aws-vault vs Granted: A Comparison of Tools for Securely Managing AWS Credentials on macOS
# aws-vault vs Granted: AWSクレデンシャル管理ツール徹底比較
## はじめに
AWSのマルチアカウント運用では、クレデンシャルの安全な管理が重要課題です。本記事では **aws-vault** と **Granted** の2つのツールを、macOS Keychain統合・セットアップ・ワークフローの観点から比較します。
---
## ツール概要
### aws-vault
99designs社が開発したOSSで、AWSクレデンシャルをOSのキーチェーン(macOS Keychain / Linux Secret Service等)に安全に保存し、一時的な環境変数としてコマンドに渡すツールです。
```
# 基本的な使い方
aws-vault exec my-profile -- aws s3 ls
```
### Granted
Common Fate社が開発したOSSで、aws-vaultの思想を継承しつつ、マルチアカウント運用の**UX改善**に特化しています。ブラウザの複数プロファイル同時起動など、開発者体験を重視した機能が特徴です。
```
# 基本的な使い方
assume my-profile
```
---
## macOS Keychain統合の比較
### aws-vault のKeychain統合
aws-vaultはデフォルトでmacOS Keychainを使用します。
```bash
# バックエンドの確認・指定
aws-vault --backend=keychain exec my-profile -- aws sts get-caller-identity
# Keychainに保存されたクレデンシャルの確認
aws-vault list
```
**保存の仕組み:**
```
macOS Keychain
└── aws-vault (キーチェーン項目)
├── profile: production
│ ├── aws_access_key_id: AKIA...
│ └── aws_secret_access_key: ****
└── profile: staging
├── aws_access_key_id: AKIA...
└── aws_secret_access_key: ****
```
利用可能なバックエンド:
| バックエンド | 対応OS | 特徴 |
|-------------|--------|------|
| keychain | macOS | デフォルト、Touch ID対応 |
| secret-service | Linux | GNOME Keyring等 |
| kwallet | Linux | KDE向け |
| wincred | Windows | Windows Credential Manager |
| pass | Linux/macOS | GPGベース |
| file | 全OS | 暗号化ファイル(非推奨) |
### Granted のKeychain統合
GrantedはAWSクレデンシャル自体は `~/.aws/credentials` の標準管理に委ね、**セッショントークンやキャッシュの管理**にKeychainを活用します。
```bash
# Grantedのセキュアストレージ確認
granted credentials list
# Keychainアクセスの設定
granted settings set --keychain-backend keychain
```
**保存の仕組み:**
```
~/.aws/credentials # 長期クレデンシャル(標準管理)
macOS Keychain
└── granted (キーチェーン項目)
├── session_token_cache
│ ├── profile: production (有効期限付き)
│ └── profile: staging (有効期限付き)
└── sso_token_cache
└── sso-session: my-sso
```
### Keychain統合の比較まとめ
| 項目 | aws-vault | Granted |
|------|-----------|---------|
| 長期クレデンシャル保存場所 | Keychain | ~/.aws/credentials |
| セッショントークン保存 | Keychain | Keychain |
| Touch ID対応 | ✅ | ✅ |
| credentials管理の透明性 | 低(全てKeychain) | 高(標準ファイル併用) |
| 既存設定との互換性 | 要移行 | 高い |
---
## セットアップ手順
### aws-vault セットアップ
**1. インストール**
```bash
# Homebrew
brew install aws-vault
# または直接ダウンロード
# https://github.com/99designs/aws-vault/releases
```
**2. クレデンシャルの追加**
```bash
# 対話形式でKeychainに保存
aws-vault add my-profile
# Enter Access Key ID: AKIAIOSFODNN7EXAMPLE
# Enter Secret Access Key: ****
# 確認
aws-vault list
```
**3. ~/.aws/config の設定**
```ini
[profile my-profile]
region = ap-northeast-1
[profile production]
source_profile = my-profile
