99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments


Update readme QuickStart to emphasize SSO as preferred authentication method

evbo opened this issue · comments


QuickStart currently shows manually setting a permanent Access Key and Secret in the configuration of AWS Vault, misleadingly suggesting that it is acceptable for (non-admin) developers to manually handle permanent access keys.

The work this team has done to enable SSO through Amazon IAM Identity Center is incredible! You should make that effort more visible because it is also a security best practice by avoiding ever generating Access Keys in the first place.

Simply show SSO as the FIRST method for how to configure, with maybe a warning about storing access keys, especially since this option is enabled for local file storage (not necessarily a keystore).

Doing this would be a huge help in guiding people towards far more secure authentication methods. Thank you for your hard work!
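As an added illustration of the contrast the issue draws (this is an example written for this page, not the project's README or its QuickStart), below is a ~/.aws/config fragment that shows the SSO-based profile aws-vault supports next to the static-key profile the current QuickStart implies. The start URL, region, account ID and role name are placeholder values and are assumptions; substitute your own IAM Identity Center values.

```ini
# ~/.aws/config  (added example, not from the aws-vault README)

# Preferred: an IAM Identity Center (SSO) profile. No long-lived access key is
# ever created; aws-vault runs the SSO device flow and caches only short-lived
# session credentials.  Values below are placeholders.
[profile dev-sso]
sso_start_url = https://example-company.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
region = us-east-1

# Discouraged: a profile backed by a permanent access key pair.  The key itself
# is not in this file (aws-vault stores it in the chosen backend via
# `aws-vault add dev-static`), but it still exists as a long-lived credential
# that must be rotated and can leak, and with the file backend it lives in a
# passphrase-protected file rather than an OS keystore.
[profile dev-static]
region = us-east-1
```

With the SSO profile in place, `aws-vault exec dev-sso -- aws sts get-caller-identity` starts the SSO login the first time and reuses the cached session afterwards, so the developer never handles an access key.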

@evbo do you have any working config for terraform?
For me it works with aws-vault exec --json $profile_name
But I have a problem with terraform aws provider when using the profile option

...
Error: failed to refresh cached credentials, the SSO session has expired or is invalid: failed to read cached SSO token file, open /home/***/.aws/sso/cache/1eb8e7cd905c72f5ab427dc21b373543b2247e3e.json: no such file or directory