AWS

Credentials

Exactly one of the following must be configured:

Mode	Credential field	Description
SSO profile	`sso_creds`	Profile name from `~/.aws/config` after `aws sso login`
Static keys	`access_key_id` + `secret_access_key`	Long-lived IAM access keys

The Providers screen shows set when either sso_creds alone, or both access_key_id and secret_access_key, are present. If neither is configured the provider returns an error rather than falling back to ambient environment credentials.

SSO (recommended)

aws sso login --profile my-profile

Then enter my-profile as the sso_creds credential in the TUI. Any profile in ~/.aws/config containing sso_start_url or sso_session is auto-discovered as a candidate.

What is listed

KeyLedger lists two credential types per IAM user:

IAM access keys (AKIA…)

Listed via iam:ListUsers + iam:ListAccessKeys
Last-used date fetched via iam:GetAccessKeyLastUsed (includes service and region)

Service-specific credentials

Scoped to a single AWS service (Bedrock, CodeCommit, Keyspaces, etc.)
Listed via iam:ListServiceSpecificCredentials
No last-used date available

The scope shows AWSAccountID / IAMUser.

Configuration fields

Field	Default	Description
`profile`	(empty)	AWS profile name from `~/.aws/config`
`region`	`us-east-1`	AWS region
`enumerate_all_users`	`true`	List keys for all IAM users
`exclude_users`	(empty)	Comma-separated IAM user names to skip
`include_inactive_keys`	`true`	Include inactive/disabled access keys
`service_names`	`bedrock.amazonaws.com`	Services to list service-specific credentials for

Required IAM permissions

{
  "Effect": "Allow",
  "Action": [
    "iam:ListUsers",
    "iam:ListAccessKeys",
    "iam:GetAccessKeyLastUsed",
    "iam:ListServiceSpecificCredentials",
    "sts:GetCallerIdentity"
  ],
  "Resource": "*"
}

Key patterns

Pattern ID	Regex	Description
`aws-access-key-id`	`(?:A3T[A-Z0-9]\|AKIA\|ASIA\|ABIA\|ACCA)[A-Z0-9]{16}`	IAM access key ID