How to Install AWS-Vault on Linux
AWS-Vault helps Linux users avoid leaving AWS access keys in plaintext files by storing credentials in a supported secure backend and then creating short-lived sessions for the AWS CLI or console.
On Linux, the main decision is not just how to install the binary but which backend you want to use for secret storage. This guide covers both parts. For the broader overview and sibling guides, start with AWS-Vault Guide: Install, Configure and Use It Securely.
Important: the original 99designs repository is marked abandoned. Before you standardise on AWS-Vault, review the current releases or active fork and compare it with IAM Identity Center for your organisation.
Prerequisites
- A Linux workstation or admin host with network access to AWS APIs.
- An AWS IAM user or bootstrap profile that can assume the roles you need.
- AWS CLI v2 installed and working.
- A secure backend such as Secret Service, pass, or another supported Linux keyring option.
Install AWS-Vault on Linux
The upstream project documents several Linux-friendly installation paths. The most common are:
brew install aws-vault
sudo pacman -S aws-vault
sudo zypper install aws-vault
nix-env -i aws-vault
If your distribution does not package AWS-Vault, download the current release binary from the project releases page and place it on your path.
After installation, verify the command is available:
aws-vault --version
Choose the right backend
On desktop Linux systems, AWS-Vault can use a graphical keyring backend such as Secret Service. On headless or minimal systems, many teams prefer pass. If you need to force a backend, export it before running AWS-Vault:
export AWS_VAULT_BACKEND=pass
Make sure the backend you choose is already configured and unlocked for the user running the command.
Add a base profile
Store the bootstrap AWS IAM user in the secure backend:
aws-vault add dev
Configure a role profile
Edit ~/.aws/config and define the role profile you want to use day to day:
[profile dev-admin]
source_profile = dev
role_arn = arn:aws:iam::123456789012:role/DeveloperAccess
mfa_serial = arn:aws:iam::123456789012:mfa/your.name
region = eu-west-2
Test AWS CLI access
Run a simple STS identity call through AWS-Vault:
aws-vault exec dev-admin -- aws sts get-caller-identity
This is the most important validation step because it confirms the profile, role assumption, MFA, and backend are all working together.
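A static check that complements the STS call, added here as an example and not part of AWS-Vault or the original guide: it confirms a role profile in the AWS config file carries source_profile, role_arn and mfa_serial, and that no long-lived secret key is left in the plaintext credentials file. The function names are this example's own, and the default file locations are assumed to be ~/.aws/config and ~/.aws/credentials unless the standard AWS CLI environment variables override them.

```bash
#!/usr/bin/env bash
# Added example: static audit of AWS CLI files once keys live in aws-vault.
# Function names are this example's own, not aws-vault commands.

# Print the value of KEY inside "[profile NAME]" of an AWS config file.
# (The default profile uses a bare "[default]" header and is not handled.)
profile_value() {  # usage: profile_value CONFIG NAME KEY
  awk -v want="[profile $2]" -v key="$3" '
    { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
    line ~ /^\[/ { in_section = (line == want); next }
    in_section {
      split(line, kv, "=")
      gsub(/[ \t]/, "", kv[1])
      if (kv[1] == key) {
        sub(/^[^=]*=[ \t]*/, "", line)
        print line
        exit
      }
    }' "$1"
}

# Return 0 only if the role profile sets every key the guide's example uses.
check_role_profile() {  # usage: check_role_profile CONFIG NAME
  crp_rc=0
  for crp_key in source_profile role_arn mfa_serial; do
    if [ -z "$(profile_value "$1" "$2" "$crp_key")" ]; then
      echo "profile $2: missing $crp_key" >&2
      crp_rc=1
    fi
  done
  return "$crp_rc"
}

# Return 0 if the credentials file holds no long-lived secret in plaintext.
no_plaintext_keys() {  # usage: no_plaintext_keys CREDENTIALS_FILE
  [ -f "$1" ] || return 0   # no file at all is the desired state
  ! grep -Eiq '^[[:space:]]*aws_secret_access_key[[:space:]]*=' "$1"
}

# Audit the real files only when a profile name is passed as $1.
if [ -n "${1:-}" ]; then
  check_role_profile "${AWS_CONFIG_FILE:-$HOME/.aws/config}" "$1"
  no_plaintext_keys "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" ||
    echo "plaintext secret key found in credentials file" >&2
fi
```

Save it as a script and pass the role profile name, for example dev-admin, as the first argument.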
Open the AWS Management Console
On a desktop Linux machine, you can also launch a short-lived console session in the browser:
aws-vault login dev-admin
On headless servers, aws-vault exec is usually the more practical workflow.
Linux-specific tips
- If AWS-Vault cannot talk to your keyring, confirm the backend is installed and unlocked for your login session.
- If you use pass, make sure the password store is initialised before running AWS-Vault.
- Use aws-vault list to check stored profiles and aws-vault remove dev to remove one safely.
When to choose IAM Identity Center instead
If you are rolling out access for a larger workforce across multiple AWS accounts, IAM Identity Center is often the cleaner default. AWS-Vault is best treated as a local operator tool for CLI-heavy workflows that still start with IAM-user bootstrap credentials.
