A simple tool to help you manage multiple AWS profiles, with SSO support and easy account access.
🦀 — There's also Python implementation.
However, this version might not receive updates or new features.
- 🔐 SSO integration: Full support for AWS SSO authentication
- 🚀 Easy profile access: Use any configured profile with a single command
- 🐚 Sub-shell isolation: Each profile runs in its own sub-shell with proper credential isolation
- 📝 Custom aliases: Use friendly names for your AWS profiles
- 🔍 Profile management: Easily list, add, and remove profiles
- 🚫 No stored credentials: No AWS credentials are stored anywhere - uses AWS SSO tokens
- 🎨 Shell integration: Shows current profile in your shell prompt
- ⚡ Auto-refresh: Automatically handles SSO token refresh when needed
- No credential storage:
Keenever stores AWS access keys or secrets - SSO token management: Uses AWS CLI's built-in SSO token caching
- Sub-shell isolation: Each profile's session is isolated in its own shell
- Automatic cleanup: Environment variables are cleared when exiting sub-shells
- 🚀 Performance: Compiled binary, faster startup times
- ⛑️ Memory safety: No runtime errors, guaranteed memory safety
- 🌍 Cross-platform: Single binary works across platforms
- 👌 Zero dependencies: No Python runtime required
- ⚡️ Concurrent: Built-in concurrency support for future enhancements
- Rust 1.80+ (install from rustup.rs) (On Mac with brew:
brew install rust) - AWS CLI v2 installed and configured
- Configured AWS SSO account access
cargo install keeClone this repository:
git clone https://github.com/keecli/kee.rs.git ~/.keeOption 1: Automated (recommended)
cd ~/.kee
./install.shThis script will build an optimized
Keebinary, install it (in~/.cargo/bin), and add the folder to yourPATH. It will also install Kee's auto completions.
Option 2: Manual
cd ~/.kee
# Install the binary
cargo install --path .
# Add Cargo's bin directory to your PATH
echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.zshrc # For zsh (macOS default)
# OR
echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc # For bash
# Reload your shell configuration
source ~/.zshrc # or ~/.bashrcOption 3: Direct copy
cd ~/.kee
# Build and copy to a directory already in PATH
cargo build --release
cp target/release/kee ~/.local/bin/ # Make sure ~/.local/bin is in your PATHkee add mycompany.devThis will:
- Run
aws configure sso --profile company.dev - Prompt you for your SSO configuration (start URL, region, etc.)
- Open your browser for SSO authentication
- Let you select your AWS account and role interactively
- Automatically save the configuration to
Kee
Tip: A session can be liked to multiple profiles. When prompted for a 'session name', use something generic, like your company name.
kee use mycompany.devThis will:
- Check if SSO credentials are valid
- Automatically run
aws sso loginif needed - Start a sub-shell with AWS credentials configured
- Update your shell prompt to show the active profile
Inside the sub-shell, all AWS CLI commands will use the selected profile's credentials:
aws:mycompany.dev $ aws s3 ls
aws:mycompany.dev $ aws ec2 describe-instances
aws:mycompany.dev $ exit # Terminate the session and return to your main shellkee add PROFILE_NAMEInteractively configure a new AWS profile with SSO settings.
kee use PROFILE_NAMEUse a profile and start a sub-shell with its AWS credentials.
kee lsShow a quick overview of all configured profiles.
kee currentDisplay which profile is currently active (if any).
kee rm PROFILE_NAMERemoves a profile configuration from Kee and the AWS config file.
Keestores its configuration in~/.kee/config.json- AWS profiles are created in
~/.aws/config, following the AWS config pattern - No AWS credentials are stored - only SSO configuration
When you use a profile, Kee:
- Validates SSO credentials (refreshes if needed)
- Updates shell prompt to show current profile
- Starts a new shell session
- Cleans up when you exit
When you run kee use, your session is validated automatically. If your SSO access token has expired, Kee will attempt a silent refresh using the cached refresh token — no browser required. If the refresh token is also expired or unavailable, it falls back to the full aws sso login flow.
⠹ Validating session...
[!] Your session has expired. Refreshing...
⠼ Refreshing token...
[✓] Session refreshed.
Kee also prevents you from starting a sub-shell while already in one:
aws:mycompany.dev $ kee use mycompany.prod
You are using a Kee profile: mycompany.dev
Exit the current session first by typing 'exit'Your shell prompt will show the active profile:
(mycompany.dev) user@hostname:When you're using a Kee profile, the following environment variables are set:
AWS_PROFILE- The AWS profile name (e.g.,mycompany.dev)KEE_CURRENT_PROFILE- The currentKeeprofile name (e.g.,mycompany.dev)KEE_ACTIVE_PROFILE- Set to1to indicate an activeKeeprofilePS1- Updated to show the current profile in your prompt (Unix-like systems only)
These variables help Kee manage sessions and prevent nested sub-shells.
{
"profiles": {
"mycompany-prod": {
"profile_name": "mycompany.dev",
"sso_start_url": "https://mycompany.awsapps.com/start",
"sso_region": "ap-southeast-2",
"sso_account_id": "123456789012",
"sso_role_name": "AdministratorAccess",
"session_name": "mycompany"
}
},
"current_account": null
}[profile mycompany.dev]
sso_role_name = AdministratorAccess
sso_session = mycompany
sso_account_id = 123456789098
output = json
[sso-session mycompany]
sso_region = ap-southeast-2
sso_start_url = https://mycompany.awsapps.com/start
sso_registration_scopes = sso:account:accessKee works on:
- macOS: Full support with shell prompt integration
- Linux: Full support with shell prompt integration
- Windows: Full support (prompt integration not available)
If SSO login fails:
# Manual SSO login
aws sso login --profile PROFILE_NAME
# Then try using again
kee use PROFILE_NAMEIf you get "profile not found" errors:
# Check AWS config
cat ~/.aws/config
# Re-add the profile if needed
kee rm PROFILE_NAME
kee add PROFILE_NAMEIf you get permission errors:
# Check AWS credentials
aws sts get-caller-identity --profile PROFILE_NAME
# Refresh SSO login
aws sso login --profile PROFILE_NAME- Async AWS API calls for faster credential validation
- Parallel profile operations for bulk management
- Built-in AWS SDK integration (no AWS CLI dependency)
- Configuration validation at compile time
- Plugin system with dynamic loading
- TUI interface with real-time updates
Binary distribution:
- Single executable file
- No runtime dependencies
- Easy deployment to servers
- Container-friendly
Package managers:
- Cargo:
cargo install kee(when published) - Homebrew:
brew install kee(when published) - Scoop:
scoop install kee(Windows, when published) - APT/YUM: Native packages possible (when published)
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests, if applicable
- Test your changes:
make test - Submit a pull request
There is a utilities script which will set up a
pre-commithook to run some basic checks on your code before you commit.
cd ~/.kee
./utilities/githooks.shWe use semantic versioning. Version bumps are handled with cargo-release.
cargo install cargo-releaseWhen your changes are ready:
cargo release patch # Bug fixes: 1.1.0 → 1.1.1
cargo release minor # New features: 1.1.0 → 1.2.0
cargo release major # Breaking changes: 1.0.0 → 2.0.0This updates Cargo.toml, commits, and tags in one step. Add --execute to apply (without it, it runs in dry-run mode).
MIT License - see LICENSE file for details.
RTFM, then RTFC... If you are still stuck or just need an additional feature, file an issue.