Remove direct file access
Cloud credentials should not be available through cat ~/.aws/credentials.
AWS credential_process under local control
AI agents often need the AWS CLI to debug and operate systems. Automic Vault moves console key pairs out of ~/.aws/credentials and lets AWS retrieve them through a Keychain-backed credential_process helper only while the root-controlled launcher is running.
Last updated: June 4, 2026
Secure AWS CLI credentials for AI agents by replacing plaintext AWS keys with a non-secret credential_process reference. The aws launcher mints a short-lived helper token, runs AWS Python in isolated mode, and gates credential-printing AWS commands before AWS CLI code runs.
AWS risk
~/.aws/credentials is predictable, familiar, and readable by local processes. That makes it convenient for humans and dangerous for autonomous sessions unless the durable secret moves behind a local runtime boundary.
Cloud credentials should not be available through cat ~/.aws/credentials.
~/.aws/config can point at /usr/local/bin/av credential-helper aws without storing the access key itself.
The helper validates a per-run token, parent process, command shape, and root-controlled launcher path before returning credentials.
Commands that can print credentials, tokens, private keys, decrypted secrets, or signed URLs are approval gated before AWS CLI code runs.
Pattern
The strongest path is not broad environment injection. It is AWS' native helper protocol: the persisted config contains only a command reference, and the credential crosses the boundary at AWS authentication time.
A readable AWS credentials file exposes access keys to any process with user-level file access.
Automic Vault saves supported keys in the macOS Keychain and writes credential_process = /usr/local/bin/av credential-helper aws.
The installed aws launcher runs isolated Python, mints a short-lived helper token, and lets AWS request credentials through its normal protocol.
The agent can see the helper reference, but not the key. Sensitive cloud operations still pass through local approval gates.
Helper boundary
av credential-helper aws prints AWS credential_process JSON only in the expected launcher context. An unrelated process cannot call the helper directly and get the AWS keys back.
The launcher mints a per-run approval token for the AWS process and passes it privately to the helper.
The helper checks that its parent is the Automic Vault-managed /opt/awscli/bin/aws path or the isolated AWS Python it starts.
The launcher runs AWS Python in isolated mode and disables AWS CLI legacy external plugins that could run inside the credential-approved process.
The current isotope focuses on console allocated access key and secret key pairs for one profile. aws login cache and multi-profile setups need a dedicated credential manager.
FAQ
Automic Vault is not a replacement for AWS IAM. It is the local Mac boundary that keeps agent sessions from casually reading or spending AWS credentials.
~/.aws/credentials risky?It is a predictable plaintext path. Agents that can browse local files can expose the keys before they run any cloud command.
Vault moves supported keys into the macOS Keychain, writes a non-secret credential_process reference, and returns credentials only to the validated AWS launcher.
It checks the helper token, parent executable, parent command, and root-controlled AWS launcher path before returning AWS credential_process JSON.
Yes. Least privilege, SSO, roles, and short-lived credentials remain important. Vault controls the local CLI use path.
This guide is maintained with the public Automic Vault source, security notes, and issue tracker by Max Howell, creator of Homebrew.
Related protections