macOS
Homebrew
已验证 · 100%
brew install awscli
local Homebrew formula metadata
安装
使用 Automic Vault 安装
Automic Vault
sudo av install brew:awscliLinux
Debian apt
已验证 · 92%
sudo apt install awscli
Debian stable package indexes · awscli · 来源: deb.debian.org
Nix
已验证 · 92%
nix profile install nixpkgs#awscli
nixpkgs package indexes · pkgs/by-name/aw/awscli/package.nix · 来源: api.github.com
Fedora dnf
已验证 · 92%
sudo dnf install aws
Fedora Rawhide package metadata · aws · 来源: dl.fedoraproject.org
Windows
Chocolatey
已验证 · 92%
choco install awscli
Chocolatey community package catalog · awscli · 来源: community.chocolatey.org
Scoop
已验证 · 92%
scoop install main/aws
Scoop official bucket manifest trees · bucket/aws.json · 来源: api.github.com
软件包管理器来源
平台说明
- Homebrew publishes bottles for current macOS and Linux targets.
- The examples directory is installed under $HOMEBREW_PREFIX/share/awscli/examples.
概览
软件包摘要
Automic Vault 根据本地软件包数据发布 awscli 的安装路径、可执行文件事实和安全元数据。
主页
命令和别名
- aws
- aws_completer
来源摘要
Official Amazon AWS command-line interface
radioisotope
Plain Text Secrets
`aws` stores credentials as plaintext at ~/.aws/credentials. Our isotope securely locks them in the macOS keychain such that only the root-controlled `aws` launcher running isolated Python can retrieve them through AWS' native credential_process protocol. External AWS CLI legacy plugins are disabled because they can run inside that credential-approved process. Explicit `aws config export-credentials` output is approval gated.
风险分类器
orange 风险 · high 置信度 · infrastructure
原因
- cloud infrastructure mutation tool
信号
- override:awscli
安装行为
- No Homebrew post-install hook is recorded in formula metadata.
- Homebrew bottle metadata is available for 6 platform targets.
- 安装时包含 2 个运行时依赖。
- 构建元数据列出 1 个构建依赖。
本地 README 摘录
Automic Vault aws-cli Isotope
The isotope now uses AWS' native credential_process protocol instead of placing AWS secrets in the aws process environment.
Implementation
Migration moves plain text keys from ~/.aws/credentials to the Keychain and installs this non-secret config in ~/.aws/config:
[default]
credential_process = /usr/local/bin/av credential-helper awsThe installed /opt/awscli/bin/aws launcher runs AWS Python in isolated mode and mints a short-lived AUTOMIC_VAULT_CREDENTIAL_HELPER_TOKEN for the AWS process. The helper only answers when that token is present and the parent process is the root-controlled AWS launcher path running under isolated Python, so unrelated processes cannot call the helper directly to retrieve credentials and cannot use PYTHONPATH/sitecustomize injection to make AWS Python call it. The isotope also disables AWS CLI legacy external plugins because those plugins run as Python code inside the credential-approved AWS process.
aws config export-credentials is approval gated before it can print the credential-process result, including invocations with AWS global options before the config command.
Detection also treats aws login cache files under ~/.aws/login/cache as plain text credentials. Migration warns when those files are present because this isotope cannot safely migrate the result of aws login.
Caveats
We assume a single profile and user. If you have more complex credential requirements you should use brew:aws-vault-binary instead. It’s more cumbersome but also more capable.
AWS CLI legacy external plugins configured under [plugins] are intentionally disabled. If your workflow depends on them, use non-isotoped brew:awscli or a dedicated credential manager.
来源: data/radioisotopes/aws-cli/README.md
覆盖来源
Caveats
- We only support console allocated key/secret pairs.
- We do not support `aws login` derived creds (PR welcome!). Note that if you authenticate in this manner we will continue to (correctly) report it as a secrets-hazard.
- We do not support multiple profiles (use `brew:aws-vault-binary`)
- We disable AWS CLI legacy external plugins configured under `[plugins]`.
审批门
Human review metadata for risky commands
The local approval-gate seed includes 8 rules for awscli. Covered entrypoints: aws. Severity labels: critical, high. Coverage: partial, 已审查 2026-05-21.
受控操作示例
- Export AWS credentials to stdout or process environment formats.
- Assume an AWS role and receive temporary credentials.
- Read and print a secret from AWS Secrets Manager.
- Delete S3 objects or buckets.
- Recursively mutate S3 objects.
- Create, update, or delete IAM access keys.
- Create, update, deploy, or delete CloudFormation stacks.
可执行文件
已安装的可执行文件
| 命令 | 类型 | 暴露范围 | 备注 |
|---|---|---|---|
aws | cli | global executable | Primary AWS command-line interface. |
aws_completer | completion helper | Homebrew executable; excluded from Automic Vault stubs | Shell completion helper for aws. |
新鲜度
版本和新鲜度
这些信号区分页生成时间、软件包管理器活动和上游发布比较。只有存在证据 URL 和可比较版本时,才会提示版本落后。
页面生成时间2026-05-26
管理器版本2.34.53
管理器更新时间2026-05-22
本地数据ok
上游current
检测到的最新版本2.34.53
https://github.com/aws/aws-cli
- ok没有生成新鲜度警告。
安装元数据
软件包元数据
| 软件包键 | brew:awscli |
|---|---|
| 版本 | 2.34.53 |
| 软件包管理器 | Homebrew |
| 软件包管理器页面 | https://formulae.brew.sh/formula/awscli |
| 主页 | https://aws.amazon.com/cli/ |
| 仓库 | https://github.com/aws/aws-cli |
| 上游文档 | https://docs.aws.amazon.com/cli/ |
| 许可证 | Apache-2.0 |
| 源码归档 | https://github.com/aws/aws-cli/archive/refs/tags/2.34.53.tar.gz |
| 更新 | 2026-05-22T22:50:32Z |
| 已验证 | 2026-05-23 |
| Pulse | updated |
| 依赖 | openssl@3, python@3.14 |
| 构建依赖 | cmake |
| macOS 提供的库 | libffi, mandoc |
| Bottle | 可用 (arm64_tahoe, arm64_sequoia, arm64_sonoma, sonoma, arm64_linux, x86_64_linux) |
| Homebrew post-install | 未定义 |
| 服务 | 未声明 |
| Caveats | The examples directory has been installed to $HOMEBREW_PREFIX/share/awscli/examples. |
来源线索
由仓库数据生成
此页面由 scripts/generate-pkg-pages.py 写入。如果 www/pkg/ 相对于本地软件包数据已过期,部署会拒绝发布。
使用的来源
- Geiger risk classifier
- Nucleus package database
- approval-gate seed metadata
- cross-ecosystem install command graph
- local isotope README
- package relationship graph
- package version freshness
- package-page enrichment
- package-page supplement data/pkg-pages/brew/awscli.json
- radioisotope security manifest