awscli

Local README excerpt

Automic Vault aws-cli Isotope

The isotope now uses AWS' native credential_process protocol instead of placing AWS secrets in the aws process environment.

Implementation

Migration moves plain text keys from ~/.aws/credentials to the Keychain and installs this non-secret config in ~/.aws/config:

[default]
    credential_process = /usr/local/bin/av credential-helper aws

The installed /opt/awscli/bin/aws launcher runs AWS Python in isolated mode and mints a short-lived AUTOMIC_VAULT_CREDENTIAL_HELPER_TOKEN for the AWS process. The helper only answers when that token is present and the parent process is the root-controlled AWS launcher path running under isolated Python, so unrelated processes cannot call the helper directly to retrieve credentials and cannot use PYTHONPATH/sitecustomize injection to make AWS Python call it. The isotope also disables AWS CLI legacy external plugins because those plugins run as Python code inside the credential-approved AWS process.

aws config export-credentials is approval gated before it can print the credential-process result, including invocations with AWS global options before the config command.

Detection also treats aws login cache files under ~/.aws/login/cache as plain text credentials. Migration warns when those files are present because this isotope cannot safely migrate the result of aws login.

Caveats

We assume a single profile and user. If you have more complex credential requirements you should use brew:aws-vault-binary instead. It’s more cumbersome but also more capable.

AWS CLI legacy external plugins configured under [plugins] are intentionally disabled. If your workflow depends on them, use non-isotoped brew:awscli or a dedicated credential manager.

Source: data/radioisotopes/aws-cli/README.md