role_arn = arn:aws:iam::123456789012:role/ProductionRole
mfa_serial = arn:aws:iam::000000000000:mfa/username
[profile staging]
source_profile = my-profile
role_arn = arn:aws:iam::987654321098:role/StagingRole
```
**4. MFA設定(オプション)**
```bash
# MFAトークンを都度入力
aws-vault exec production -- aws s3 ls
# Enter MFA code for arn:aws:iam::000000000000:mfa/username: 123456
# セッション時間の延長
aws-vault exec production --duration=8h -- bash
```
**5. AWS SSO対応**
```ini
[profile sso-profile]
sso_start_url = https://my-sso.awsapps.com/start
sso_account_id = 123456789012
sso_role_name = PowerUserAccess
sso_region = ap-northeast-1
```
```bash
aws-vault login sso-profile
```
---
### Granted セットアップ
**1. インストール**
```bash
# Homebrew
brew tap common-fate/granted
brew install granted
# シェル統合のセットアップ(重要)
granted completion -s zsh >> ~/.zshrc # zshの場合
# または
granted completion -s bash >> ~/.bashrc
source ~/.zshrc
```
**2. シェルエイリアスの確認**
Grantedは `assume` コマンドで環境変数を**現在のシェルに直接設定**するため、シェル統合が必須です。
```bash
# 正しく設定されているか確認
which assume
# → /usr/local/bin/assume (シェル関数として設定される)
```
**3. 既存の ~/.aws/config を活用**
```bash
# 既存プロファイルをそのまま利用可能
granted profiles list
# プロファイルの検索(fuzzy finder対応)
assume
# → インタラクティブにプロファイルを選択できる
```
**4. AWS SSO対応**
```bash
# SSO設定ウィザード
granted sso populate
# または手動で ~/.aws/config に記載
```
```ini
[profile dev-account]
sso_start_url = https://my-sso.awsapps.com/start
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
sso_region = ap-northeast-1
region = ap-northeast-1
[sso-session my-sso]
sso_start_url = https://my-sso.awsapps.com/start
sso_region = ap-northeast-1
sso_registration_scopes = sso:account:access
```
```bash
# SSOログイン
assume dev-account
# → ブラウザが開いてSSO認証
```
**5. ブラウザプロファイル設定(Granted独自機能)**
```bash
# ブラウザの設定
granted browser set
# Chromeプロファイルとの紐付け
granted registry add --profile production --chrome-profile "Work"
```
---
## マルチアカウント運用時のワークフロー比較
### シナリオ:開発・ステージング・本番環境の切り替え
**前提となる ~/.aws/config**
```ini
# 共通のベースプロファイル
[profile base]
region = ap-northeast-1
# 開発環境
[profile dev]
source_profile = base
role_arn = arn:aws:iam::111111111111:role/DevRole
role_session_name = developer
# ステージング環境
[profile staging]
source_profile = base
role_arn = arn:aws:iam::222222222222:role/StagingRole
role_session_name = developer
# 本番環境
[profile production]
source_profile = base
role_arn = arn:aws:iam::333333333333:role/ProductionRole
role_session_name = developer
mfa_serial = arn:aws:iam::000000000000:mfa/username
```
---
### aws-vault のワークフロー
```bash
# 単発コマンド実行
aws-vault exec dev -- aws s3 ls
aws-vault exec staging -- terraform plan
