github 99designs/aws-vault v6.0.0-rc1

Final call for feedback on these changes


  • Support for AWS SSO #549 docs
  • Support for Yubikey TOTP #558 docs
  • A shell script for adding a Yubikey to IAM #559
  • aws-vault exec --ecs-server starts an ECS credential server offering many advantages over the EC2 metadata server #556 #375 docs
  • Debug http logging for the server #330
  • Support for setting the secret service collection with --secret-service-collection #539
  • Support for assume roles using OpenID Connect tokens #587
  • A native windows prompt wincredui #613
  • A pass MFA provider that reads from pass otp #640
  • aws-vault proxy --stop will stop the ec2 server proxy and remove the network alias. Fixes #548, #360
  • A new command aws-vault clear [<profile>] to remove short-term session credentials and OIDC tokens #644 #591 #412
  • The environment variable AWS_MIN_TTL will enforce a minimum expiry time on credentials #646


  • Ensure all error messages go to stderr #565
  • Using a key with a slash with the file backend
  • Login hang when using an unknown profile #575 #545
  • Shell completion issues #408, #576
  • Parse Windows netsh error messages in German #610
  • The aws-vault executable location should now be detected correctly in more instances. Fixes #596
  • Use the expiry window when retrieving credentials from the key store to enforce a minimum expiry time #608


  • Config variable parent_profile renamed to include_profile. The old parent_profile still works for backwards compatibility #520 #560 docs
  • Credentials created with AssumeRole and MFA are now cached #569 (Fixes #552, #532, #525)
  • Profile names are now case-sensitive #570 #528 7262236
  • The proxy command is now aws-vault proxy. This command is not user facing, but the old server subcommand still works just in case for backwards compatibility #627
  • When secret keys are added with aws-vault add, the secret is no longer echoed back into the terminal #625
  • The --sessions-only flag has been deprecated from the remove command in favour of aws-vault clear. The old flag still works for backwards compatibility
latest releases: v6.2.0, v6.1.0, v6.0.1...
pre-release6 months ago