Good practice to manage secrets for AWS CLI

I don’t know about you, but we really love the AWS CLI. We are far from being scripting experts, but we consider the AWS CLI the simplest way to interact with AWS services, and we try to use it as much as possible in our daily work.

Until recently, there was one aspect that we didn’t particularly like: how the AWS CLI manages secrets. As you probably know, you can create many profiles, each with one access key and one secret key, and all of this information is stored in a plain text file. So we could say that it’s not the best security.
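To see which profiles on a machine still keep a secret key in that plain text file, here is an added example (not part of the original post) that parses a credentials file in the AWS CLI's INI format and reports findings without printing any secret. The sample file is constructed and the function name `audit_credentials` is hypothetical.

```python
import configparser
import os
import stat
import tempfile

# Access key ID prefixes: AKIA = long-term IAM user key, ASIA = temporary STS key.
KEY_KINDS = {"AKIA": "long-term", "ASIA": "temporary"}

# Constructed sample; the [default] values are AWS's published documentation examples.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructedSecretValueForIllustrationOnly
aws_session_token = constructedToken

[migrated]
# keys moved to the OS keystore, nothing left here
"""


def audit_credentials(path):
    """Return (profile, finding) tuples for an AWS CLI credentials file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("<file>", f"mode {mode:o} lets group/other users access it"))
    # The file is INI-style, one section per profile; Raw avoids '%' interpolation.
    parser = configparser.RawConfigParser()
    parser.read(path, encoding="utf-8")
    for profile in parser.sections():
        secret = parser.get(profile, "aws_secret_access_key", fallback="")
        if not secret:
            continue  # no secret stored for this profile
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        kind = KEY_KINDS.get(key_id[:4], "unknown-type")
        findings.append((profile, f"{kind} secret key stored in plain text"))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE)
        os.chmod(path, 0o644)  # deliberately loose, to show the file-level finding
        for profile, finding in audit_credentials(path):
            print(f"{profile}: {finding}")
```

Pointing `audit_credentials` at `~/.aws/credentials` audits a real machine; a profile whose keys have been moved out of the file, like `[migrated]` in the sample, produces no finding.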

But not long ago, we found a very interesting tool that lets us save secrets in the operating system’s keystore and was developed to integrate with the AWS CLI. The tool is called AWS Vault and can be found here.

What we liked about it:

  • Very easy to install (at least on macOS)
  • Good documentation
  • Integrates with IAM roles


We don’t think it’s necessary to add more about this tool. Just the usual advice: take a look, install it, play with it and leave a comment with your conclusions.

Happy cloud computing!

