I found a reproducible case of this same error while using aws-vault over a remote SSH session into a MacBook:
ssh mymacbook.local
aws-vault exec ${AWS_CONFIG_PROFILE_NAME_HERE} -- ${SOME_AWS_COMMAND_HERE}
This opens a local browser page to AWS SSO auth. I'm able to use VNC to remotely connect to the active display and click to approve the session in the browser window.
Then the command returns the following error:
Opening the SSO authorization page in your default browser (use Ctrl-C to abort)
https://device.sso.us-east-1.amazonaws.com/?user_code=XXXX-XXXX
aws-vault: error: exec: Failed to get credentials for ${AWS_CONFIG_PROFILE_NAME_HERE}: User interaction is not allowed. (-25308)
This same command works perfectly fine when run locally & directly using the MacBook's keyboard & screen. The -25308 error code and message are 100% reproducible when trying this command over a remotely connected SSH terminal session.
I have checked that the login keychain is shown as unlocked in the Keychain Access app. I've also tried running: security unlock-keychain "${HOME}/Library/Keychains/login.keychain-db" in the remote SSH terminal.
Seems like this may have something to do with some other hidden macOS security settings that prevent aws-vault (or other apps, such as the VPN app the OP mentions), from working over a remotely started terminal session?
I checked the system logs while running the aws-vault command to reproduce the error, and sure enough securityd is logging some errors about code signing while aws-vault tries to perform keychain operations:
2022-05-03 16:52:03.461873-0600 0xab0f62 Activity 0xc55614 11605 0 aws-vault: (Security) SecKeychainOpen
2022-05-03 16:52:03.462417-0600 0xab0f62 Activity 0xc55615 11605 0 aws-vault: (Security) SecKeychainOpen
2022-05-03 16:52:03.462836-0600 0xab0f62 Error 0x0 11605 0 aws-vault: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 45530 of [9ff244ce07]
2022-05-03 16:52:03.462872-0600 0xab0f62 Error 0x0 11605 0 aws-vault: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:45530: (2) open(/var/db/DetachedSignatures) - No such file or directory
2022-05-03 16:52:03.465167-0600 0xab0f62 Activity 0xc55616 11605 0 aws-vault: (Security) SecTrustEvaluateIfNecessary
2022-05-03 16:52:03.467640-0600 0xab0f62 Activity 0xc55617 11605 0 aws-vault: (Security) SecTrustSettingsXPCRead
2022-05-03 16:52:03.467809-0600 0xab0d8e Activity 0xc54f18 634 0 trustd: (libsystem_info.dylib) Membership API: translate identifier
2022-05-03 16:52:03.468701-0600 0xab0f62 Activity 0xc55618 11605 0 aws-vault: (Security) SecKeychainAddCallback
2022-05-03 16:52:03.468819-0600 0xab0f62 Activity 0xc55619 11605 0 aws-vault: (Security) SecTrustSettingsXPCRead
2022-05-03 16:52:03.474920-0600 0xab0f62 Activity 0xc5561a 11605 0 aws-vault: (Security) SecTrustEvaluateIfNecessary
2022-05-03 16:52:03.480998-0600 0xab0f62 Activity 0xc5561b 11605 0 aws-vault: (Security) SecItemAdd
2022-05-03 16:52:03.481988-0600 0xab0a65 Default 0x0 364 0 securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-signed
2022-05-03 16:52:03.483018-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:KCdb] 0x13626c430(0x13636d7c0) unlocking for makeUnlocked()
2022-05-03 16:52:03.483068-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentConnection] new SecurityAgentConnection(0x16b4eea30)
2022-05-03 16:52:03.483099-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentXPCQuery] new SecurityAgentXPCQuery(0x16b4eea30)
2022-05-03 16:52:03.483417-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-signed
2022-05-03 16:52:03.483455-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentConnection] activate(0x16b4eea30)
2022-05-03 16:52:03.483517-0600 0xd3b Default 0x0 364 0 securityd: (Security) [com.apple.securityd:security_exception] MacOS error: -25337
2022-05-03 16:52:03.483823-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:security_exception] CSSM Exception: 224 unknown error 224=e0
2022-05-03 16:52:03.483940-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentXPCQuery] SecurityAgentXPCQuery(0x16b4eea30) dying
2022-05-03 16:52:03.484082-0600 0xab0f62 Default 0xc5561b 11605 0 aws-vault: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
2022-05-03 16:52:03.483972-0600 0xd3b Default 0x0 364 0 securityd: [com.apple.securityd:SecurityAgentConnection] SecurityAgentConnection(0x16b4eea30) dying
2022-05-03 16:52:03.484158-0600 0xab0f62 Default 0xc5561b 11605 0 aws-vault: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
2022-05-03 16:52:03.484829-0600 0xab0b71 Error 0x0 469 0 analyticsd: [com.apple.analyticsd:xpc] [XPC Server] managed connection recieved connection invalidated: Connection invalid
2022-05-03 16:52:03.485589-0600 0x1058 Default 0x0 406 0 mDNSResponder: [com.apple.mDNSResponder:Default] [R185837] DNSServiceCreateConnection STOP PID[11605](aws-vault)
2022-05-03 16:52:03.500952-0600 0xab1038 Default 0x0 0 0 kernel: arm64e_plugin_host: running binary "bash" in keys-off mode due to identity: com.apple.bash
2022-05-03 16:52:03.505416-0600 0x12e1 Error 0x0 628 0 Google Chrome: (QuartzCore) [com.apple.coreanimation:API] cannot add handler to 4 from 4 - dropping
2022-05-03 16:52:03.530880-0600 0xab1055 Default 0x0 0 0 kernel: arm64e_plugin_host: running binary "bash" in keys-off mode due to identity: com.apple.bash
2022-05-03 16:52:03.536886-0600 0xab1059 Default 0x0 0 0 kernel: arm64e_plugin_host: running binary "bash" in keys-off mode due to identity: com.apple.bash
Seems like the final error reported by aws-vault is from this line:
aws-vault: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
Which was caused immediately by the securityd errors just before that:
securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-signed
securityd: (Security) [com.apple.securityd:security_exception] MacOS error: -25337
securityd: [com.apple.securityd:security_exception] CSSM Exception: 224 unknown error 224=e0
This overall seems like an issue built in to macOS, probably for security reasons that presume that all Keychain actions should be attached to an app that has an interactive GUI. Seems very similar to this issue reported on a terminal app using the keyring while under a screen or SSH session.