Cloud credentials that can't be stolen.
credctl uses your laptop's Secure Enclave to create hardware-bound
device identities that replace long-lived cloud access keys with short-lived
credentials. No plaintext keys on disk. Ever.
brew install credctl/tap/credctl

How it works
Create device identity
credctl init generates an ECDSA P-256 key pair in your Mac's
Secure Enclave. The private key never leaves the hardware.
Set up your cloud
credctl setup aws or credctl setup gcp deploys the OIDC federation configuration
with a single command, so your cloud account trusts JWTs signed by your device key. The device itself becomes the identity provider; there is no separate IdP to run.
Authenticate
credctl auth signs a JWT with the hardware key and exchanges it
for short-lived cloud credentials (STS session credentials on AWS). Touch ID confirms every signing request, so nothing on the machine can mint credentials without you present.
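To make the three steps concrete, here is an added example that is not credctl's own code (the page does not show credctl's claim layout, its issuer or audience values, or exactly what setup provisions, so those are assumptions here, as are the role ARN, session name and key id). It signs an ES256 JWT the way step 3 describes, verifies it the way the cloud side must before issuing anything (algorithm pinned, audience and lifetime checked, signature checked against the registered public key), and builds the parameters of the STS AssumeRoleWithWebIdentity call whose response is the AccessKeyId/SecretAccessKey/SessionToken triple. The P-256 key is generated in software as a stand-in for the Secure Enclave.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Claims carried by the device JWT; aud must match the cloud-side trust policy (assumed: sts.amazonaws.com).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// NewDeviceKey is a software stand-in for the Secure Enclave key: same curve, but the
// private scalar sits in process memory, which is exactly what the real tool avoids.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT builds an ES256 token. Only the 32-byte digest reaches the signer, which is
// the single operation that would be handed to the enclave (behind a Touch ID prompt).
func SignJWT(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(c) // plain struct of strings and ints: cannot fail
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JOSE wants fixed-width R||S for P-256, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// VerifyJWT is the relying party's side: pin the algorithm, check audience and
// lifetime, then check the signature against the registered device public key.
func VerifyJWT(pub *ecdsa.PublicKey, token, wantAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" {
		return c, errors.New("unexpected alg") // rejects "none" and algorithm confusion
	}
	bodyRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(bodyRaw, &c) != nil {
		return c, errors.New("malformed claims")
	}
	if c.Aud != wantAud || now.Before(time.Unix(c.Iat, 0)) || !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("wrong audience or outside validity window")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return c, errors.New("signature invalid")
	}
	return c, nil
}

// STSRequest builds the AssumeRoleWithWebIdentity query; the response carries the
// AccessKeyId/SecretAccessKey/SessionToken triple, valid for DurationSeconds.
func STSRequest(roleARN, session, token string, d time.Duration) url.Values {
	q := url.Values{}
	q.Set("Action", "AssumeRoleWithWebIdentity")
	q.Set("Version", "2011-06-15")
	q.Set("RoleArn", roleARN)
	q.Set("RoleSessionName", session)
	q.Set("WebIdentityToken", token)
	q.Set("DurationSeconds", fmt.Sprint(int(d.Seconds())))
	return q
}

func main() {
	priv, _ := NewDeviceKey() // assumed names below: issuer, subject, key id, role ARN
	now := time.Now()
	c := Claims{Iss: "credctl-device", Sub: "device:laptop-01", Aud: "sts.amazonaws.com", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()}
	tok, _ := SignJWT(priv, "device-key-1", c)
	_, err := VerifyJWT(&priv.PublicKey, tok, c.Aud, now)
	fmt.Println("verified:", err == nil, "| STS params:", STSRequest("arn:aws:iam::123456789012:role/credctl-dev", "laptop", tok, time.Hour).Get("Action"))
}
```

The two checks worth noticing are the pinned alg and the audience: the hardware signature alone proves which device spoke, but without the audience check a token minted for one cloud could be replayed at another, and without the alg pin a relying party that accepts whatever the header says can be talked into a weaker or absent signature.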
Why credctl
Hardware-bound
Credentials are bound to your device's Secure Enclave. The private key is non-exportable: it cannot be copied, stolen, or extracted. What does leave the device is a signature and the one-hour session credential it buys, so a compromise of the laptop is limited to that window rather than to a key that lives indefinitely.
Short-lived
Cloud credentials expire in one hour. No more long-lived access keys sitting on disk. Every credctl auth run requires a fresh hardware-signed JWT, and with it a Touch ID confirmation.
Zero infrastructure
No servers to run, no agents to deploy, no SaaS to subscribe to. A single CLI binary that talks directly to your cloud provider.
See it in action
# Create a hardware-bound device identity
$ credctl init
Generating Secure Enclave key pair...
✓ Device identity created (Secure Enclave)
Fingerprint: SHA256:aBcDeFg...
Public key: ~/.credctl/device.pub
# Set up your cloud (one-time setup — pick one or both)
$ credctl setup aws --policy-arn arn:aws:iam::123456789012:policy/MyDevPolicy
✓ AWS setup complete.
$ credctl setup gcp --service-account sa@project.iam.gserviceaccount.com
✓ GCP setup complete.
# Get short-lived credentials (Touch ID required)
$ credctl auth --format env
export AWS_ACCESS_KEY_ID=ASIAI...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
$ credctl auth --provider gcp --format env
export GOOGLE_APPLICATION_CREDENTIALS=~/.credctl/gcp-credentials.json