Question 1

How do I set up aws-vault with MFA on AWS?

Accepted Answer

Configure your AWS profile in ~/.aws/config with mfa_serial and role_arn, then use aws-vault exec with the profile. The README includes an example setup for roles and MFA.

Question 2

Is aws-vault safer than storing AWS keys in environment variables?

Accepted Answer

Yes, because it stores long-term keys securely in OS keystores and generates temporary credentials, reducing leakage risk compared to plain environment variables with static keys.

Question 3

aws-vault vs AWS SDK default credential provider: which is better for development?

Accepted Answer

aws-vault is superior for local security as it manages credential lifecycle, while the SDK provider chain is broader; use aws-vault to feed secure credentials into the SDK via environment variables or metadata server.

Question 4

Can I use aws-vault in a CI/CD pipeline?

Accepted Answer

It's challenging due to its interactive nature; for automation, consider alternatives like IAM roles for CI services or using the encrypted file backend with careful key injection.

Question 5

What happens when aws-vault credentials expire?

Accepted Answer

Short-lived sessions require re-running aws-vault exec, but the --server flag with a local metadata server allows SDKs to auto-refresh credentials for longer workflows.

Question 6

Does aws-vault support cross-account AWS roles?

Accepted Answer

Yes, it handles role chaining as shown in the README's bar-role2 profile example, enabling complex multi-account scenarios.

aws-vault

What is aws-vault?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions