Can I use AWS as a CLI?

Yes. KosmoKrator exposes a AWS CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose AWS through MCP?

Yes. The KosmoKrator MCP gateway can expose selected AWS tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are AWS credentials stored?

AWS credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for AWS MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

other

AWS CLI for AI Agents

Use the AWS CLI from KosmoKrator to call AWS tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

8 functions 7 read 1 write Bearer token auth

Submit AWS feedback View package source

AWS CLI Setup

AWS can be configured headlessly with `kosmokrator integrations:configure aws`.

# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure aws --set access_token="$AWS_ACCESS_TOKEN" --enable --read allow --write ask --json
kosmokrator integrations:doctor aws --json
kosmokrator integrations:status --json

Credentials

Authentication type: Bearer token bearer_token. Configure credentials once, then use the same stored profile from scripts, coding CLIs, Lua code mode, and the MCP gateway.

Key	Env var	Type	Required	Label
`access_token`	`AWS_ACCESS_TOKEN`	Secret `secret`	yes	Access Token
`base_url`	`AWS_BASE_URL`	URL `url`	no	Base URL

Call AWS Headlessly

Use the generic call form when another coding CLI or script needs a stable universal interface.

kosmo integrations:call aws.aws_list_s3_buckets '{
  "region": "example_region"
}' --json

Use the provider shortcut form for shorter human-facing commands.

kosmo integrations:aws aws_list_s3_buckets '{
  "region": "example_region"
}' --json

Agent Discovery Commands

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

kosmo integrations:docs aws --json
kosmo integrations:docs aws.aws_list_s3_buckets --json
kosmo integrations:schema aws.aws_list_s3_buckets --json
kosmo integrations:search "AWS" --json
kosmo integrations:list --json

All CLI Functions

Every function below can be called headlessly. The generic form is stable across all integrations; the provider shortcut is shorter but specific to AWS.

`aws.aws_list_s3_buckets`

Read read

List all S3 buckets in the AWS account. Returns bucket names, creation dates, and regions.

Parameters: region

Generic CLI call

kosmo integrations:call aws.aws_list_s3_buckets '{"region":"example_region"}' --json

Provider shortcut

kosmo integrations:aws aws_list_s3_buckets '{"region":"example_region"}' --json

`aws.aws_list_ec2_instances`

Read read

Describe EC2 instances in the AWS account. Returns instance IDs, types, states, and metadata. Supports filtering by instance IDs, states, or tags.

Parameters: instance_ids, filters, region

Generic CLI call

kosmo integrations:call aws.aws_list_ec2_instances '{"instance_ids":"example_instance_ids","filters":"example_filters","region":"example_region"}' --json

Provider shortcut

kosmo integrations:aws aws_list_ec2_instances '{"instance_ids":"example_instance_ids","filters":"example_filters","region":"example_region"}' --json

`aws.aws_list_lambda_functions`

Read read

List all Lambda functions in the AWS account. Returns function names, runtimes, descriptions, and configuration.

Parameters: max_items, region

Generic CLI call

kosmo integrations:call aws.aws_list_lambda_functions '{"max_items":1,"region":"example_region"}' --json

Provider shortcut

kosmo integrations:aws aws_list_lambda_functions '{"max_items":1,"region":"example_region"}' --json

`aws.aws_invoke_lambda`

Write write

Invoke an AWS Lambda function with an optional payload. Supports synchronous (RequestResponse) and asynchronous (Event) invocation modes.

Parameters: function_name, payload, invocation_type, region

Generic CLI call

kosmo integrations:call aws.aws_invoke_lambda '{"function_name":"example_function_name","payload":"example_payload","invocation_type":"example_invocation_type","region":"example_region"}' --json

Provider shortcut

kosmo integrations:aws aws_invoke_lambda '{"function_name":"example_function_name","payload":"example_payload","invocation_type":"example_invocation_type","region":"example_region"}' --json

`aws.aws_list_dynamodb_tables`

Read read

List all DynamoDB tables in the AWS account. Returns table names and can be used with pagination to enumerate all tables.

Parameters: limit, exclusive_start_table_name, region

Generic CLI call

kosmo integrations:call aws.aws_list_dynamodb_tables '{"limit":1,"exclusive_start_table_name":"example_exclusive_start_table_name","region":"example_region"}' --json

Provider shortcut

kosmo integrations:aws aws_list_dynamodb_tables '{"limit":1,"exclusive_start_table_name":"example_exclusive_start_table_name","region":"example_region"}' --json

`aws.aws_get_cloudwatch_metrics`

Read read

Get CloudWatch metric data for AWS resources. Supports querying metrics by namespace, metric name, dimensions, and time range with configurable statistics and periods.

