A simple tool to help you manage multiple AWS profiles, with SSO support and easy account access.
- 🔐 SSO integration: Full support for AWS SSO authentication
- 🚀 Easy profile access: Use any configured profile with a single command
- 🎯 Interactive picker: Run
kee usewith no arguments to pick a profile with fuzzy search - 🐚 Sub-shell isolation: Each profile runs in its own sub-shell with proper credential isolation
- ⚙️ One-shot commands: Run a single command with a profile's credentials via
kee runorkee aws - 🌐 Open the console:
kee consoleopens the AWS Management Console in your browser for the chosen profile - 📝 Custom aliases: Use friendly names for your AWS profiles
- 🔍 Profile management: Easily list, add, update, and remove profiles
- 🚫 No stored credentials: No AWS credentials are stored anywhere - uses AWS SSO tokens
- 🎨 Shell integration: Shows current profile in your shell prompt
- ⚡ Auto-refresh: Proactively refreshes tokens on every use and keeps sessions alive in the background
- 🚨 Production safety: Mark accounts as production to get a visible warning banner
- No credential storage:
Keenever stores AWS access keys or secrets - SSO token management: Uses AWS CLI's built-in SSO token caching
- Sub-shell isolation: Each profile's session is isolated in its own shell
- Automatic cleanup: Environment variables are cleared when exiting sub-shells
- 🚀 Performance: Compiled binary, faster startup times
- ⛑️ Memory safety: No runtime errors, guaranteed memory safety
- 🌍 Cross-platform: Single binary works across platforms
- ⚡️ Concurrent: Built-in concurrency support for future enhancements
- Rust 1.86+ (install from rustup.rs) (On Mac with brew:
brew install rust) - AWS CLI v2 installed and configured
- Configured AWS SSO account access
cargo install keeAfter install, set up shell completions in one command:
kee completions installThis auto-detects your shell (bash, zsh, or fish), drops the script in
the right place, and edits your shell config to load it. Restart your
terminal or source the relevant rc file to pick up completions.
Clone this repository:
git clone https://github.com/keecli/kee.rs.git ~/.keeOption 1: Automated (recommended)
cd ~/.kee
./install.shThis script will build an optimized
Keebinary, install it (in~/.cargo/bin), and add the folder to yourPATH. It will also install Kee's auto completions.
Option 2: Manual
cd ~/.kee
# Install the binary
cargo install --path .
# Add Cargo's bin directory to your PATH
echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.zshrc # For zsh (macOS default)
# OR
echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc # For bash
# Reload your shell configuration
source ~/.zshrc # or ~/.bashrcOption 3: Direct copy
cd ~/.kee
# Build and copy to a directory already in PATH
cargo build --release
cp target/release/kee ~/.local/bin/ # Make sure ~/.local/bin is in your PATHkee add mycompany.devThis will:
- Run
aws configure sso --profile mycompany.dev - Prompt you for your SSO configuration (start URL, region, etc.)
- Open your browser for SSO authentication
- Let you select your AWS account and role interactively
- Automatically save the configuration to
Kee
Tip: A session can be liked to multiple profiles. When prompted for a 'session name', use something generic, like your company name.
Pick interactively:
kee useOr jump straight to one by name:
kee use mycompany.devEither path will:
- Check if SSO credentials are valid
- Automatically run
aws sso loginif needed - Start a sub-shell with AWS credentials configured
- Update your shell prompt to show the active profile
Inside the sub-shell, all AWS CLI commands will use the selected profile's credentials:
aws:mycompany.dev $ aws s3 ls
aws:mycompany.dev $ aws ec2 describe-instances
aws:mycompany.dev $ exit # Terminate the session and return to your main shellThese flags work with any command:
-v,--verbose: Print diagnostic detail to stderr (AWS CLI errors, refresh outcomes, cache parsing issues). Useful when something silently fails.-V,--version: Print the installed version and exit.-h,--help: Show help. Works on subcommands too (e.g.,kee use --help).
keeWith no arguments, Kee shows the current active profile if you are inside a session, or prints help text otherwise.
kee add PROFILE_NAMEInteractively configure a new AWS profile with SSO settings. You'll be asked whether this is a production account — production profiles display a warning banner when active.
kee use # Pick interactively with fuzzy search
kee use PROFILE_NAME # Skip the pickerUse a profile and start a sub-shell with its AWS credentials. With no name, Kee opens a fuzzy picker over your configured profiles. Every kee use proactively refreshes the token to give you the maximum session window.
Use kee aws for AWS CLI commands (the common case):
kee aws PROFILE_NAME ARGS...kee aws mycompany.dev s3 ls
kee aws mycompany.dev sts get-caller-identityFor anything else, use kee run:
kee run PROFILE_NAME -- CMD ARGS...kee run mycompany.dev -- terraform plan
kee run mycompany.dev -- ./deploy.sh
kee run mycompany.dev -- aws s3 ls # works too, just longerBoth run a single command with the profile's credentials and exit. No sub-shell, no prompt change. The wrapped command's exit code is propagated. Kee's own status messages go to stderr so they don't pollute the wrapped command's stdout. Production profiles still print a warning banner to stderr.
The -- separator in kee run is recommended any time the wrapped command starts with a flag, so Kee doesn't try to interpret it.
kee console # Use the active session, or pick interactively
kee console PROFILE_NAME # Open the console for a specific profileFederates your temporary credentials with AWS and opens the console in your default browser, already signed in to the chosen account and role. No more flipping accounts in the console picker.
The destination region matches the profile's SSO region. You can navigate to other regions from inside the console as usual.
