The 1pass CLI is great! However if you aren’t using 1password as your secrets vault, I’m building an open source, vault-agnostic alternative called RunSecret (https://github.com/runsecret/rsec)
I agree RunSecret adds a level of indirection at this stage that op doesn’t (if you are using 1pass). This is something I plan to polish up once more vaults are supported. You’ve given me some ideas on how to do that here.
And thanks for the advice on doing a Show HN, planning to do so once a few more rough edges are smoothed out.
Vantage engineer who worked on this feature here. The security posture of MCP servers is still in its early stages (see “The ‘S’ in MCP Stands for Security” from three weeks ago [https://elenacross7.medium.com/%EF%B8%8F-the-s-in-mcp-stands...]). The recommendations above to use something like the 1Password CLI wrapper when invoking an MCP server seem sound.
That being said, an easier-to-distribute user experience would be to leverage short-lived OAuth tokens that LLM clients such as Claude or Goose ultimately manage for the user. We’re exploring these avenues as we develop the server.
If your service is running in AWS, use the native IAM identity loading from ECS, EKS, EC2, etc. If it's your laptop, set AWS_PROFILE and let the SDK load the temporary creds from ~/.aws.
If you really really really need to use static creds on your laptop, use aws-vault to export them, or ephemeral creds generated from them, into your environment.