aws-vault exec production -- aws ec2 describe-instances
# サブシェルで作業(環境変数が設定されたシェルに入る)
aws-vault exec dev -- bash
# → このシェル内では全コマンドがdevプロファイルで実行
$ aws s3 ls
$ terraform apply
$ exit # シェルを抜けると環境変数がクリアされる
# 複数ウィンドウでの並行作業
# ターミナルタブ1: aws-vault exec dev -- bash
# ターミナルタブ2: aws-vault exec staging -- bash
# ターミナルタブ3: aws-vault exec production -- bash
# 現在のアイデンティティ確認
aws-vault exec dev -- aws sts get-caller-identity
```
**aws-vaultのサブシェル内の環境変数:**
```bash
aws-vault exec dev -- env | grep AWS
# AWS_VAULT=dev
# AWS_DEFAULT_REGION=ap-northeast-1
# AWS_ACCESS_KEY_ID=ASIA...(一時クレデンシャル)
# AWS_SECRET_ACCESS_KEY=****
# AWS_SESSION_TOKEN=****
# AWS_CREDENTIAL_EXPIRATION=2024-01-01T12:00:00Z
```
---
### Granted のワークフロー
```bash
# assumeでプロファイルを現在のシェルに設定
assume dev
# ✅ Assumed role: arn:aws:iam::111111111111:role/DevRole
# 現在のシェルで直接コマンド実行(サブシェル不要)
aws s3 ls
terraform plan
# 別プロファイルに切り替え
assume staging
# ✅ Assumed role: arn:aws:iam::222222222222:role/StagingRole
# プロファイルの解除
unassume
# インタラクティブ選択(fzf統合)
assume
# → fuzzy finderでプロファイルを検索・選択
# プロファイル確認
assume -d # 現在のプロファイルを表示
```
**Grantedの環境変数:**
```bash
assume dev && env | grep AWS
# AWS_PROFILE=dev
# AWS_DEFAULT_REGION=ap-northeast-1
# AWS_ACCESS_KEY_ID=ASIA...
# AWS_SECRET_ACCESS_KEY=****
# AWS_SESSION_TOKEN=****
# GRANTED_ALIAS=dev
```
---
### ブラウザ複数アカウント同時アクセス(Granted独自機能)
Grantedの最大の差別化機能として、**複数AWSアカウントのコンソールを同時にブラウザで開く**機能があります。
```bash
# AWSコンソールをブラウザで開く
granted console dev
# → Chrome/Firefoxのdev専用プロファイルでコンソールが開く
granted console staging
# → 別のブラウザプロファイルでコンソールが開く
# 同時に複数アカウントのコンソールを開いても
# セッションが混在しない!
```
```bash
# ~/.granted/config での設定例
[browser]
default = CHROME
[profiles]
[profiles.dev]
browser_profile = "AWS Dev"
[profiles.production]
browser_profile = "AWS Prod"
```
---
### Terraform運用での比較
**aws-vault の場合:**
```bash
# terraform実行
aws-vault exec production -- terraform init
aws-vault exec production -- terraform plan -out=tfplan
aws-vault exec production -- terraform apply tfplan
# Makefileへの統合
# Makefile
VAULT_CMD = aws-vault exec $(AWS_PROFILE) --
tf-plan:
$(VAULT_CMD) terraform plan
tf-apply:
$(VAULT_CMD) terraform apply
```
**Granted の場合:**
```bash
# assumeしてからterraform実行
assume production
terraform init
terraform plan -out=tfplan
terraform apply tfplan
# 環境変数が設定されているのでシームレスに実行
# CI/CD環境では assume --no-input オプションを使用
```
---
### CI/CD環境での利用
**aws-vault(GitHub Actions):**
```yaml
# .github/workflows/deploy.yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
aws-region: ap-northeast-1
# aws-vaultはCI環境では通常不要
# OIDC + IAM Roles for Service Accountsを推奨
```
**Granted(ローカル→CI移行):**
```bash
