Skip to content

Latest commit



142 lines (100 loc) · 4.94 KB

File metadata and controls

142 lines (100 loc) · 4.94 KB



aws-pass is a password manager built in Rust and ontop of AWS SecretsManager. It is heavily inspired by the Linux tool pass.

NOTE: Setting this tool up requires an AWS IAM User's credentials to be saved locally in a way similar to how you store your usual AWS credentials. Please make sure these additional credentials have the minimum required access (only access to SecretsManager under MFA).

Quick Start


To install aws-pass you can download this source repository and build it via

cargo build

The built executable will be located in target/release/aws-pass.


aws-pass requires some minor setup. You will need an AWS Account that includes an MFA-enabled IAM User for which you have credentials (to be provided to aws-pass in initialization) with the following policy attached.

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
            "Resource": "*",
            "Condition": {
                "NumericLessThanEquals": {
                    "aws:MultiFactorAuthAge": "30"
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "true"


aws-pass has seven commands: init, list, show, insert, edit, generate, and remove. Each of these commands will ask for an MFA token code.


aws-pass init

The init command should be run only once and with your MFA-enabled IAM User credentials and MFA token serial handy. The init command will ask for the AWS Access Key Id and AWS Secret Key and save them to $PASSWORD_STORE_DIR/.credentials. $PASSWORD_STORE_DIR is $HOME/.aws-pass by default.

The credentials stored in this credentials file will be used for making calls to AWS SecretsManager under MFA.


aws-pass list [--prefix <prefix>]

The list command lists the passwords in your store, optionally filtering by the provided prefix.


aws-pass show --name <name>

The show command prints the password's value to stdout for the provided password name.


aws-pass insert --name <name>

The insert command inserts as password into the store under the provided name and with a value collected from stdin. Collecting the value from stdin ensures that the password is not saved to command history.


aws-pass edit --name <name>

The edit command edits the value of the password for the given name. Editing the password takes place in the editor specified by $EDITOR by opening a temporary file that is deleted once closed (this functionality provided by the edit crate).


aws-pass generate \
  [--exclude-chars <exclude-chars>] \
  [--length <length] \
  --name <name>

The generate command generates and inserts a password into the store with the provided name. Optionally allows characters to be excluded when generating and optionally allows specifying the generated value length.


aws-pass remove --name <name>

The remove command removes the password for the provided name from the store.


The following is a list of improvements for the tool for which I welcome help implementing.

  • Hide the password as it's being entered into stdin. Ask for it twice to confirm the value.
  • Allow copying a password's value to the clipboard without showing it on stdout. Auto-clearing the clipboard after 30 seconds.
  • Adding an interactive session so that re-entering an MFA token is not required between commands.

About and Motivation

I wrote aws-pass because I was tired of attempting to use the Linux tool pass on multiple different computers and needing to export and import my gpg key. With aws-pass, I'm able to access my passwords from anywhere as long as I have my MFA token.

Additionally, I used this project in order to learn Rust which I am still very much a novice at writing. If you are a more seasoned Rustacean, please feel free to make suggestions on how to improve the code.

Crab On! 🦀