Credential access
Reads AWS profiles, SSO cache, credential files, and environment credentials.
brew / protected-tool coverage / approval gates
Official Amazon AWS command-line interface. Version 2.35.16 via Homebrew; verified 2026-07-06.
agent safety
awscli is a cloud-control CLI for AWS accounts, so agent runs should treat it as high-authority infrastructure access.
Reads AWS profiles, SSO cache, credential files, and environment credentials.
Can create, delete, and reconfigure AWS resources across many services.
Can upload artifacts, deploy functions, and change release infrastructure.
Use protected AWS credential helpers and approval gates for mutating commands.
Permit read-only inspection by default; require human approval for writes, deletes, credential export, and deploys.
install
brew install awsclilocal Homebrew formula metadata
sudo apt install awscliDebian stable package indexes · awscli · source: deb.debian.org
sudo dnf install awscli2Fedora Rawhide package metadata · awscli2 · source: dl.fedoraproject.org
nix profile install nixpkgs#awsclinixpkgs package indexes · pkgs/by-name/aw/awscli/package.nix · source: api.github.com
sudo zypper install aws-cliopenSUSE Tumbleweed package metadata · aws-cli · source: download.opensuse.org
choco install awscliChocolatey community package catalog · awscli · source: community.chocolatey.org
scoop install main/awsScoop official bucket manifest trees · bucket/aws.json · source: api.github.com
overview
Official Amazon AWS command-line interface
history
AWS CLI is Amazon Web Services' official command-line interface, packaging AWS service APIs behind a single `aws` executable for shell use, automation, and repeatable cloud operations. For package-manager users, the modern `awscli` formula tracks AWS CLI v2, while the legacy v1 line is packaged separately as `awscli@1`.
The public `aws/aws-cli` repository was created in November 2012 and the 1.0.0 tag was cut in September 2013. Version 1 established the familiar Python-based command structure, shared AWS config and credentials files, profiles, output formats, and generated service commands that made AWS automation feel like a regular Unix tool.
AWS CLI v2 was previewed publicly with the `2.0.0dev0` tag in November 2018 and tagged 2.0.0 in February 2020. The v2 package became the preferred install target for the main AWS CLI docs and Homebrew formula, while v1 continued as a compatibility line for workflows pinned to the Python package ecosystem or older behavior.
The AWS CLI became infrastructure plumbing because it is the AWS-native denominator shared by developers, CI jobs, shell scripts, and operational runbooks. Its adoption tracks both AWS service growth and package-manager culture: Homebrew, Linux distro packages, Chocolatey, Scoop, Nix, and vendor installers all expose an `aws` command that users expect to be available on fresh machines.
AWS announced a v1 maintenance transition in 2024: v1 enters maintenance mode on February 1, 2026, reaches end-of-support on July 31, 2027, and users are directed toward v2 for ongoing feature work. That split is why package collections commonly carry both `awscli` and an explicit v1 package.
Common usage is interactive and scripted: configure credentials with `aws configure`, select profiles with `--profile` or `AWS_PROFILE`, call service subcommands such as `aws s3`, `aws ec2`, and `aws sts`, and pipe JSON output through tools like `jq`. The shared config file normally lives at `~/.aws/config`, while long-lived credentials and session material normally live at `~/.aws/credentials`.
The CLI also serves as an authentication substrate for other tools in this batch. awscurl, awslogs, and AWSume all either read the same shared files or help produce/export credentials used by the AWS CLI and SDK credential chain.
AWS CLI is a packaging stress test: it has high release velocity, a large generated command surface, platform-specific installers, shell completion, and a v1/v2 compatibility split. Package maintainers care about it because many downstream tools assume the `aws` executable exists, while users care about whether their package manager delivers v2, legacy v1, or both.
It is also one of the clearest examples of cloud vendors turning APIs into package-manager-distributed command-line infrastructure. Installing `awscli` is often the first step in bootstrapping an AWS workstation or CI image.
protected-tool coverage
`aws` stores credentials as plaintext at ~/.aws/credentials. Our isotope securely locks them in the macOS keychain such that only the root-controlled `aws` launcher running isolated Python can retrieve them through AWS' native credential_process protocol. External AWS CLI legacy plugins are detected and blocked before AWS CLI starts because they can run inside that credential-approved process. Explicit `aws configure export-credentials` output and other AWS commands that can print credentials, authentication tokens, private keys, decrypted secrets, or signed capability URLs are approval gated in the launcher before AWS CLI code runs. Both `aws configure export-credentials` and the shorter `aws config export-credentials` spelling are gated.