# ローカルでの動作確認
assume dev
aws sts get-caller-identity
# CI環境では環境変数を直接設定
# GRANTED_SSO_START_URL等の変数も活用可能
```
---
## 機能比較マトリクス
| 機能 | aws-vault | Granted |
|------|-----------|---------|
| **セキュリティ** | | |
| Keychainへの長期クレデンシャル保存 | ✅ | ❌(標準credentialsファイル) |
| 一時クレデンシャルの自動生成 | ✅ | ✅ |
| MFA対応 | ✅ | ✅ |
| **使いやすさ** | | |
| 現在のシェルへの環境変数設定 | ❌(サブシェル) | ✅ |
| インタラクティブプロファイル選択 | ❌ | ✅(fzf) |
| シェル補完 | ✅ | ✅ |
| **マルチアカウント機能** | | |
| 複数ブラウザプロファイル対応 | ❌ | ✅ |
| AWSコンソール起動 | ✅(limited) | ✅(高機能) |
| **SSO対応** | | |
| AWS SSO/IAM Identity Center | ✅ | ✅ |
| SSOセッション自動更新 | 手動 | ✅(自動) |
| **互換性** | | |
| 既存credentialsとの互換性 | 要設定 | 高い |
| Docker/コンテナ連携 | ✅(--server mode) | 限定的 |
| **プラットフォーム** | | |
| macOS | ✅ | ✅ |
| Linux | ✅ | ✅ |
| Windows | ✅ | ✅ |
---
## ユースケース別の選び方
### aws-vault を選ぶべきケース
**1. セキュリティを最優先する場合**
```bash
# 長期クレデンシャルをKeychainに完全隔離
# ~/.aws/credentialsファイルには何も残らない
aws-vault add high-security-profile
# → Keychainにのみ保存、ファイルシステムに痕跡なし
```
```
適したケース:
- セキュリティ監査を受ける環境
- 規制業種(金融・医療等)
- 共有PCでの作業
- SOC2/ISO27001準拠が必要な場合
```
**2. コンテナ/Docker環境との連携**
```bash
# aws-vaultのサーバーモード
aws-vault exec dev --server -- docker-compose up
# → コンテナ内からEC2メタデータエンドポイントとして
# クレデンシャルを提供(169.254.169.254互換)
# docker-compose.yml
# services:
# app:
# environment:
# AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: /...
```
**3. スクリプト/自動化での確実な実行**
```bash
#!/bin/bash
# 毎回クリーンな環境でコマンドを実行
aws-vault exec production -- ./deploy.sh
aws-vault exec production -- ./verify.sh
# サブシェルなので環境汚染のリスクがない
```
---
### Granted を選ぶべきケース
**1. 多数のアカウントを頻繁に切り替える場合**
```bash
# インタラクティブ選択で素早く切り替え
assume
# ↓ fzfによる検索UI
# > dev-account-ap-northeast-1
# dev-account-us-east-1
# staging-account
# production-account-jp
# production-account-us
# ...(大量のプロファイルも素早く選択)
```
**2. AWSコンソールを複数アカウントで同時作業**
```bash
# 複数アカウントのコンソールを同時に開く
granted console dev # Chromeプロファイル"Dev"で開く
granted console staging # Chromeプロファイル"Staging"で開く
granted console production # Chromeプロファイル"Prod"で開く
# → 3つのアカウントを同時に確認・操作可能
# → セッションの混在なし
```
**3. AWS SSOを中心とした運用**
```bash
# SSO設定の一括インポート
granted sso populate --sso-start-url https://my-sso.awsapps.com/start
# → 利用可能な全アカウント・ロールを自動で ~/.aws/config に追記
# → 手動でconfig編集不要
# 自動でSSOセッションを更新
assume production
# → セッション切れの場合、自動でブラウザ認証を起動
```
**4. チーム開発・オンボーディング重視**
```bash
# 設定の共有が容易
# ~/.aws/config を共有リポジトリで管理
# 新メンバーのセットアップ
brew install granted
git clone company-aws-config
cp company-aws-config/config ~/.aws/config
granted sso login
# → すぐに全環境を利用可能
```
---
### 判断フローチャート
```
AWSクレデンシャル管理ツール選択
│
├─ 長期クレデンシャルをファイルシステムから
│ 完全に隔離したい?
│ └─ YES → aws-vault 一択
│
├─ コンテナ/Dockerとの統合が重要?
