aws vault

Store AWS credentials in the OSX Keychain or an encrypted file


Automate AWS credential management and MFA sessions


Key Features

  • Manage multiple AWS profiles with different roles and MFA serial numbers
  • Switch between profiles using a simple command-line interface
  • Automatically cache credentials for session tokens
  • Support for custom MFA devices

Configuration Example

[default]
region = us-east-1

[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile foo-readonly]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/ReadOnly

[profile foo-admin]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/Administrator
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role1]
source_profile = jonsmith
role_arn = arn:aws:iam::333333333333:role/Role1
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

[profile bar-role2]
source_profile = bar-role1
role_arn = arn:aws:iam::333333333333:role/Role2
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith

Commands and Credentials

Command                                  Credentials                   Cached         MFA
aws-vault exec jonsmith --no-session     Long-term credentials         No             No
aws-vault exec jonsmith                  Session-token                 Session-token  Yes
aws-vault exec foo-readonly              Role                          No             No
aws-vault exec foo-admin                 Session-token + Role          Session-token  Yes
aws-vault exec foo-admin --duration=2h   Role                          Role           Yes
aws-vault exec bar-role2                 Session-token + Role + Role   Session-token  Yes
aws-vault exec bar-role2 --no-session    Role + Role                   Role           Yes
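As an added worked example (not aws-vault's own code), the following Python parses the configuration above and reproduces the rules of this table: it walks the source_profile chain, counts the role hops, and reports which credentials reach the child process, what gets cached, and whether an MFA token is prompted for. It assumes that only the target profile's own mfa_serial triggers MFA and that a --duration above one hour disables the session-token step, as the foo-admin --duration=2h row shows.

```python
import configparser

# Constructed copy of the configuration example above (sample input only).
AWS_CONFIG = """\
[profile jonsmith]
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith
[profile foo-readonly]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/ReadOnly
[profile foo-admin]
source_profile = jonsmith
role_arn = arn:aws:iam::22222222222:role/Administrator
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith
[profile bar-role1]
source_profile = jonsmith
role_arn = arn:aws:iam::333333333333:role/Role1
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith
[profile bar-role2]
source_profile = bar-role1
role_arn = arn:aws:iam::333333333333:role/Role2
mfa_serial = arn:aws:iam::111111111111:mfa/jonsmith
"""

def load_profiles(text):
    """Parse AWS config text into {profile_name: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s.removeprefix("profile "): dict(cp[s]) for s in cp.sections()}

def resolve(profiles, name, no_session=False, duration_hours=1):
    """What `aws-vault exec <name>` hands out: (credentials, cached, mfa),
    following the rules of the table above (this is a model, not aws-vault)."""
    hops, p = 0, profiles[name]
    while "role_arn" in p:                      # walk the source_profile chain
        hops += 1
        if hops > len(profiles):                # guard against a cyclic chain
            raise ValueError(f"source_profile cycle at {name}")
        p = profiles[p["source_profile"]]
    has_mfa = "mfa_serial" in profiles[name]    # only the target's own serial counts
    if hops == 0:                               # plain credentials profile
        if no_session:
            return ("Long-term credentials", "No", "No")
        return ("Session-token", "Session-token", "Yes" if has_mfa else "No")
    # Role profile: an MFA session token is fetched first (and cached) only with an
    # mfa_serial, no --no-session, and a duration within the assumed 1h chaining limit.
    use_session = has_mfa and not no_session and duration_hours <= 1
    creds = " + ".join((["Session-token"] if use_session else []) + ["Role"] * hops)
    cached = "Session-token" if use_session else ("Role" if has_mfa else "No")
    return (creds, cached, "Yes" if has_mfa else "No")

PROFILES = load_profiles(AWS_CONFIG)
```

Rows whose Credentials column reads Long-term credentials hand the raw access key to the child process; every other row passes only STS-issued temporary credentials.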

Development

  • macOS release builds are code-signed to avoid extra prompts in Keychain
  • Verify the signature with: codesign --verify --verbose $(which aws-vault)
  • Generate a self-signed certificate using Keychain Access > Certificate Assistant > Create Certificate
  • Sign your binary with: go build . && codesign --sign <Name of certificate> ./aws-vault