Credentials - baeziy/AWSault GitHub Wiki
# Credentials
AWSault uses the standard boto3 credential chain. It does not store, modify, or exfiltrate credentials.
## Credential resolution order
When you run AWSault, it looks for credentials in this order (same as the AWS CLI and any boto3-based tool):
| Priority | Source | How to set |
|---|---|---|
| 1 | `--profile` flag | `awsault --profile myprofile` |
| 2 | Environment variables | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN` |
| 3 | Default profile | `~/.aws/credentials` `[default]` section |
| 4 | AWS config file | `~/.aws/config` |
| 5 | Instance metadata | EC2/ECS instance roles (automatic) |
If you pass `--profile`, AWSault loads that specific profile from `~/.aws/credentials`. Otherwise, it walks the chain above until it finds working credentials.
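The walk described above, written out as an added teaching example (this is not AWSault's or boto3's own code). The file paths, the environment mapping and the instance-metadata probe are parameters so it runs offline; the `build_sample_aws_dir` helper writes constructed files using the wiki's EXAMPLE keys, and the `cfgonly` profile and all `ASIA...EXAMPLE` values are made up for the demo. Only the access key id is ever returned, so a caller can log which source won without handling the secret.

```python
"""Credential-chain walk in the order the table above gives (added example)."""
import configparser
import os
import tempfile
from pathlib import Path
from typing import Callable, Mapping, Optional, Tuple

CRED_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def _read_ini(path: Optional[Path]) -> configparser.ConfigParser:
    """Parse an AWS-style INI file; a missing file yields an empty parser."""
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    if path is not None:
        parser.read(path)
    return parser


def _key_id_in(parser: configparser.ConfigParser, section: str) -> Optional[str]:
    """Return the access key id if `section` holds a complete key pair, else None."""
    if parser.has_section(section) and all(parser.has_option(section, k) for k in CRED_KEYS):
        return parser.get(section, "aws_access_key_id")
    return None


def resolve_credentials(
    profile: Optional[str] = None,
    env: Optional[Mapping[str, str]] = None,
    credentials_file: Optional[Path] = Path(os.path.expanduser("~/.aws/credentials")),
    config_file: Optional[Path] = Path(os.path.expanduser("~/.aws/config")),
    imds_probe: Optional[Callable[[], Optional[str]]] = None,
) -> Tuple[str, str]:
    """Return (source, access_key_id) for the first source holding a key pair."""
    env = os.environ if env is None else env
    creds = _read_ini(credentials_file)
    config = _read_ini(config_file)

    # 1. --profile: that profile only, no fallthrough to the other sources.
    if profile:
        # The config file names non-default profiles "[profile NAME]";
        # the credentials file uses the bare "[NAME]".
        key = _key_id_in(creds, profile) or _key_id_in(config, f"profile {profile}")
        if key is None:
            raise LookupError(f"profile {profile!r} has no key pair in either file")
        return ("profile", key)

    # 2. Environment variables (AWS_SESSION_TOKEN is optional).
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return ("env", env["AWS_ACCESS_KEY_ID"])

    # 3. [default] in ~/.aws/credentials.
    key = _key_id_in(creds, "default")
    if key:
        return ("shared-credentials-file", key)

    # 4. [default] in ~/.aws/config (the default profile carries no "profile " prefix).
    key = _key_id_in(config, "default")
    if key:
        return ("config-file", key)

    # 5. Instance metadata: the probe is injected; None means "do not try".
    if imds_probe is not None:
        key = imds_probe()
        if key:
            return ("instance-metadata", key)

    raise LookupError("no credentials found in any source")


def build_sample_aws_dir() -> Path:
    """Write constructed credentials/config files (wiki EXAMPLE keys) to a temp dir."""
    aws_dir = Path(tempfile.mkdtemp(prefix="awsault-demo-"))
    (aws_dir / "credentials").write_text(
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "[staging]\n"
        "aws_access_key_id = AKIAI44QH8DHBEXAMPLE\n"
        "aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY\n"
    )
    (aws_dir / "config").write_text(
        "[profile staging]\nregion = eu-west-1\n"
        "[profile cfgonly]\n"  # constructed: a profile that lives only in config
        "aws_access_key_id = AKIACONFIGONLYEXAMPLE\n"
        "aws_secret_access_key = constructed/secret/EXAMPLEKEY\n"
    )
    return aws_dir


if __name__ == "__main__":
    d = build_sample_aws_dir()
    files = {"credentials_file": d / "credentials", "config_file": d / "config"}
    print(resolve_credentials(profile="staging", env={}, **files))
    print(resolve_credentials(env={"AWS_ACCESS_KEY_ID": "ASIAENVEXAMPLE", "AWS_SECRET_ACCESS_KEY": "x"}, **files))
    print(resolve_credentials(env={}, **files))
```

Running it shows the `--profile` case ignoring the environment entirely, and the environment beating `[default]` when no profile is given.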
## Setting up credentials
### Environment variables
```bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=FwoGZXIvY... # optional, for temporary credentials
awsault --godeep
```
### AWS credentials file
```ini
# ~/.aws/credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[staging]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
[prod]
aws_access_key_id = AKIAYRFTO5DKEXAMPLE
aws_secret_access_key = 2v8v8v8v/ExAmPlEkEy/Example12345678
```
```bash
awsault --profile staging
```
### Temporary credentials (STS)
If you have temporary credentials from `aws sts assume-role` or similar:
```bash
export AWS_ACCESS_KEY_ID=ASIAXXX...
export AWS_SECRET_ACCESS_KEY=xxx...
export AWS_SESSION_TOKEN=FwoGZXIvY...
awsault --godeep
```
### Instance roles
If running on an EC2 instance or ECS container with an attached IAM role, AWSault picks up the instance metadata automatically. No configuration needed:
```bash
awsault --godeep
```
## Credential validation
Before scanning, AWSault calls `sts:GetCallerIdentity` to validate the credentials. This API call:
- Works with any valid AWS credentials (it cannot be denied by IAM policy)
- Returns the Account ID, ARN, and User ID of the caller
- Confirms the credentials are active and not expired
If validation fails, AWSault prints what it tried and why it failed, then exits.
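A pre-flight check in the spirit of the one described above, as an added example that is not AWSault's own code. The STS client is a parameter: in real use pass `boto3.client("sts")`; the `FakeSts` class below is a constructed stand-in so the example runs offline. The error-code-to-hint table is an assumption about which STS failures are worth explaining, not something the wiki lists.

```python
"""GetCallerIdentity pre-flight check with actionable failure messages (added example)."""
from dataclasses import dataclass
from typing import Any, Dict, Optional


@dataclass(frozen=True)
class CallerIdentity:
    account: str
    arn: str
    user_id: str


# Assumed mapping of common STS/botocore failures to what the user can do about them.
_HINTS = {
    "ExpiredToken": "temporary credentials have expired; obtain a fresh session",
    "InvalidClientTokenId": "the access key id is not recognised (deleted key, wrong partition or a typo)",
    "SignatureDoesNotMatch": "the secret key does not match the access key id",
    "NoCredentialsError": "no credentials were found in any source of the chain",
}


def validate_credentials(sts_client: Any) -> CallerIdentity:
    """Call GetCallerIdentity; on failure exit with the error code and a hint."""
    try:
        resp = sts_client.get_caller_identity()
    except Exception as exc:
        # botocore's ClientError carries the service error code in .response;
        # other botocore exceptions (e.g. NoCredentialsError) are keyed by class name.
        response: Dict[str, Any] = getattr(exc, "response", None) or {}
        code = response.get("Error", {}).get("Code") or type(exc).__name__
        hint = _HINTS.get(code, str(exc))
        raise SystemExit(f"credential validation failed: {code}: {hint}") from exc
    return CallerIdentity(account=resp["Account"], arn=resp["Arn"], user_id=resp["UserId"])


class FakeSts:
    """Constructed stand-in for boto3's STS client (no network)."""

    def __init__(self, identity: Optional[Dict[str, str]] = None, error_code: Optional[str] = None):
        self._identity, self._error_code = identity, error_code

    def get_caller_identity(self) -> Dict[str, str]:
        if self._error_code:
            err = Exception(f"An error occurred ({self._error_code}) when calling GetCallerIdentity")
            err.response = {"Error": {"Code": self._error_code}}  # shaped like ClientError.response
            raise err
        return dict(self._identity or {})


if __name__ == "__main__":
    good = FakeSts({"Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/scanner",
                    "UserId": "AIDAEXAMPLEUSERID"})  # constructed identity
    print(validate_credentials(good))
    validate_credentials(FakeSts(error_code="ExpiredToken"))  # prints the reason and exits non-zero
```

Raising `SystemExit` with a message is what makes the tool print why it failed and stop before any scan API call is made.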
## Region handling
| Scenario | Region used |
|---|---|
| `--region us-west-2` | Uses us-west-2 |
| Profile has region set | Uses profile's region |
| Neither specified | Falls back to us-east-1 |
| `--all-regions` | Queries EC2 for all enabled regions and sweeps each one |
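The precedence in the table, as an added example that is not AWSault's own code. It also shows the `[profile NAME]` section naming that `~/.aws/config` uses for non-default profiles, which trips people up when a profile's region is "not found". The config path and the EC2 client are parameters; in real use the client is `boto3.client("ec2")`, and `FakeEc2` here is a constructed stand-in that answers `describe_regions()` offline.

```python
"""Region selection following the rules in the table above (added example)."""
import configparser
import os
import tempfile
from pathlib import Path
from typing import Any, List, Optional

DEFAULT_REGION = "us-east-1"


def profile_region(profile: Optional[str], config_file: Path) -> Optional[str]:
    """Region from ~/.aws/config, honouring the "[profile NAME]" section naming."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(config_file)  # a missing file simply yields no sections
    section = "default" if profile in (None, "default") else f"profile {profile}"
    return parser.get(section, "region", fallback=None)


def resolve_regions(
    region_flag: Optional[str] = None,
    all_regions: bool = False,
    profile: Optional[str] = None,
    config_file: Path = Path(os.path.expanduser("~/.aws/config")),
    ec2_client: Any = None,
) -> List[str]:
    """Return the list of regions a scan should cover."""
    if all_regions:
        if ec2_client is None:
            raise ValueError("--all-regions needs an EC2 client to enumerate regions")
        # describe_regions() without AllRegions=True returns only the regions
        # enabled for this account, which is exactly what a sweep should cover.
        return sorted(r["RegionName"] for r in ec2_client.describe_regions()["Regions"])
    # Precedence: --region flag, then the profile's region, then us-east-1.
    return [region_flag or profile_region(profile, config_file) or DEFAULT_REGION]


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client (no network)."""

    def __init__(self, enabled: List[str]):
        self._enabled = enabled

    def describe_regions(self, **kwargs):
        return {"Regions": [{"RegionName": name} for name in self._enabled]}


def write_sample_config() -> Path:
    """Constructed ~/.aws/config where only the staging profile sets a region."""
    path = Path(tempfile.mkdtemp(prefix="awsault-demo-")) / "config"
    path.write_text("[default]\noutput = json\n[profile staging]\nregion = eu-west-1\n")
    return path


if __name__ == "__main__":
    cfg = write_sample_config()
    print(resolve_regions(region_flag="us-west-2", profile="staging", config_file=cfg))
    print(resolve_regions(profile="staging", config_file=cfg))
    print(resolve_regions(config_file=cfg))
    print(resolve_regions(all_regions=True, ec2_client=FakeEc2(["us-east-1", "eu-west-1"])))
```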
## Security notes
- AWSault never writes credentials to disk
- All API calls are read-only except `secretsmanager:GetSecretValue` and `ssm:GetParameter` in `--godeep` mode, which read (not modify) secret values
- Scan results saved to `~/.awsault/last_scan.json` may contain sensitive data (secret values, policy documents). Protect this file accordingly
- AWSault does not phone home or make any non-AWS network requests
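One concrete way to act on the "protect this file accordingly" note, as an added example that is not AWSault's own code: report whether the scan output is readable by anyone other than its owner and tighten it to owner-only. The path is a parameter so the demo runs against a constructed file (`write_sample_scan`); in real use pass `~/.awsault/last_scan.json`. POSIX mode bits are assumed, so the checks are meaningless on Windows.

```python
"""Exposure check and lock-down for the scan output file (added example)."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import List


def scan_file_findings(path: Path) -> List[str]:
    """Return human-readable exposure problems for `path` (empty list means fine)."""
    findings: List[str] = []
    if path.is_symlink():
        findings.append("path is a symlink; results may be written somewhere unexpected")
    if not path.exists():
        return findings + ["file does not exist"]
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & stat.S_IRWXG:
        findings.append(f"group has access to the file (mode {mode:04o})")
    if mode & stat.S_IRWXO:
        findings.append(f"other users have access to the file (mode {mode:04o})")
    # A tight file mode is undone by a directory that lets others list or traverse it.
    parent_mode = stat.S_IMODE(path.parent.stat().st_mode)
    if parent_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"parent directory is accessible to group/others (mode {parent_mode:04o})")
    return findings


def lock_down(path: Path) -> int:
    """Restrict the file and its directory to the owner; return the resulting file mode."""
    path.parent.chmod(0o700)
    path.chmod(0o600)
    return stat.S_IMODE(path.stat().st_mode)


def write_sample_scan(mode: int = 0o644) -> Path:
    """Constructed stand-in for last_scan.json, deliberately left group/world readable."""
    path = Path(tempfile.mkdtemp(prefix="awsault-demo-")) / "last_scan.json"
    path.write_text(json.dumps({"note": "constructed sample, not real scan output"}))
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = write_sample_scan()
    for finding in scan_file_findings(sample):
        print("before:", finding)
    print("mode after lock_down: %04o" % lock_down(sample))
    print("after:", scan_file_findings(sample) or "no findings")
```

The directory check matters because `0600` on the file alone does not stop another local user from learning that a scan ran and when, if the directory itself is world-listable.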
## Listing available profiles
To see what profiles are available:
```bash
aws configure list-profiles
# or look at
cat ~/.aws/credentials
```