Assume

Local-first cloud access manager

Cloud credentials, one click away.

Assume generates short-lived credentials for AWS, Azure, and LocalStack on demand — and rotates them before they go stale. Your long-lived keys never touch disk in plaintext.

Download for macOS

v0.15.4 · macOS (Apple Silicon) · Windows & Linux soon

Works withAmazon Web ServicesMicrosoft AzureLocalStack

How it works

From zero to a live session in three moves.

01

Connect

Sign in once — AWS SSO device flow, IAM credentials, federated roles, or Azure AD. Assume maps every account and role you can reach.

02

Assume

Click a session. Short-lived credentials are generated on the spot, written where your tools expect them, and rotated before they expire.

03

Work anywhere

Terminal, SDK, IDE, or the cloud console in your browser — every surface sees valid credentials, never your long-lived keys.

Every AWS access pattern, first-class

IAM users, federated roles, chained roles, and AWS SSO via the OIDC device flow. Import an SSO portal once and every account and role appears as a ready-to-start session.

  • IAM User
  • IAM Role Federated
  • IAM Role Chained
  • AWS SSO
  • Azure
  • LocalStack

An encrypted local vault

Your workspace is AES-256 encrypted on disk, with secrets held in the OS keychain. Nothing syncs to anyone's cloud — including ours.

~/.assume · AES-256 · keychain-backed

Rotation on autopilot

Active sessions refresh themselves before credentials expire. No more half-dead terminals at the worst moment.

Multi-console browsing

The Chrome extension opens several cloud consoles side by side — one tab per session, no sign-out roulette.

Scriptable by design

Everything the app does, the assume CLI does headlessly — start, stop, and switch sessions from scripts and CI.

Security model

Your keys stay home.

Assume is built on a simple rule: long-lived secrets are liabilities. Generate short-lived ones instead, keep them local, and encrypt everything at rest.

AES-256
Workspace encrypted at rest. Plaintext never hits disk.
OS keychain
Secrets live in macOS Keychain, guarded by the system.
Short-lived
Sessions use temporary credentials, rotated automatically.

One core, three surfaces

Desktop, terminal, and browser.

Desktop app

The home base — manage integrations, start sessions, and watch credential timers tick from the tray.

CLI @assume/cli

The same engine in your terminal. Pair it with the desktop app and script every session you own.

Browser extension

Open multiple cloud consoles at once, each bound to a different session — prod and staging, side by side.

Stop pasting credentials into terminals.

Download for macOSor read the quickstart