AWS Vault

The aws-vault command line tool by 99 Designs is a utility for securely storing and accessing encrypted AWS credentials for use in development environments. This tool makes it extremely easy to work with IAM assumed roles across multiple AWS organizations.


aws-vault is unrelated to HashiCorp Vault.


  • Encrypted vault for IAM credentials (OSX KeyChain or file)
  • IAM Metadata server (mocks the EC2 API) to simulate instance profiles for local development
  • Prompts for MFA Token
  • Variable-length session TTLs
  • Compatible with ~/.aws/config
  • Automatic logins to AWS Web Console


This has been incorporated into our latest release of geodesic.


You can install aws-vault locally, allowing you to authenticate to AWS and run AWS CLI commands.

OSX Installation

brew cask install aws-vault

Linux Installation (binary)

Download the precompiled binary from the GitHub releases page, unless a package exists for your distro.

sudo curl -L -o /usr/local/bin/aws-vault
sudo chmod 755 /usr/local/bin/aws-vault

Local Configuration

We recommend the file backend for aws-vault because it works on Linux, which Geodesic sessions require.

Add the following to your ~/.bashrc:

export AWS_VAULT_BACKEND="file"

Then source ~/.bashrc to update your current session.

  1. Generate an IAM Access Key ID/Secret on your AWS root account via the IAM management page in the AWS Console.


Do not define the source profile in ~/.aws/credentials; we’re going to use aws-vault add for that.

  2. Using the IAM Access Key ID/Secret generated in Step 1, add the source_profile:

    $ aws-vault add example
  3. Add the source_profile created in Step 2 to your ~/.aws/config.

    [profile example]
  4. Set up your ~/.aws/config by adding a profile entry for each AWS account:


    Remember to replace the $aws_account_ids with your account IDs and [email protected] with your IAM username below. We recommend using email addresses for all IAM user accounts associated with human users.

    [profile example-staging-admin]
    mfa_serial=arn:aws:iam::$aws_account_id_for_root:mfa/[email protected]
  5. Test that it is all set up properly:

    $ aws-vault login example-staging-admin

This should open a browser and log you into the AWS console as the assumed role example-staging-admin.

Using with Geodesic

aws-vault is available in the geodesic shell. To start the shell, run:


Add your profile to AWS Vault

Now we are ready to configure your AWS credentials. To add your AWS credentials to the encrypted vault run the following command. Remember to replace example with your source profile name.

aws-vault add example


Most problems stem from misconfiguration.

  • Do not define a [default] profile in ~/.aws/credentials or [profile default] in ~/.aws/config
  • Do not set AWS_SDK_LOAD_CONFIG

If using --server mode, ensure the following credentials are not exported:


Because --server mode binds a local IP address to mock the AWS metadata server, only one such aws-vault process can run per host machine. More info can be found here.


Use unset to delete each of the above variables from your environment and ensure they aren’t exported in your ~/.bashrc or ~/.profile.
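As an added example (not code from aws-vault, geodesic or this page), a POSIX shell preflight check that enforces the setup rules above: no [default] or [profile default] section, AWS_SDK_LOAD_CONFIG unset, the file backend selected, and every source_profile referenced in ~/.aws/config defined as its own profile. The file paths and profile names are assumptions.

```shell
# Preflight check for the aws-vault layout described above (added example,
# not part of aws-vault or geodesic). Assumes the standard ~/.aws/config and
# ~/.aws/credentials files; profile names in any test input are made up.
#
# Usage: check_aws_vault_setup <config-file> <credentials-file>
# Returns 0 when the layout looks right, 1 with one message per problem.
check_aws_vault_setup() {
  cfg="$1"
  creds="$2"
  rc=0

  # A [default] section in either file hands the SDK static credentials that
  # bypass the vault, so neither file may contain one.
  if [ -f "$creds" ] && grep -q '^\[default\]' "$creds"; then
    echo "remove the [default] section from $creds"; rc=1
  fi
  if [ -f "$cfg" ] && grep -q '^\[profile default\]' "$cfg"; then
    echo "remove the [profile default] section from $cfg"; rc=1
  fi

  # Environment: AWS_SDK_LOAD_CONFIG must be unset, the file backend selected.
  if [ -n "${AWS_SDK_LOAD_CONFIG+set}" ]; then
    echo "unset AWS_SDK_LOAD_CONFIG"; rc=1
  fi
  if [ "${AWS_VAULT_BACKEND:-}" != "file" ]; then
    echo "export AWS_VAULT_BACKEND=file (needed for geodesic sessions)"; rc=1
  fi

  # Every source_profile referenced by an assumed-role profile must itself be
  # a [profile ...] section in the config, or the role cannot be assumed.
  if [ -f "$cfg" ] && ! awk -F'=' '
      /^\[profile / { p=$0; sub(/^\[profile /,"",p); sub(/\][ \t]*$/,"",p); defined[p]=1 }
      /^[ \t]*source_profile[ \t]*=/ { v=$2; gsub(/[ \t]/,"",v); refs[v]=1 }
      END {
        for (s in refs) if (!(s in defined)) {
          print "source_profile " s " has no [profile " s "] section"; bad=1
        }
        exit bad
      }' "$cfg"; then
    rc=1
  fi
  return $rc
}
```

Run it against your own files with `check_aws_vault_setup "$HOME/.aws/config" "$HOME/.aws/credentials"` after sourcing ~/.bashrc so the exported variables are visible.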