diff --git a/cli/add.go b/cli/add.go
index 0df7fc133..313fe678b 100644
--- a/cli/add.go
+++ b/cli/add.go
@@ -70,7 +70,7 @@ func AddCommand(input AddCommandInput, keyring keyring.Keyring, awsConfigFile *v
 		if accessKeyId, err = prompt.TerminalPrompt("Enter Access Key ID: "); err != nil {
 			return fmt.Errorf(err.Error())
 		}
-		if secretKey, err = prompt.TerminalPrompt("Enter Secret Access Key: "); err != nil {
+		if secretKey, err = prompt.TerminalSecretPrompt("Enter Secret Access Key: "); err != nil {
 			return fmt.Errorf(err.Error())
 		}
 	}
diff --git a/prompt/terminal.go b/prompt/terminal.go
index ceccfaf2c..bb626b356 100644
--- a/prompt/terminal.go
+++ b/prompt/terminal.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"os"
 	"strings"
+
+	"golang.org/x/crypto/ssh/terminal"
 )
 
 func TerminalPrompt(message string) (string, error) {
@@ -19,6 +21,19 @@ func TerminalPrompt(message string) (string, error) {
 	return strings.TrimSpace(text), nil
 }
 
+func TerminalSecretPrompt(message string) (string, error) {
+	fmt.Fprint(os.Stderr, message)
+
+	text, err := terminal.ReadPassword(int(os.Stdin.Fd()))
+	if err != nil {
+		return "", err
+	}
+
+	fmt.Println()
+
+	return strings.TrimSpace(string(text)), nil
+}
+
 func TerminalMfaPrompt(mfaSerial string) (string, error) {
 	return TerminalPrompt(mfaPromptMessage(mfaSerial))
 }