Infra Atlas · Toolbox

Auth & Identity.

Credentials left in ~/.aws/credentials in plaintext, SAML logins done by copy-pasting tokens from a browser, secrets committed to git — these are not hypothetical mistakes. This department is the short list of tools that eliminate each one. ★ marks what we install on every machine before touching a customer account.

aws-vault (replaces plaintext ~/.aws/credentials files)

Stores AWS IAM access keys in the OS keychain (macOS Keychain, Windows Credential Manager, Secret Service on Linux) — keys never touch disk in plaintext. Supports MFA prompts, role chaining, and multiple profiles. aws-vault exec profile -- aws s3 ls is the replacement for sourcing credentials into the environment.

CLI · Go · mature · SRE
99designs/aws-vault
granted (replaces aws sso login + profile juggling)

Multi-account AWS role switcher designed for IAM Identity Center (SSO) orgs. assume role-name picks up the profile and optionally opens a browser tab with a distinct background colour per account, so staging and production are visually distinct. More SSO-native than aws-vault; the two tools solve the same UX problem from different eras of AWS auth.

CLI · Go · emerging · SRE
common-fate/granted
saml2aws (replaces copy-pasting temporary creds out of the browser)

Log into AWS from any SAML 2.0 identity provider (Okta, Azure AD, Google Workspace, Ping, ADFS) and get STS credentials written to ~/.aws/credentials or exported to the environment. The missing CLI bridge for orgs that run SAML-based SSO but need aws CLI access without manual copy-paste from the console.

CLI · Go · mature · SRE
Versent/saml2aws
sops (replaces plaintext secrets in git / git-crypt)

Encrypts secrets files in place — YAML, JSON, .env, binary — while keeping the structure readable in diffs. Backends: AWS KMS, GCP KMS, Azure Key Vault, age, PGP. The canonical answer to "how do we store secrets in the same repo as config without exposing them." Works with Helm secrets, Flux, ArgoCD, and most GitOps stacks.

CLI · Go · mature · platform
getsops/sops
age (replaces GPG for file encryption)

Simple, modern file encryption: age -r <recipient> secret.txt > secret.age. No config files, no key servers, no web of trust. Uses X25519 keys, SSH keys, or a passphrase. Used as sops' most ergonomic key backend — if you're setting up sops for the first time, age is the right choice unless you specifically need KMS.

CLI · Go · mature · dev
FiloSottile/age
chamber (replaces aws ssm get-parameter scripts)

Read/write/exec against AWS SSM Parameter Store. chamber exec service -- ./myapp injects all parameters under /service/ as environment variables. The lightweight alternative to HashiCorp Vault for teams already on AWS that want secrets injection without running extra infrastructure.

CLI · Go · mature · platform
segmentio/chamber
* All six tools are OSS and credential-free from the Toolbox's perspective — you bring your own KMS keys or keychain. The credentials category covers tools that handle AWS access keys or SAML tokens; the secrets category covers tools that encrypt or inject arbitrary secret values. The two overlap (sops uses KMS, chamber reads SSM) but the mental model is different. Open a PR if there is something obvious we missed.