Automic VaultAutomic Vault

brew / protected-tool coverage / approval gates

Install awscli with Homebrew, chocolatey, apt, dnf, Nix, zypper, scoop

Official Amazon AWS command-line interface. Version 2.35.16 via Homebrew; verified 2026-07-06.

agent safety

Agent safety answer

awscli is a cloud-control CLI for AWS accounts, so agent runs should treat it as high-authority infrastructure access.

Credential access

Reads AWS profiles, SSO cache, credential files, and environment credentials.

Remote mutation

Can create, delete, and reconfigure AWS resources across many services.

Publish/artifact risk

Can upload artifacts, deploy functions, and change release infrastructure.

Recommended control

Use protected AWS credential helpers and approval gates for mutating commands.

Agent-use guidance

Permit read-only inspection by default; require human approval for writes, deletes, credential export, and deploys.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install awscli

local Homebrew formula metadata

Linux

Debian aptverified · 92%
sudo apt install awscli

Debian stable package indexes · awscli · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install awscli2

Fedora Rawhide package metadata · awscli2 · source: dl.fedoraproject.org

Nixverified · 92%
nix profile install nixpkgs#awscli

nixpkgs package indexes · pkgs/by-name/aw/awscli/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install aws-cli

openSUSE Tumbleweed package metadata · aws-cli · source: download.opensuse.org

overview

Package summary

Official Amazon AWS command-line interface

Commands and aliases

  • aws
  • aws_completer

history

Project history and usage

AWS CLI is Amazon Web Services' official command-line interface, packaging AWS service APIs behind a single `aws` executable for shell use, automation, and repeatable cloud operations. For package-manager users, the modern `awscli` formula tracks AWS CLI v2, while the legacy v1 line is packaged separately as `awscli@1`.

Project history

The public `aws/aws-cli` repository was created in November 2012 and the 1.0.0 tag was cut in September 2013. Version 1 established the familiar Python-based command structure, shared AWS config and credentials files, profiles, output formats, and generated service commands that made AWS automation feel like a regular Unix tool.

AWS CLI v2 was previewed publicly with the `2.0.0dev0` tag in November 2018 and tagged 2.0.0 in February 2020. The v2 package became the preferred install target for the main AWS CLI docs and Homebrew formula, while v1 continued as a compatibility line for workflows pinned to the Python package ecosystem or older behavior.

Adoption history

The AWS CLI became infrastructure plumbing because it is the AWS-native denominator shared by developers, CI jobs, shell scripts, and operational runbooks. Its adoption tracks both AWS service growth and package-manager culture: Homebrew, Linux distro packages, Chocolatey, Scoop, Nix, and vendor installers all expose an `aws` command that users expect to be available on fresh machines.

AWS announced a v1 maintenance transition in 2024: v1 enters maintenance mode on February 1, 2026, reaches end-of-support on July 31, 2027, and users are directed toward v2 for ongoing feature work. That split is why package collections commonly carry both `awscli` and an explicit v1 package.

How it is used

Common usage is interactive and scripted: configure credentials with `aws configure`, select profiles with `--profile` or `AWS_PROFILE`, call service subcommands such as `aws s3`, `aws ec2`, and `aws sts`, and pipe JSON output through tools like `jq`. The shared config file normally lives at `~/.aws/config`, while long-lived credentials and session material normally live at `~/.aws/credentials`.

The CLI also serves as an authentication substrate for other tools in this batch. awscurl, awslogs, and AWSume all either read the same shared files or help produce/export credentials used by the AWS CLI and SDK credential chain.

Why package nerds care

AWS CLI is a packaging stress test: it has high release velocity, a large generated command surface, platform-specific installers, shell completion, and a v1/v2 compatibility split. Package maintainers care about it because many downstream tools assume the `aws` executable exists, while users care about whether their package manager delivers v2, legacy v1, or both.

It is also one of the clearest examples of cloud vendors turning APIs into package-manager-distributed command-line infrastructure. Installing `awscli` is often the first step in bootstrapping an AWS workstation or CI image.

Timeline

  • 2012: Public GitHub repository `aws/aws-cli` created.
  • 2013: AWS CLI 1.0.0 tag cut.
  • 2018: AWS CLI v2 developer preview tag `2.0.0dev0` published.
  • 2020: AWS CLI v2 2.0.0 tag cut.
  • 2026: AWS CLI v1 scheduled to enter maintenance mode on February 1.
  • 2027: AWS CLI v1 scheduled to reach end-of-support on July 31.