│ └─ YES → aws-vault(--serverモード)
│
├─ AWS SSO/IAM Identity Center を主に使用?
│ └─ YES → Granted(SSO体験が優秀)
│
├─ ブラウザで複数アカウントを
│ 同時に操作したい?
│ └─ YES → Granted 一択
│
├─ 既存の ~/.aws/config 設定を
│ 活かしたい?
│ └─ YES → Granted(互換性が高い)
│
└─ 上記以外・セキュリティ重視
└─ aws-vault
```
---
### 両方を併用するアプローチ
実は両ツールは排他的ではなく、**役割を分けて併用**することも可能です。
```bash
# aws-vault: 長期クレデンシャルの安全な保管
aws-vault add base-profile
# Granted: プロファイル切り替えのUX向上
# GrantedがAWS_PROFILEを設定 → aws CLIが
# ~/.aws/configのsource_profileを参照 → aws-vaultが処理
# .zshrcでのエイリアス設定例
alias av="aws-vault exec"
alias assume-secure="aws-vault exec $1 -- bash"
```
---
## まとめ
| | aws-vault | Granted |
|--|-----------|---------|
| **一言で** | セキュリティ特化 | 開発者体験特化 |
| **向いている人** | セキュリティ要件が厳しい・スクリプト自動化重視 | 多アカウントを日常的に操作・SSO中心 |
| **学習コスト** | 低〜中 | 低(既存設定を流用可) |
| **コミュニティ** | 成熟・大規模 | 成長中 |
どちらも優れたツールですが、**セキュリティ要件が厳しい環境ではaws-vault**、**マルチアカウントのUXを重視するならGranted**という使い分けが基本指針です。AWS SSOへの移行が進んでいる現代の開発環境では、Grantedのシームレスなフローが特に価値を発揮します。
2026.06.28
This page has been translated by machine translation. View original
Introduction
When developing with AWS, are you storing your access keys in plain text in ~/.aws/credentials? This poses a high security risk, and if the file is ever leaked, your AWS account could be used fraudulently.
This article compares two tools for securely managing AWS credentials on macOS — aws-vault and Granted — and covers everything from setup procedures to everyday usage and multi-account operation workflows.
Why Plain Text Credentials Are Dangerous
When you run the default aws configure, your access keys are stored in plain text in ~/.aws/credentials.
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
This file is at risk of leaking through the following channels:
- Accidental commits to a dotfiles repository
- File reading by malware
- Leakage from disk backups
- Access by other users on shared devices
Both aws-vault and Granted solve this problem by encrypting and storing credentials in the OS keychain and generating temporary credentials with STS.
Prerequisites and Environment
- macOS (with Keychain Access support)
- Homebrew installed
- AWS CLI installed
- IAM user access keys (with MFA configured)
aws-vault
Overview
aws-vault is a Go-based CLI tool developed by 99designs. It encrypts and stores AWS credentials in the OS keychain, and uses STS GetSessionToken and AssumeRole to generate temporary credentials.
Installation
brew install --cask aws-vault
Initial Setup
1. Storing Credentials
aws-vault add my-profile
You will be prompted to enter your access key ID and secret key. The entered information is encrypted and stored in the macOS Keychain.
Key point: It is not saved to
~/.aws/credentials. You can verify it in Keychain Access.app as the "aws-vault" keychain.
