aws-vault

aws-vault stores AWS IAM credentials in your operating system's secure keystore (macOS Keychain, Windows Credential Manager, Linux secret service) and generates temporary credentials via STS when needed. It never writes long-term credentials to disk (~/.aws/credentials), eliminating a common credential theft vector. aws-vault supports MFA prompting, role assumption chains, credential rotation, and session duration configuration. It integrates with any CLI tool that uses AWS environment variables, making it a transparent security layer. For offensive security, it enables safe management of multiple AWS profiles during cloud penetration testing.