Related projects

  • AWS CLI v1 is the legacy major line packaged by Homebrew as `awscli@1`.
  • AWS SDK for Python (Boto3/Botocore) supplies the Python AWS client and model ecosystem that underpins much of the v1-era command generation.
  • awscurl, awslogs, and AWSume are companion command-line tools that reuse AWS credentials, profiles, or service semantics.

protected-tool coverage

Plain Text Secrets

`aws` stores credentials as plaintext at ~/.aws/credentials. Our isotope securely locks them in the macOS keychain such that only the root-controlled `aws` launcher running isolated Python can retrieve them through AWS' native credential_process protocol. External AWS CLI legacy plugins are detected and blocked before AWS CLI starts because they can run inside that credential-approved process. Explicit `aws configure export-credentials` output and other AWS commands that can print credentials, authentication tokens, private keys, decrypted secrets, or signed capability URLs are approval gated in the launcher before AWS CLI code runs. Both `aws configure export-credentials` and the shorter `aws config export-credentials` spelling are gated.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 2 runtime dependencies.
  • Build metadata lists 1 build dependencies.

Local README excerpt

Automic Vault aws-cli Protected tool

The protected tool now uses AWS' native credential_process protocol instead of placing AWS secrets in the aws process environment.

Implementation

Migration moves plain text keys from ~/.aws/credentials to the Keychain and installs this non-secret config in ~/.aws/config:

[default]
credential_process = /usr/local/bin/av credential-helper aws

The installed /opt/awscli/bin/aws launcher runs AWS Python in isolated mode and mints a short-lived AUTOMIC_VAULT_CREDENTIAL_HELPER_TOKEN for the AWS process. The helper only answers when that token is present and the parent process is the root-controlled AWS launcher path running under isolated Python, so unrelated processes cannot call the helper directly to retrieve credentials and cannot use PYTHONPATH/sitecustomize injection to make AWS Python call it. The launcher refuses to run when AWS CLI legacy external plugins are configured because those plugins run as Python code inside the credential-approved AWS process.

Commands that can print credentials, authentication tokens, private keys, decrypted secrets, or signed capability URLs are approval gated in the launcher before AWS CLI code runs. That includes aws configure export-credentials and the shorter aws config export-credentials spelling, temporary-credential APIs such as STS, SSO, IAM, Cognito identity, Lake Formation, S3 Control, and service-specific credential issuers; service login tokens such as ECR, CodeArtifact, RDS, and EKS; decrypted secret reads from Secrets Manager, SSM with --with-decryption, KMS, and ACM; and S3 presigned URLs. The launcher recognizes AWS global options before or between the service and operation tokens.

Detection also treats aws login cache files under ~/.aws/login/cache as plain text credentials. Migration warns when those files are present because this protected tool cannot safely migrate the result of aws login.

Caveats

We assume a single profile and user. If you have more complex credential requirements you should use brew:aws-vault-binary instead. It’s more cumbersome but also more capable.

AWS CLI legacy external plugins configured under [plugins] are not supported. The detector reports them and the launcher refuses to run until they are removed. If your workflow depends on them, use non-protected toold brew:awscli or a dedicated credential manager.

Source: local coverage notes

Coverage source

Local secret-handling manifest

Caveats

  • We only support console allocated key/secret pairs.
  • We do not support `aws login` derived creds (PR welcome!). Note that if you authenticate in this manner we will continue to (correctly) report it as a secrets-hazard.
  • We do not support multiple profiles (use `brew:aws-vault-binary`)
  • We refuse to run AWS CLI while legacy external plugins are configured under `[plugins]`.

approval gates

Human review metadata for risky commands

The local approval-gate seed includes 8 rules for awscli. Covered entrypoints: aws. Severity labels: critical, high. Coverage: partial, reviewed 2026-05-21.

Example gated actions

  • Export AWS credentials to stdout or process environment formats.
  • Assume an AWS role and receive temporary credentials.
  • Read and print a secret from AWS Secrets Manager.
  • Delete S3 objects or buckets.
  • Recursively mutate S3 objects.
  • Create, update, or delete IAM access keys.
  • Create, update, deploy, or delete CloudFormation stacks.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
~/.aws/config
Windows
%USERPROFILE%\.aws\config

