Automic Vault icon Automic Vault

AWS credential_process under local control

Private AWS CLI credentials

AI agents often need the AWS CLI to debug and operate systems. Automic Vault moves console key pairs out of ~/.aws/credentials and lets AWS retrieve them through a Keychain-backed credential_process helper only while the root-controlled launcher is running.

Last updated: June 4, 2026

Secure AWS CLI credentials for AI agents by replacing plaintext AWS keys with a non-secret credential_process reference. The aws launcher mints a short-lived helper token, runs AWS Python in isolated mode, and gates credential-printing AWS commands before AWS CLI code runs.

Automic Vault AWS credential protection console

AWS risk

The default AWS credential file is easy for agents to find.

~/.aws/credentials is predictable, familiar, and readable by local processes. That makes it convenient for humans and dangerous for autonomous sessions unless the durable secret moves behind a local runtime boundary.

Readable path

Remove direct file access

Cloud credentials should not be available through cat ~/.aws/credentials.

Helper reference

Leave non-secret config behind

~/.aws/config can point at /usr/local/bin/av credential-helper aws without storing the access key itself.

Caller checks

Make direct helper calls fail

The helper validates a per-run token, parent process, command shape, and root-controlled launcher path before returning credentials.

Cloud actions

Gate sensitive AWS output

Commands that can print credentials, tokens, private keys, decrypted secrets, or signed URLs are approval gated before AWS CLI code runs.

Pattern

Keep AWS useful without ambient credentials.

The strongest path is not broad environment injection. It is AWS' native helper protocol: the persisted config contains only a command reference, and the credential crosses the boundary at AWS authentication time.

Before

A readable AWS credentials file exposes access keys to any process with user-level file access.

After migration

Automic Vault saves supported keys in the macOS Keychain and writes credential_process = /usr/local/bin/av credential-helper aws.

At runtime

The installed aws launcher runs isolated Python, mints a short-lived helper token, and lets AWS request credentials through its normal protocol.

With agents

The agent can see the helper reference, but not the key. Sensitive cloud operations still pass through local approval gates.

Helper boundary

The helper is not a general secret printer.

av credential-helper aws prints AWS credential_process JSON only in the expected launcher context. An unrelated process cannot call the helper directly and get the AWS keys back.

Token

Short-lived helper token

The launcher mints a per-run approval token for the AWS process and passes it privately to the helper.

Parent

Expected AWS launcher only

The helper checks that its parent is the Automic Vault-managed /opt/awscli/bin/aws path or the isolated AWS Python it starts.

Isolation

No legacy plugin surprise

The launcher runs AWS Python in isolated mode and disables AWS CLI legacy external plugins that could run inside the credential-approved process.

Limits

Clear AWS coverage

The current isotope focuses on console allocated access key and secret key pairs for one profile. aws login cache and multi-profile setups need a dedicated credential manager.

FAQ

AWS CLI credential questions.

Automic Vault is not a replacement for AWS IAM. It is the local Mac boundary that keeps agent sessions from casually reading or spending AWS credentials.

Plaintext

Why is ~/.aws/credentials risky?

It is a predictable plaintext path. Agents that can browse local files can expose the keys before they run any cloud command.

Helper

How does Vault secure AWS CLI use?

Vault moves supported keys into the macOS Keychain, writes a non-secret credential_process reference, and returns credentials only to the validated AWS launcher.

Validation

What does the helper check?

It checks the helper token, parent executable, parent command, and root-controlled AWS launcher path before returning AWS credential_process JSON.

IAM

Should I still use IAM scopes and roles?

Yes. Least privilege, SSO, roles, and short-lived credentials remain important. Vault controls the local CLI use path.

Provenance

Maintained by Max Howell

This guide is maintained with the public Automic Vault source, security notes, and issue tracker by Max Howell, creator of Homebrew.

Related protections

Keep cloud credentials out of ambient reach.