diff --git a/authmate/authmate.go b/authmate/authmate.go
index 7f4dd5a..a8aa928 100644
--- a/authmate/authmate.go
+++ b/authmate/authmate.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"
 	"math"
+	"os"
 	"strconv"
 	"time"
 
@@ -57,6 +58,7 @@ type (
 		ContextRules          []byte
 		SessionTkn            bool
 		Lifetime              uint64
+		AwsCliCredentialsFile string
 		ContainerPolicies     ContainerPolicies
 	}
 
@@ -241,7 +243,26 @@ func (a *Agent) IssueSecret(ctx context.Context, w io.Writer, options *IssueSecr
 
 	enc := json.NewEncoder(w)
 	enc.SetIndent("", "  ")
-	return enc.Encode(ir)
+	if err = enc.Encode(ir); err != nil {
+		return err
+	}
+
+	if options.AwsCliCredentialsFile != "" {
+		profileName := "authmate_cred_" + address.ObjectID().String()
+		if _, err = os.Stat(options.AwsCliCredentialsFile); os.IsNotExist(err) {
+			profileName = "default"
+		}
+		file, err := os.OpenFile(options.AwsCliCredentialsFile, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600)
+		if err != nil {
+			return fmt.Errorf("couldn't open aws cli credentials file: %w", err)
+		}
+		defer file.Close()
+		if _, err = file.WriteString(fmt.Sprintf("\n[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n",
+			profileName, accessKeyID, secrets.AccessKey)); err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 // ObtainSecret receives an existing secret access key from NeoFS and
diff --git a/cmd/authmate/main.go b/cmd/authmate/main.go
index 3e562d4..59c5fff 100644
--- a/cmd/authmate/main.go
+++ b/cmd/authmate/main.go
@@ -47,6 +47,7 @@ var (
 	sessionTokenFlag       bool
 	lifetimeFlag           uint64
 	containerPolicies      string
+	awcCliCredFile         string
 )
 
 const (
@@ -209,6 +210,12 @@ func issueSecret() *cli.Command {
 				Required:    false,
 				Destination: &containerPolicies,
 			},
+			&cli.StringFlag{
+				Name:        "aws-cli-credentials",
+				Usage:       "path to the aws cli credential file",
+				Required:    false,
+				Destination: &awcCliCredFile,
+			},
 		},
 		Action: func(c *cli.Context) error {
 			ctx, log := prepare()
@@ -264,6 +271,7 @@ func issueSecret() *cli.Command {
 				ContainerPolicies:     policies,
 				SessionTkn:            sessionTokenFlag,
 				Lifetime:              lifetimeFlag,
+				AwsCliCredentialsFile: awcCliCredFile,
 			}
 
 			if err = agent.IssueSecret(ctx, os.Stdout, issueSecretOptions); err != nil {