Keep long-term AWS access keys out of ~/.aws/credentials (plaintext on disk) by storing them in your desktop keyring via libsecret, and letting the AWS CLI/SDKs fetch them on demand with credential_process.
Works with anything that uses the standard AWS credential chain: aws CLI, boto3, Go/JS/Rust SDKs, Terraform, Pulumi, etc.
libsecretand its CLI (secret-tool) — packagelibsecreton Arch,libsecret-toolson Debian/Ubuntu.- A running Secret Service keyring (GNOME Keyring, KWallet ≥ 5.97, or KeePassXC with Secret Service integration), unlocked with your session.