-vault exec foo-readonlyroleNoNo
    aws-vault exec foo-adminsession-token + rolesession-tokenYes
    aws-vault exec foo-admin --duration=2hroleroleYes
    aws-vault exec bar-role2session-token + role + rolesession-tokenYes
    aws-vault exec bar-role2 --no-sessionrole + roleroleYes

    Development

    The macOS release builds are code-signed to avoid extra prompts in Keychain. You can verify this with:

    $ codesign --verify --verbose $(which aws-vault)

    If you are developing or compiling the aws-vault binary yourself, you can generate a self-signed certificate by accessing Keychain Access > Certificate Assistant > Create Certificate -> Certificate Type: Code Signing. You can then sign your binary with:

    $ go build .
$ codesign --sign  ./aws-vault

    References and Inspiration

    • https://github.com/pda/aws-keychain
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
    • https://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users
    • https://github.com/makethunder/awsudo
    • https://github.com/AdRoll/hologram
    • https://github.com/realestate-com-au/credulous
    • https://github.com/dump247/aws-mock-metadata
    • https://boto.readthedocs.org/en/latest/boto_config_tut.html
    Amazon WorkSpaces logo

    Amazon WorkSpaces

    Amazon Web Services, Inc
    Amazon WorkSpaces plays nice with everyone. Access your personal Windows environment on Android, iOS, Fire, Mac, PC, Chromebook, and Linux devices.
    clients.amazonworkspaces.com
    Amazon WorkSpaces logo

    Amazon WorkSpaces

    Amazon Web Services, Inc
    Amazon WorkSpaces plays nice with everyone. Access your personal Windows environment on Android, iOS, Fire, Mac, PC, Chromebook, and Linux devices.
    clients.amazonworkspaces.com
    Amazon EC2Launch logo

    Amazon EC2Launch

    Amazon Web Services
    Use the EC2Launch v2 agent to perform tasks during EC2 Windows instance launch
    docs.aws.amazon.com
    Amazon EC2Launch logo

    Amazon EC2Launch

    Amazon Web Services
    Use the EC2Launch v2 agent to perform tasks during EC2 Windows instance launch
    docs.aws.amazon.com
    Amazon CloudWatch Agent logo

    Amazon CloudWatch Agent

    Amazon.com, Inc.
    The Amazon CloudWatch Agent enables you to do the following: - Collect more system-level metrics from Amazon EC2 instances across operating systems.
    docs.aws.amazon.com
    Amazon CloudWatch Agent logo

    Amazon CloudWatch Agent

    Amazon.com, Inc.
    The Amazon CloudWatch Agent enables you to do the following: - Collect more system-level metrics from Amazon EC2 instances across operating systems.
    docs.aws.amazon.com
    Amazon Athena ODBC Driver logo

    Amazon Athena ODBC Driver

    Amazon.com Services LLC
    Use an ODBC connection to connect to Athena from third-party SQL client tools and applications.
    docs.aws.amazon.com
    Amazon Athena ODBC Driver logo

    Amazon Athena ODBC Driver

    Amazon.com Services LLC
    Use an ODBC connection to connect to Athena from third-party SQL client tools and applications.
    docs.aws.amazon.com
    AWS Copilot CLI logo

    AWS Copilot CLI

    Amazon Web Services
    AWS Copilot is an open source command line interface that makes it easy for developers to build, release, and operate production ready containerized
    aws.github.io
    AWS Copilot CLI logo

    AWS Copilot CLI

    Amazon Web Services
    AWS Copilot is an open source command line interface that makes it easy for developers to build, release, and operate production ready containerized
    aws.github.io
    Pulumi logo

    Pulumi

    Pulumi Corp
    Pulumi CLI for managing modern infrastructure as code
    www.pulumi.com
    Pulumi logo

    Pulumi

    Pulumi Corp
    Pulumi CLI for managing modern infrastructure as code
    www.pulumi.com
    Secrets OPerationS logo

    Secrets OPerationS

    SOPS: Secrets OPerationS
    sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age,
    github.com
    Secrets OPerationS logo

    Secrets OPerationS

    SOPS: Secrets OPerationS
    sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age,
    github.com
    S3 Browser logo

    S3 Browser

    Netsdk Software FZE
    S3 Browser is a freeware Windows client for Amazon S3 and Amazon CloudFront. Amazon S3 provides a simple web services interface that can be used to
    s3browser.com
    S3 Browser logo

    S3 Browser

    Netsdk Software FZE
    S3 Browser is a freeware Windows client for Amazon S3 and Amazon CloudFront. Amazon S3 provides a simple web services interface that can be used to
    s3browser.com
    Kube Forwarder logo

    Kube Forwarder

    Pixel Point
    A tool for managing port forwarding configs for kubernetes clusters
    github.com
    Kube Forwarder logo

    Kube Forwarder

    Pixel Point
    A tool for managing port forwarding configs for kubernetes clusters
    github.com
    Kube Forwarder logo

    Kube Forwarder

    Pixel Point
    A tool for managing port forwarding configs for kubernetes clusters
    github.com
    Infracost logo

    Infracost

    Infracost
    Infracost lets engineers see a cost breakdown and understand costs before making changes to their Infrastructure as Code
    www.infracost.io
    Infracost logo

    Infracost

    Infracost
    Infracost lets engineers see a cost breakdown and understand costs before making changes to their Infrastructure as Code
    www.infracost.io
    Infracost logo

    Infracost

    Infracost
    Infracost lets engineers see a cost breakdown and understand costs before making changes to their Infrastructure as Code
    www.infracost.io
    Simba Athena ODBC Driver logo

    Simba Athena ODBC Driver

    Simba Technologies
    Use an ODBC connection to connect to Athena from third-party SQL client tools and applications.
    docs.aws.amazon.com
    Simba Athena ODBC Driver logo

    Simba Athena ODBC Driver

    Simba Technologies
    Use an ODBC connection to connect to Athena from third-party SQL client tools and applications.
    docs.aws.amazon.com
    Simba Athena ODBC Driver logo

    Simba Athena ODBC Driver

    Simba Technologies
    Use an ODBC connection to connect to Athena from third-party SQL client tools and applications.
    docs.aws.amazon.com