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
~/.aws/credentials
Windows
%USERPROFILE%\.aws\credentials

executables

Installed executables

CommandKindExposureNote
awscliglobal executable
aws_completercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-07
manager version2.35.16
manager updated2026-07-06
local dataok
upstreamcurrent
latest detected2.35.16

https://github.com/aws/aws-cli

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:awscli
Version2.35.16
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/awscli
Homepagehttps://aws.amazon.com/cli/
Repositoryhttps://github.com/aws/aws-cli
Upstream docshttps://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html
LicenseApache-2.0
Source archivehttps://github.com/aws/aws-cli/archive/refs/tags/2.35.16.tar.gz
Last updated2026-07-06T22:31:05Z
Pulseupdated
Dependenciesopenssl@3, python@3.14
Build dependenciescmake
Uses from macOSlibffi, mandoc
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared
CaveatsThe "examples" directory has been installed to: $HOMEBREW_PREFIX/share/awscli/examples

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameawscli
Aliases
  • awscli@2
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

awscli 2.23.6-1

Unified command line interface to Amazon Web Services

https://github.com/aws/aws-cli

sudo apt install awscli
  • Section: admin
  • Architecture: all
  • 15 dependencies
  • normalized package name match
  • Matched by: Awscli
Debian stable package indexes · deb.debian.org · Debian stable package indexes: awscli from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

awscli

nix profile install nixpkgs#awscli
  • normalized package name match
  • Matched by: Awscli
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/aw/awscli/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
dnf95%

awscli2 2.34.29-2.fc45

Universal Command Line Environment for AWS, version 2

https://github.com/aws/aws-cli/tree/v2

sudo dnf install awscli2
  • License: Apache-2.0 AND MIT
  • Category: Unspecified
  • Architecture: noarch
  • Source Package: awscli2
  • 3 dependencies
  • 6 provides
  • normalized package name match
  • Matched by: Awscli
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: awscli2 from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
zypper95%

aws-cli 1.44.51-1.1

Amazon Web Services Command Line Interface

https://github.com/aws/aws-cli

sudo zypper install aws-cli
  • License: Apache-2.0
  • Category: System/Management
  • Architecture: noarch
  • Source Package: aws-cli
  • 6 dependencies
  • 5 provides
  • normalized package name match
  • Matched by: Awscli
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: aws-cli from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
Chocolatey95%

awscli

choco install awscli
  • normalized package name match
  • Matched by: Awscli
Chocolatey community package catalog · community.chocolatey.org · Chocolatey community package catalog: awscli from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','autodesk-fusion360'
dnf92%

aws 26.0.0-4.fc45

The Ada Web Server

https://github.com/AdaCore/aws

sudo dnf install aws
  • License: (GPL-3.0-or-later WITH GCC-exception-3.1 OR GPL-3.0-or-later WITH GNAT-exception) AND GPL-2.0-or-later WITH GNAT-exception
  • Category: Unspecified
  • Architecture: i686
  • Source Package: aws
  • 17 dependencies
  • 3 provides
  • installed executable or alias match
  • Matched by: Aws
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: aws from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
dnf92%

aws-devel 26.0.0-4.fc45

Development files for the Ada Web Server

https://github.com/AdaCore/aws

sudo dnf install aws-devel
  • License: (GPL-3.0-or-later WITH GCC-exception-3.1 OR GPL-3.0-or-later WITH GNAT-exception) AND GPL-2.0-or-later WITH GNAT-exception
  • Category: Unspecified
  • Architecture: i686
  • Source Package: aws
  • 11 dependencies
  • 1 provides
  • installed executable or alias match
  • Matched by: Aws
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: aws-devel from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
dnf92%

aws-doc 26.0.0-4.fc45

Documentation for the Ada Web Server

https://github.com/AdaCore/aws

sudo dnf install aws-doc
  • License: AdaCore-doc AND MIT AND BSD-2-Clause AND GPL-3.0-or-later AND LicenseRef-Fedora-Public-Domain AND GPL-1.0-or-later AND (GPL-3.0-or-later WITH GCC-exception-3.1
  • Category: Unspecified
  • Architecture: noarch
  • Source Package: aws
  • 1 dependencies
  • 1 provides
  • installed executable or alias match
  • Matched by: Aws
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: aws-doc from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
dnf92%

aws-tools 26.0.0-4.fc45

Tools for the Ada Web Server

https://github.com/AdaCore/aws

sudo dnf install aws-tools
  • License: GPL-3.0-or-later AND (GPL-3.0-or-later WITH GCC-exception-3.1 OR GPL-3.0-or-later WITH GNAT-exception)
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: aws
  • 21 dependencies
  • 1 provides
  • installed executable or alias match
  • Matched by: Aws
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: aws-tools from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
Scoop92%

main/aws

scoop install main/aws
  • installed executable or alias match
  • Matched by: Aws
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/aws.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Nucleus package database
  • approval-gate seed metadata
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated agent safety answer
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • local coverage README
  • package relationship graph
  • package version freshness
  • package-page enrichment
  • secret-handling manifest