Requires AWS CLI v2.15+ (which provides aws configure export-credentials).
kee ls # Pretty list
kee ls --names # Just the profile names, one per line (handy for scripting)Show a quick overview of all configured profiles.
kee statusShow detailed status of all profiles: session health (active/expired), token expiry countdown, account ID, account alias, and role. Checks run in parallel so the output appears quickly even with many profiles.
kee currentDisplay which profile is currently active (if any).
kee set PROFILE_NAME --production # Mark as production
kee set PROFILE_NAME --no-production # Unmark as productionUpdate settings for an existing profile.
kee rm # Pick interactively
kee rm PROFILE_NAME # Skip the pickerRemoves a profile configuration from Kee and the AWS config file.
kee completions install # Install for the current shell (auto-detected)
kee completions install --shell zsh # Install for a specific shell
kee completions uninstall # Remove for the current shell
kee completions print zsh # Print the script to stdout (no install)Install drops the completion script in the right place and edits your shell config to load it. Supported: bash, zsh, fish. For powershell and elvish, use print and follow your shell's documentation. Edits are idempotent: re-running install is safe.
Keestores its configuration in~/.kee/config.json- AWS profiles are created in
~/.aws/config, following the AWS config pattern - No AWS credentials are stored - only SSO configuration
When you use a profile, Kee:
- Validates SSO credentials (refreshes if needed)
- Updates shell prompt to show current profile
- Starts a new shell session
- Cleans up when you exit
When you run kee use, your session is refreshed proactively — every invocation gives you the maximum session window regardless of how much time was left.
While the sub-shell is active, a background process monitors the token's expiry and refreshes it automatically before it lapses. This means your session stays alive indefinitely as long as the sub-shell is open (limited only by the refresh token registration, typically ~3 months).
If the refresh token is expired or unavailable, Kee falls back to the full aws sso login flow.
⠹ Refreshing session...
[✓] Session refreshed.
Profile: mycompany.dev
Kee is starting a sub-shell...
Type exit to return to your main shell.
Kee also prevents you from starting a sub-shell while already in one:
aws:mycompany.dev $ kee use mycompany.prod
You are using a Kee profile: mycompany.dev
Exit the current session first by typing 'exit'Your shell prompt will show the active profile:
(mycompany.dev) user@hostname:Profiles marked as production display a bold red warning when you enter the sub-shell:
⚠️ PRODUCTION ACCOUNT
Profile: mycompany.prod
Kee is starting a sub-shell...
Type exit to return to your main shell.
Mark a profile as production during kee add or at any time with kee set PROFILE_NAME --production.
When you're using a Kee profile, the following environment variables are set:
AWS_PROFILE- The AWS profile name (e.g.,mycompany.dev)KEE_CURRENT_PROFILE- The currentKeeprofile name (e.g.,mycompany.dev)KEE_ACTIVE_PROFILE- Set to1to indicate an activeKeeprofilePS1- Updated to show the current profile in your prompt (Unix-like systems only)
These variables help Kee manage sessions and prevent nested sub-shells.
{
"profiles": {
"mycompany-prod": {
"profile_name": "mycompany.prod",
"sso_start_url": "https://mycompany.awsapps.com/start",
"sso_region": "ap-southeast-2",
"sso_account_id": "123456789012",
"sso_role_name": "AdministratorAccess",
"session_name": "mycompany",
"production": true
}
},
"current_profile": null
}[profile mycompany.dev]
sso_role_name = AdministratorAccess
sso_session = mycompany
sso_account_id = 123456789098
output = json
[sso-session mycompany]
sso_region = ap-southeast-2
sso_start_url = https://mycompany.awsapps.com/start
sso_registration_scopes = sso:account:accessKee works on:
- macOS: Full support with shell prompt integration
- Linux: Full support with shell prompt integration
- Windows: Full support (prompt integration not available)
If SSO login fails:
# Manual SSO login
aws sso login --profile PROFILE_NAME
# Then try using again
kee use PROFILE_NAMEIf you get "profile not found" errors:
# Check AWS config
cat ~/.aws/config
# Re-add the profile if needed
kee rm PROFILE_NAME
kee add PROFILE_NAMEIf you get permission errors:
# Check AWS credentials
aws sts get-caller-identity --profile PROFILE_NAME
# Refresh SSO login
aws sso login --profile PROFILE_NAME- Built-in AWS SDK integration (no AWS CLI dependency)
- Plugin system with dynamic loading
Package managers:
- Cargo:
cargo install kee - Homebrew:
brew install kee(planned) - Scoop:
scoop install kee(Windows, planned) - APT/YUM: Native packages possible (planned)
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests, if applicable
- Test your changes:
make test - Submit a pull request
There is a utilities script which will set up a
pre-commithook to run some basic checks on your code before you commit.
cd ~/.kee
./utilities/githooks.shCI runs cargo-llvm-cov on Linux and reports line coverage to Codecov. There is no hard threshold: it's a signal to track over time, not a gate.
To check locally:
cargo install cargo-llvm-cov
cargo llvm-cov --all-targetscargo-llvm-cov uses LLVM source-based coverage, which traces cleanly into binaries spawned by assert_cmd in tests/cli_tests.rs. We previously used cargo-tarpaulin, which relied on ptrace and was unstable for subprocess-heavy tests.
Coverage runs on Linux; macOS and Windows users can rely on CI for the report.
We use semantic versioning. Version bumps are handled with cargo-release.
cargo install cargo-releaseWhen your changes are ready:
cargo release patch # Bug fixes: 1.1.0 → 1.1.1
cargo release minor # New features: 1.1.0 → 1.2.0
cargo release major # Breaking changes: 1.0.0 → 2.0.0This updates Cargo.toml, commits, and tags in one step. Add --execute to apply (without it, it runs in dry-run mode).
MIT License - see LICENSE file for details.
RTFM, then RTFC... If you are still stuck or just need an additional feature, file an issue.