Local README excerpt
aws-cli Protected toolThe protected tool now uses AWS' native credential_process protocol instead of placing AWS secrets in the aws process environment.
Migration moves plain text keys from ~/.aws/credentials to the Keychain and installs this non-secret config in ~/.aws/config:
[default]
credential_process = /usr/local/bin/av credential-helper aws
The installed /opt/awscli/bin/aws launcher runs AWS Python in isolated mode and mints a short-lived AUTOMIC_VAULT_CREDENTIAL_HELPER_TOKEN for the AWS process. The helper only answers when that token is present and the parent process is the root-controlled AWS launcher path running under isolated Python, so unrelated processes cannot call the helper directly to retrieve credentials and cannot use PYTHONPATH/sitecustomize injection to make AWS Python call it. The launcher refuses to run when AWS CLI legacy external plugins are configured because those plugins run as Python code inside the credential-approved AWS process.
Commands that can print credentials, authentication tokens, private keys, decrypted secrets, or signed capability URLs are approval gated in the launcher before AWS CLI code runs. That includes aws configure export-credentials and the shorter aws config export-credentials spelling, temporary-credential APIs such as STS, SSO, IAM, Cognito identity, Lake Formation, S3 Control, and service-specific credential issuers; service login tokens such as ECR, CodeArtifact, RDS, and EKS; decrypted secret reads from Secrets Manager, SSM with --with-decryption, KMS, and ACM; and S3 presigned URLs. The launcher recognizes AWS global options before or between the service and operation tokens.
Detection also treats aws login cache files under ~/.aws/login/cache as plain text credentials. Migration warns when those files are present because this protected tool cannot safely migrate the result of aws login.
We assume a single profile and user. If you have more complex credential requirements you should use brew:aws-vault-binary instead. It’s more cumbersome but also more capable.
AWS CLI legacy external plugins configured under [plugins] are not supported. The detector reports them and the launcher refuses to run until they are removed. If your workflow depends on them, use non-protected toold brew:awscli or a dedicated credential manager.
Source: local coverage notes
Local secret-handling manifest
approval gates
The local approval-gate seed includes 8 rules for awscli. Covered entrypoints: aws. Severity labels: critical, high. Coverage: partial, reviewed 2026-05-21.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
~/.aws/config%USERPROFILE%\.aws\configCredential-bearing paths to review before unattended agent runs.
~/.aws/credentials%USERPROFILE%\.aws\credentialsexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
aws | cli | global executable | |
aws_completer | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/aws/aws-cli
install metadata
| Package key | brew:awscli |
|---|---|
| Version | 2.35.16 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/awscli |
| Homepage | https://aws.amazon.com/cli/ |
| Repository | https://github.com/aws/aws-cli |
| Upstream docs | https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html |
| License | Apache-2.0 |
| Source archive | https://github.com/aws/aws-cli/archive/refs/tags/2.35.16.tar.gz |
| Last updated | 2026-07-06T22:31:05Z |
| Pulse | updated |
| Dependencies | openssl@3, python@3.14 |
| Build dependencies | cmake |
| Uses from macOS | libffi, mandoc |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
| Caveats | The "examples" directory has been installed to: $HOMEBREW_PREFIX/share/awscli/examples |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | awscli |
| Aliases |
|
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
awscli 2.23.6-1
Unified command line interface to Amazon Web Services
https://github.com/aws/aws-cli
sudo apt install awscliawscli
nix profile install nixpkgs#awscliawscli2 2.34.29-2.fc45
Universal Command Line Environment for AWS, version 2
https://github.com/aws/aws-cli/tree/v2
sudo dnf install awscli2aws-cli 1.44.51-1.1
Amazon Web Services Command Line Interface
https://github.com/aws/aws-cli
sudo zypper install aws-cliawscli
choco install awscliaws 26.0.0-4.fc45
The Ada Web Server
https://github.com/AdaCore/aws
sudo dnf install awsaws-devel 26.0.0-4.fc45
Development files for the Ada Web Server
https://github.com/AdaCore/aws
sudo dnf install aws-develaws-doc 26.0.0-4.fc45
Documentation for the Ada Web Server
https://github.com/AdaCore/aws
sudo dnf install aws-docaws-tools 26.0.0-4.fc45
Tools for the Ada Web Server
https://github.com/AdaCore/aws
sudo dnf install aws-toolsmain/aws
scoop install main/awssource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.