How to Install AWS-Vault on Windows

AWS-Vault helps you keep AWS access keys out of plaintext files by storing them in Windows Credential Manager and minting short-lived sessions when you need the AWS CLI or Management Console.

This guide shows a clean Windows workflow for installing AWS-Vault, adding a base profile, assuming a role, and testing access. For the broader overview and sibling guides, start with AWS-Vault Guide: Install, Configure and Use It Securely.

Important: the original 99designs repository is marked abandoned. Before you standardise on AWS-Vault, review the current releases or active fork and compare it with IAM Identity Center for your organisation.

Prerequisites

  • A Windows workstation where you can install command-line tools.
  • An AWS IAM user or bootstrap profile that can assume the role you want to use.
  • AWS CLI v2 is installed and available on your path.
  • MFA is enabled for the account if your organisation requires it.

Install AWS-Vault on Windows

The upstream project documents Chocolatey and Scoop as the main Windows package manager options:

choco install aws-vault
scoop install aws-vault

After installation, open a new PowerShell or Command Prompt window and verify the binary is available:

aws-vault --version

Add a base profile

Create a base profile that stores your long-lived access key in Windows Credential Manager instead of a plaintext credentials file:

aws-vault add dev

You will be prompted for the AWS access key ID and secret access key for that bootstrap IAM user.

Configure a role profile

Edit %UserProfile%\.aws\config and add a role profile that points back to the stored base profile:

[profile dev-admin]
source_profile = dev
role_arn = arn:aws:iam::123456789012:role/DeveloperAccess
mfa_serial = arn:aws:iam::123456789012:mfa/your.name
region = eu-west-2

This keeps the reusable long-lived key in the Windows secure store while the role profile uses temporary credentials for day-to-day work.
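To confirm that state on a workstation, the PowerShell audit below (an added example, not part of the original guide or of AWS-Vault) flags static keys still present in the credentials or config file under %UserProfile%\.aws, and role profiles that lack source_profile or mfa_serial. The function name Test-AwsLocalConfig, the finding text and the sample files written to a temp directory are constructed for illustration.

```powershell
# Added example: Test-AwsLocalConfig and its finding strings are illustrative names.
function Test-AwsLocalConfig {
    param([string]$AwsDir = (Join-Path $env:USERPROFILE '.aws'))
    $findings = @()
    $keyPattern = '^\s*aws_(access_key_id|secret_access_key)\s*='

    # Static keys left in either file defeat the purpose of the vault.
    foreach ($file in 'credentials', 'config') {
        $path = Join-Path $AwsDir $file
        if (Test-Path $path) {
            foreach ($hit in Select-String -Path $path -Pattern $keyPattern) {
                $findings += "${file}:$($hit.LineNumber) plaintext key material"
            }
        }
    }

    # Parse config into profile name -> settings.
    $profiles = [ordered]@{}
    $current = $null
    $configPath = Join-Path $AwsDir 'config'
    if (Test-Path $configPath) {
        foreach ($line in Get-Content $configPath) {
            if ($line -match '^\s*\[(?:profile\s+)?([^\]]+)\]') {
                $current = $Matches[1].Trim()
                $profiles[$current] = @{}
            } elseif ($current -and $line -match '^\s*([a-z_]+)\s*=\s*(.*?)\s*$') {
                $profiles[$current][$Matches[1]] = $Matches[2]
            }
        }
    }

    # Role profiles should chain to a stored base profile and carry an MFA device.
    foreach ($name in $profiles.Keys) {
        $p = $profiles[$name]
        if (-not $p.ContainsKey('role_arn')) { continue }
        if (-not $p.ContainsKey('source_profile')) { $findings += "[$name] role_arn without source_profile" }
        if (-not $p.ContainsKey('mfa_serial')) { $findings += "[$name] no mfa_serial on role profile" }
    }
    $findings
}

# Constructed sample: a role profile missing mfa_serial plus a leftover credentials file.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'aws-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'config') "[profile dev]`n[profile dev-admin]`nsource_profile = dev`nrole_arn = arn:aws:iam::123456789012:role/DeveloperAccess"
Set-Content (Join-Path $demo 'credentials') "[dev]`naws_access_key_id = AKIA_CONSTRUCTED_EXAMPLE`naws_secret_access_key = constructed-not-a-real-secret"
Test-AwsLocalConfig -AwsDir $demo
```

Call Test-AwsLocalConfig with no arguments to audit the real %UserProfile%\.aws directory; an empty result means no findings.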

Test AWS CLI access

Run a simple STS call through AWS-Vault to confirm your role configuration works:

aws-vault exec dev-admin -- aws sts get-caller-identity

If MFA is configured, AWS-Vault will prompt for the token before creating the session.

Open the AWS Management Console

To launch a short-lived console session in your browser, run:

aws-vault login dev-admin

This is useful when you want browser access without manually copying credentials into the console.

Windows-specific tips

  • AWS-Vault uses Windows Credential Manager by default, so protect your local Windows account with a strong password and full-disk encryption.
  • If PowerShell cannot find aws-vault after installation, close the shell and start a new session so the path updates are picked up.
  • Use aws-vault list to see stored profiles and aws-vault remove dev to delete one you no longer use.

When to choose IAM Identity Center instead

If your organisation already uses Microsoft Entra ID, Okta, or another central identity provider for workforce access, IAM Identity Center is often the better long-term default. AWS-Vault is most useful for local developer and administrator workflows that still rely on IAM-user bootstrap credentials and role assumption.

Richard Bailey

Richard Bailey is the founder of TurboGeek and has spent more than a decade working across Windows Server, Linux, virtualization, cloud infrastructure and automation. He writes hands-on technical guides for sysadmins, engineers and IT teams, with a focus on clear instructions, practical troubleshooting and real-world infrastructure work.
