Granted uses an open-source library to securely store AWS SSO tokens in a backend service. In addition to pass or the Windows Credential Manager, Linux desktop users running GNOME can use the GNOME keyring to store AWS SSO tokens securely and have it unlocked with the default login keychain.

Prerequisites

  • Installed Granted CLI tool.
  • Access to AWS SSO tokens.
  • GNOME keyring installed (tested on Ubuntu 22 with GNOME 40+).

Configuration

Open the Granted configuration file located at ~/.granted/config. Add the following configuration to specify the backend for keyring:

[Keyring]
  Backend = "secret-service"
  LibSecretCollectionName = "login"

The next time you run Granted, it will use the secret-service backend to store AWS SSO tokens. It will not ask you to enter your password; the keyring is unlocked with the login keychain instead.
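To confirm the setting took effect, the following added example (not part of Granted or its documentation) reads the [Keyring] table from the config file and, when gdbus is available, asks the Secret Service whether the named collection is locked. The function names are hypothetical, and the D-Bus object path /org/freedesktop/secrets/collection/<name> is an assumption that holds for the GNOME keyring "login" collection.

```shell
#!/bin/sh
# Added example, not Granted's own code. Function names are hypothetical.

# Print the value of <key> from the [Keyring] table of <config-file>.
keyring_setting() {  # usage: keyring_setting <config-file> <key>
    awk -v key="$2" '
        /^[ \t]*\[/ { in_k = ($0 ~ /^[ \t]*\[Keyring\][ \t]*$/); next }
        in_k {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)      # trim the key
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)    # trim spaces and quotes
            if (k == key) { print v; exit }
        }' "$1"
}

# Print "true" or "false" for the Locked property of a collection.
# Assumption: the collection lives at .../collection/<name> (true for "login").
collection_locked() {  # usage: collection_locked <collection-name>
    gdbus call --session --dest org.freedesktop.secrets \
        --object-path "/org/freedesktop/secrets/collection/$1" \
        --method org.freedesktop.DBus.Properties.Get \
        org.freedesktop.Secret.Collection Locked | grep -oE 'true|false'
}

# Check the config, then report the lock state if it can be queried.
check_granted_keyring() {  # usage: check_granted_keyring [config-file]
    cfg=${1:-"$HOME/.granted/config"}
    backend=$(keyring_setting "$cfg" Backend)
    coll=$(keyring_setting "$cfg" LibSecretCollectionName)
    if [ "$backend" != "secret-service" ]; then
        echo "Backend is '${backend:-unset}', expected secret-service" >&2
        return 1
    fi
    if [ -z "$coll" ]; then
        echo "LibSecretCollectionName is unset" >&2
        return 1
    fi
    if ! command -v gdbus >/dev/null 2>&1; then
        echo "config ok (collection '$coll'); gdbus not found, lock state not checked"
        return 0
    fi
    state=$(collection_locked "$coll" 2>/dev/null) || state=unknown
    echo "config ok; collection '$coll' locked: ${state:-unknown}"
}
```

Source the file and run check_granted_keyring from a desktop session; a result of "locked: false" right after login means the collection was unlocked together with the login keychain.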

To learn more about how to configure the keyring, check out these settings that are exposed in Granted and the upstream library documentation for further details.