AWS CLI Credential Process

Protect your AWS Access Keys with Keeper Secrets Manager

About

By default, the AWS CLI uses credentials stored in plaintext in ~/.aws/credentials. With this credential process, you can now use the Keeper Vault to store your AWS credentials, removing the need to have them on disk.

Instead, the AWS CLI will use this executable to securely fetch your AWS credentials from your Vault using the Keeper Secrets Manager (KSM).

Features

  • Use a vaulted AWS Access Key to authenticate to the AWS CLI.

Prerequisites

In order to utilize this integration, you will need:

Setup

Vault

The first step in the setup of the integration is to add your AWS Access Key ID and your Secret Access Key to a record in your Vault. There is no built-in record type for this kind of secret; however, you can create a custom record type for this purpose alone.

In order to create new custom Record Types, the user must be in an Administrative role with the "Manage Record Types in Vault" permission activated.

Note: Field names are case-sensitive.

Once you have created your custom record type, you can use it to create a record for your AWS Access Key. This record should be stored in a shared folder that your KSM application has permission to access.

Once safely stored, you can delete the Access Key credentials from your AWS credential file.

KSM

The integration expects a KSM Application Configuration file at either .config/keeper/aws-credential-process.json or aws-credential-process.json relative to the user's home directory. The KSM application must have access to a Shared Folder containing the required AWS Access Key record.

For help in obtaining a KSM configuration in JSON format, follow these instructions. After creating a new device, get the corresponding config.json and copy it into the user's home folder as aws-credential-process.json.

AWS Config

Download the latest version of the keeper-aws-credential-process executable from the GitHub releases page and store that in a convenient location.

Now in your AWS configuration file, which is usually located at ~/.aws/config, add the following line to any profile you are using via the CLI.

# Add the UID for your AWS Access Key
#credential_process = /path/to/keeper-aws-credential-process --uid <Record UID>
credential_process = /opt/keeper-aws-credential-process-v0.1.1_linux_amd64 --uid <Record UID>

Make sure no residual AWS CLI credential configuration is left on the machine (for example a leftover ~/.aws/credentials file), because it may be picked up automatically, or used instead of the vaulted key if the credential process is misconfigured.
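As an added example (not part of the Keeper project or this page), the following Python check looks for exactly that residual-credential problem: it parses ~/.aws/config and ~/.aws/credentials (constructed sample contents are embedded inline) and reports leftover static keys that the AWS CLI would consult before the credential_process setting, since environment variables and the credentials file take precedence over the config file for the same profile. The record UIDs and key values in the samples are placeholders.

```python
import configparser
from typing import Dict, List

# Constructed sample files (not from the page): the default profile was switched to
# the Keeper credential process, but its old static key was never deleted.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
credential_process = /opt/keeper-aws-credential-process-v0.1.1_linux_amd64 --uid EXAMPLE_RECORD_UID
[profile ci]
region = eu-west-1
credential_process = /opt/keeper-aws-credential-process-v0.1.1_linux_amd64 --uid EXAMPLE_RECORD_UID
"""
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = constructed-example-secret
"""
STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")
ENV_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def _profile_name(section: str) -> str:
    # ~/.aws/config prefixes non-default profiles with "profile "; ~/.aws/credentials does not.
    return section[len("profile "):] if section.startswith("profile ") else section


def find_residual_credentials(config_text: str, credentials_text: str,
                              env: Dict[str, str]) -> List[str]:
    """One warning per leftover static credential that the CLI would use before credential_process."""
    config = configparser.ConfigParser()
    config.read_string(config_text)
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    warnings: List[str] = []
    leftover_env = [k for k in ENV_KEYS if env.get(k)]
    if leftover_env:  # environment variables are consulted before any profile setting
        warnings.append("environment: " + ", ".join(leftover_env) + " override every profile")
    process_profiles = {_profile_name(s) for s in config.sections()
                        if config.has_option(s, "credential_process")}
    # Static keys in the credentials file are read before credential_process in the config file.
    for section in creds.sections():
        name = _profile_name(section)
        leftover = [k for k in STATIC_KEYS if creds.has_option(section, k)]
        if name in process_profiles and leftover:
            warnings.append(f"profile '{name}': {', '.join(leftover)} in the credentials file "
                            "shadow credential_process; delete them")
    return warnings
```

Run it against the real files by passing their contents and `dict(os.environ)`; an empty list means the Keeper credential process is the only source of credentials for those profiles.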

Usage

Once configured as above, the AWS CLI will automatically fetch your authentication credentials from the Keeper Vault. You can test that it works by running any CLI command for which your IAM role has the appropriate permissions, such as:

# List all s3 buckets
aws s3 ls

If the command completes without error, congratulations, you are now fully set up.

Feature Request / Report an Issue

This Credential Process is open source and can be found on GitHub. If you need to report a bug or would like to request a feature to support more authentication use cases, please create a GitHub issue.