2. Configuring ~/.aws/config
[profile my-profile]
region = ap-northeast-1
[profile my-profile-admin]
source_profile = my-profile
role_arn = arn:aws:iam::123456789012:role/AdminRole
mfa_serial = arn:aws:iam::123456789012:mfa/your.name
region = ap-northeast-1
source_profile: Specify the profile name saved in aws-vaultrole_arn: The ARN of the role to AssumeRole intomfa_serial: The ARN of the MFA device (found in the "Security credentials" tab of the IAM console)
3. Verification
aws-vault exec my-profile-admin -- aws sts get-caller-identity
You will be prompted to enter an MFA token, and upon success you will get output like the following:
{
"UserId": "AROA3XFRBF23EXAMPLE:session-name",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/session-name"
}
How macOS Keychain Integration Works
- Dedicated keychain: Credentials saved with
aws-vault addare stored not in the login keychain, but in a dedicated "aws-vault" keychain - Code signing: macOS release builds are code-signed, preventing repeated password prompts when accessing the Keychain
- Temporary credentials: Temporary credentials are generated via
GetSessionTokenfrom the stored long-term credentials (valid for 1 hour by default). Only temporary credentials are passed to applications - How to verify: Open Keychain Access.app and check the stored information from the "aws-vault" keychain in the sidebar
Commonly Used Commands
| Command | Description |
|---|---|
aws-vault add <profile> |
Save credentials to the Keychain |
aws-vault exec <profile> -- <cmd> |
Execute a single command with temporary credentials |
aws-vault exec <profile> |
Open a subshell with temporary credentials |
aws-vault list |
Display profile list and session expiration |
aws-vault login <profile> |
Log in to the AWS console in a browser |
aws-vault rotate <profile> |
Automatically rotate access keys |
aws-vault remove <profile> |
Delete saved credentials |
aws-vault clear <profile> |
Clear cached sessions |
Common Troubleshooting
"already in subshell" Error
aws-vault: error: exec: running in an existing aws-vault subshell
This occurs when you are already inside an aws-vault subshell. Either exit the subshell with exit and re-run, or check your current session with echo $AWS_VAULT.
exit # Exit the subshell
aws-vault exec my-profile-admin # Run again
exitis not an aws-vault-specific command; it is a shell built-in. Because aws-vault'sexeclaunches a nested shell process, runningexitterminates that shell and returns you to the parent shell.
Session Expiration
# If a command fails due to session expiration
aws-vault clear my-profile-admin # Clear the cache
aws-vault exec my-profile-admin # Obtain a new session (re-enter MFA)
Granted
Overview
Granted is a Go-based CLI tool developed by Common Fate. Like aws-vault, it encrypts and stores credentials in the Keychain, but its greatest feature is that it can switch credentials directly in the current shell without using a subshell.
Installation
brew tap common-fate/granted
brew install granted
After installation, verify the version.
granted -v
On first run, you will be prompted to add an alias to your shell profile. This enables the assume command. After configuration, restart your terminal.
Initial Setup
Since Granted reads ~/.aws/config, the same configuration file used with aws-vault can be used as-is.
1. Secure Storage of IAM Credentials
Granted can also store credentials in the keychain.
granted credentials import
This command migrates plain text credentials from ~/.aws/credentials to the system keychain.
2. Configuring ~/.aws/config
The same configuration used with aws-vault works as-is.
[profile my-profile]
region = ap-northeast-1
[profile my-profile-admin]
source_profile = my-profile
role_arn = arn:aws:iam::123456789012:role/AdminRole
mfa_serial = arn:aws:iam::123456789012:mfa/your.name
region = ap-northeast-1
3. Verification
assume my-profile-admin
Running assume without specifying a profile lets you select a profile using an interactive fuzzy search.
assume
# → Profile list is displayed with fuzzy search
Commonly Used Commands
| Command | Description |
|---|---|
assume |
Interactively select a profile and AssumeRole |
assume <profile> |
AssumeRole with the specified profile (exports environment variables to the current shell) |
assume -c <profile> |
Open the AWS console in a browser (can be logged into multiple accounts simultaneously) |
granted credentials import |
Import from ~/.aws/credentials to the keychain |
granted sso populate |
Automatically generate profiles from SSO configuration |
aws-vault vs Granted Comparison
Basic Comparison
| Item | aws-vault | Granted |
|---|---|---|
| Developer | 99designs | Common Fate |
| Language | Go | Go |
| Credential storage | macOS Keychain | macOS Keychain |
| Temporary credentials | STS GetSessionToken / AssumeRole | STS GetSessionToken / AssumeRole |
| Shell behavior | Spawns a subshell | Exports environment variables to the current shell |
| SSO support | Basic (manual configuration required) | First-class support |
| Profile selection | Enter profile name exactly | Interactive selection with fuzzy search |
Multi-Account Operation Comparison
When handling multiple projects × environments (stg/prod), there is a significant difference in workflow.
