Cloud credentials that can't be stolen.
credctl uses your laptop's Secure Enclave to create hardware-bound
device identities that replace long-lived cloud access keys with short-lived
credentials. No plaintext keys on disk. Ever.
brew install matzhouse/tap/credctl
How it works
Create device identity
credctl init generates an ECDSA P-256 key pair in your Mac's
Secure Enclave. The private key never leaves the hardware.
Set up your cloud
credctl setup aws deploys the OIDC federation infrastructure (a CloudFormation
stack) with a single command. AWS is configured to trust tokens signed by your device's key.
Authenticate
credctl auth signs a JWT with the hardware key and exchanges it with AWS STS
for short-lived credentials. Touch ID confirms each signing, so every credential
issuance needs you at the keyboard.
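To make the auth step concrete, here is an added example in Go (not credctl's own code) that builds an ES256 web-identity token, signs it with a P-256 key, and then applies the checks STS performs before it issues credentials: the signature against the device's public key, the issuer, the audience, a pinned subject, and expiry. The issuer, audience and subject values are made up, a software key stands in for the Secure Enclave, and the exact claim names credctl emits are an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the web-identity token body (standard OIDC claim names; that credctl emits exactly these is an assumption).
type Claims struct {
	Iss string `json:"iss"` // registered OIDC provider URL
	Sub string `json:"sub"` // device identity, e.g. a key fingerprint
	Aud string `json:"aud"` // client ID the IAM role trust policy expects
	Exp int64  `json:"exp"`
}

// TrustPolicy mirrors the StringEquals conditions an IAM role trust policy can
// put on the token; pinning Subject ties the role to one device.
type TrustPolicy struct {
	Issuer, Audience, Subject string // Subject == "" accepts any device from Issuer
}

// jwtHeader is the exact JOSE header the signer emits and the verifier demands.
var jwtHeader, _ = json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignES256 signs SHA-256(header.payload) with ECDSA P-256. credctl does this
// inside the Secure Enclave; a software key stands in here (offline example).
func SignES256(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(jwtHeader) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw r||s, 32 bytes each, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// VerifyES256 replays what STS does for AssumeRoleWithWebIdentity: verify the
// signature with the issuer's public key, then enforce trust policy and expiry.
func VerifyES256(pub *ecdsa.PublicKey, token string, tp TrustPolicy, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != b64(jwtHeader) { // exact header: no alg=none, no key confusion
		return c, errors.New("malformed token or unexpected header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return c, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return c, errors.New("signature does not verify against the device public key")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return c, errors.New("bad payload")
	}
	switch {
	case c.Iss != tp.Issuer:
		return c, errors.New("issuer is not the registered OIDC provider")
	case c.Aud != tp.Audience:
		return c, errors.New("audience does not match the role trust policy")
	case tp.Subject != "" && c.Sub != tp.Subject:
		return c, errors.New("subject is not the pinned device")
	case !now.Before(time.Unix(c.Exp, 0)):
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the enclave key
	now := time.Now()
	c := Claims{Iss: "https://oidc.example.invalid/credctl", Sub: "device-fp-EXAMPLE", // hypothetical
		Aud: "sts.amazonaws.com", Exp: now.Add(5 * time.Minute).Unix()}
	tok, _ := SignES256(priv, c)
	tp := TrustPolicy{Issuer: c.Iss, Audience: c.Aud, Subject: c.Sub}
	_, err := VerifyES256(&priv.PublicKey, tok, tp, now)
	fmt.Println("fresh token accepted:", err == nil)
	_, err = VerifyES256(&priv.PublicKey, tok, tp, now.Add(time.Hour))
	fmt.Println("same token an hour later:", err)
}
```

The Subject pin is the check worth carrying into the real IAM role trust policy: a StringEquals condition on the provider's `:sub` key, alongside `:aud`, means a role trusts one registered device rather than anything the issuer ever signs. The signing side is the only piece that needs the Secure Enclave; everything in VerifyES256 runs on AWS's side, with the public key credctl publishes for the provider.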
Why credctl
Hardware-bound
Credentials are bound to your device's Secure Enclave. The private key is non-exportable: it cannot be copied, stolen, or extracted, and the only thing that ever leaves the enclave is a signature, released after Touch ID. The hour-long STS session that comes back is an ordinary bearer credential, so keep it in the shell that needs it rather than writing it to disk.
Short-lived
Every credential issuance requires a fresh hardware-signed JWT, and the AWS
credentials it yields expire after one hour. No more long-lived access keys sitting
in ~/.aws/credentials.
Zero infrastructure
No servers to run, no agents to deploy, no SaaS to subscribe to. A single CLI binary that talks directly to AWS STS; the only cloud-side state is the CloudFormation stack that setup creates once.
See it in action
# Create a hardware-bound device identity
$ credctl init
Generating Secure Enclave key pair...
✓ Device identity created (Secure Enclave)
Fingerprint: SHA256:aBcDeFg...
Public key: ~/.credctl/device.pub
# Deploy AWS OIDC federation (one-time setup)
$ credctl setup aws --policy-arn arn:aws:iam::123456789012:policy/MyDevPolicy
Deploying CloudFormation stack 'credctl-infra' in us-east-1...
✓ AWS setup complete.
# Get short-lived credentials (Touch ID required)
$ credctl auth --format env
export AWS_ACCESS_KEY_ID=ASIAI...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
# Use AWS normally
$ eval $(credctl auth --format env)
$ aws sts get-caller-identity
{
  "Account": "123456789012",
  "Arn": "arn:aws:sts::123456789012:assumed-role/credctl-device-role/credctl-aBcDeFg1"
}