There is a nice utility called aws-vault that helps you manage AWS credentials. It is pleasant to use because it allows ad-hoc login as a specific profile via a web browser, without entering your credentials or going through a 3-step login process, just:

aws-vault login profile

Where “profile” is a specific AWS profile, and voilà, you’re in.

Besides that, it also keeps your credentials safe in one of the supported backends. Personally I use the macOS keychain, which is the default on macOS for saving credentials, but on my personal rigs, which all run Linux, I prefer to have credentials in Password Store. That way I can sync credentials across machines easily, as well as manage and track them in a central place, as I usually do with all my passwords.

So, long story short, here is how I have it configured. I have the following lines in my Bash RC:

# export is required so that aws-vault, a child process of the shell, sees these
export AWS_VAULT_PASS_PREFIX=aws-vault
export AWS_VAULT_BACKEND=pass

This uses pass as the backend and assumes ~/.password-store/aws-vault as the destination folder. Nothing else is needed; this just works and saves all logins under the aws-vault folder in my password store.

There are other options that can be tweaked as well, but this matches my setup.
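
A quick audit of the setup described above, as an added example that is not part of the original post or of aws-vault itself. The function name check_aws_vault_pass is hypothetical, the store directory defaults to the ~/.password-store path the post names, and the owner-only permission expectation is an assumption of this example.

```sh
# Added example: audit an aws-vault + pass setup like the one in the post.
# Usage: check_aws_vault_pass [STORE_DIR]   (default: ~/.password-store)
# Prints one line per finding; returns 0 only when every check passes.
check_aws_vault_pass() (
    store=${1:-$HOME/.password-store}
    rc=0

    # aws-vault runs as a child process, so it only sees *exported* variables.
    # printenv reads the environment, not unexported shell variables.
    backend=$(printenv AWS_VAULT_BACKEND) || backend=
    prefix=$(printenv AWS_VAULT_PASS_PREFIX) || prefix=
    if [ "$backend" != pass ]; then
        echo "FAIL: AWS_VAULT_BACKEND is not exported as 'pass'"; rc=1
    fi
    if [ -z "$prefix" ]; then
        echo "FAIL: AWS_VAULT_PASS_PREFIX is not exported"
        exit 1
    fi

    dir=$store/$prefix
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist (no credentials stored yet?)"
        exit 1
    fi

    # pass keeps each entry as a GPG-encrypted <name>.gpg file; anything else
    # under the prefix (apart from .gpg-id) may be a plaintext secret.
    stray=$(find "$dir" -type f ! -name '*.gpg' ! -name '.gpg-id')
    if [ -n "$stray" ]; then
        echo "FAIL: non-.gpg files under $dir:"; echo "$stray"; rc=1
    fi

    # Entry names reveal profile names; keep the tree private to the owner.
    open=$(find "$dir" \( -perm -040 -o -perm -004 \))
    if [ -n "$open" ]; then
        echo "FAIL: readable by group or others:"; echo "$open"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    exit "$rc"
)
```

Source the file and run check_aws_vault_pass from a new shell to confirm the Bash RC lines actually reach child processes.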