aws-vault: One Shell, One Account
aws-vault exec project-a-stg # Subshell 1
# Do work...
exit # Exit the subshell
aws-vault exec project-b-prod # Subshell 2 (re-enter MFA if expired)
# Do work...
exit
aws-vault exec project-a-stg # Go back (re-enter MFA if expired)
Every time you switch accounts, you need exit → exec, and the shell context (current directory, environment variables, command history) is lost.
Granted: Switch Within the Shell
assume project-a-stg # Set environment variables in the current shell
# Do work...
assume project-b-prod # Simply overwrite the environment variables
# Do work...
assume project-a-stg # Go back, no exit needed
Since no subshell is used, you can switch while maintaining the shell context.
Differences in AWS Console Access
# aws-vault: One account per browser session
aws-vault login project-a-stg # Open console in browser
aws-vault login project-b-prod # Logged out of the above session
# Granted: Can open multiple accounts in the browser simultaneously
assume -c project-a-stg # Tab 1: project-a-stg console
assume -c project-b-prod # Tab 2: project-b-prod console (separate container)
assume -c project-c-dev # Tab 3: project-c-dev console
Granted uses the browser's container feature to allow simultaneous login to multiple AWS accounts. This is extremely convenient for multi-account operations.
Differences in Session Renewal
With an IAM + MFA configuration, behavior differs when a session expires.
| Operation | aws-vault | Granted |
|---|---|---|
| Re-authentication flow | exit subshell → run exec again → enter MFA |
Re-run assume → enter MFA |
| Shell context | Lost (new subshell) | Maintained (same shell) |
| SSO re-authentication | Manual | Automatically opens browser with --auto-login |
Note: Entering an MFA token cannot be skipped with either tool. The difference is whether the shell context is maintained during re-authentication.
About awsume
awsume is a Python-based tool that, like Granted, exports environment variables to the current shell. It has excellent features such as automatic refresh via autoawsume and a plugin system, but for the following reasons this article recommends the two options of aws-vault and Granted:
- Credentials are stored in plain text in
~/.aws/credentials(no Keychain integration) - Python dependency (requires runtime installation and version management)
- Slower CLI startup compared to Go binaries
Which Should You Choose?
Cases Where aws-vault Is a Good Fit
- Simple IAM + MFA configuration managing a small number of accounts
- Your team is already using aws-vault (want to avoid switching costs)
- You prefer a single binary with minimal dependencies
Cases Where Granted Is a Good Fit
- Multi-account operations across multiple projects × multiple environments (stg/prod)
- Using AWS SSO / IAM Identity Center (or planning to migrate)
- Development workflows with frequent account switching
- Want to have multiple AWS account consoles open simultaneously
Regarding Migration
Migrating from aws-vault to Granted is relatively straightforward. The ~/.aws/config settings can be shared as-is, and credentials can be migrated with granted credentials import. It is also possible to have both installed at the same time.
Summary
Both aws-vault and Granted are excellent tools that securely store AWS credentials in the Keychain and allow operation with temporary credentials.
- Security is equivalent: Both use Keychain encryption + STS temporary authentication
- Differences emerge in daily workflow: Subshell approach (aws-vault) vs. environment variable export approach (Granted)
- Granted wins for multi-account use: Ease of account switching, fuzzy search, and simultaneous multi-console login are convenient
If you are setting things up from scratch, Granted is recommended, especially in multi-account environments. If you are already using aws-vault with a single account, there is no pressing need to migrate.