Parameters: namespace, metric_name, statistics, start_time, end_time, period, dimensions, region

Generic CLI call

kosmo integrations:call aws.aws_get_cloudwatch_metrics '{"namespace":"example_namespace","metric_name":"example_metric_name","statistics":"example_statistics","start_time":"example_start_time","end_time":"example_end_time","period":1,"dimensions":"example_dimensions","region":"example_region"}' --json

Provider shortcut

kosmo integrations:aws aws_get_cloudwatch_metrics '{"namespace":"example_namespace","metric_name":"example_metric_name","statistics":"example_statistics","start_time":"example_start_time","end_time":"example_end_time","period":1,"dimensions":"example_dimensions","region":"example_region"}' --json

`aws.aws_list_sns_topics`

Read read

List all SNS notification topics in the AWS account. Returns topic ARNs and names.

Parameters: next_token, region

Generic CLI call

kosmo integrations:call aws.aws_list_sns_topics '{"next_token":"example_next_token","region":"example_region"}' --json

Provider shortcut

kosmo integrations:aws aws_list_sns_topics '{"next_token":"example_next_token","region":"example_region"}' --json

`aws.aws_get_current_user`

Read read

Get the current IAM user identity. Returns user ARN, account ID, and user ID. Useful for verifying credentials and understanding which AWS account is being accessed.

Parameters: none

Generic CLI call

kosmo integrations:call aws.aws_get_current_user '{}' --json

Provider shortcut

kosmo integrations:aws aws_get_current_user '{}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling integrations:schema first.

`aws.aws_list_s3_buckets`

List all S3 buckets in the AWS account. Returns bucket names, creation dates, and regions.

Operation: Read read
Schema command: kosmo integrations:schema aws.aws_list_s3_buckets --json

Parameter	Type	Required	Description
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

`aws.aws_list_ec2_instances`

Describe EC2 instances in the AWS account. Returns instance IDs, types, states, and metadata. Supports filtering by instance IDs, states, or tags.

Operation: Read read
Schema command: kosmo integrations:schema aws.aws_list_ec2_instances --json

Parameter	Type	Required	Description
`instance_ids`	array	no	List of specific instance IDs to describe (e.g., ["i-1234567890abcdef0"]). Omit to list all instances.
`filters`	array	no	Filters to apply (e.g., [{"Name": "instance-state-name", "Values": ["running"]}]).
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

`aws.aws_list_lambda_functions`

List all Lambda functions in the AWS account. Returns function names, runtimes, descriptions, and configuration.

Operation: Read read
Schema command: kosmo integrations:schema aws.aws_list_lambda_functions --json

Parameter	Type	Required	Description
`max_items`	integer	no	Maximum number of functions to return (default: 50).
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

`aws.aws_invoke_lambda`

Invoke an AWS Lambda function with an optional payload. Supports synchronous (RequestResponse) and asynchronous (Event) invocation modes.

Operation: Write write
Schema command: kosmo integrations:schema aws.aws_invoke_lambda --json

Parameter	Type	Required	Description
`function_name`	string	yes	The name or ARN of the Lambda function to invoke.
`payload`	object	no	JSON payload to pass to the Lambda function.
`invocation_type`	string	no	Invocation type: "RequestResponse" (sync, default), "Event" (async), or "DryRun" (validate only).
`region`	string	no	AWS region (e.g., "us-east-1"). Defaults to the configured region.

`aws.aws_list_dynamodb_tables`

List all DynamoDB tables in the AWS account. Returns table names and can be used with pagination to enumerate all tables.

Operation: Read read
Schema command: kosmo integrations:schema aws.aws_list_dynamodb_tables --json

Parameter	Type	Required	Description
`limit`	integer	no	Maximum number of table names to return (default: 100).
`exclusive_start_table_name`	string	no	The first table name that this operation will evaluate. Use for pagination.
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

`aws.aws_get_cloudwatch_metrics`

Get CloudWatch metric data for AWS resources. Supports querying metrics by namespace, metric name, dimensions, and time range with configurable statistics and periods.

Operation: Read read
Schema command: kosmo integrations:schema aws.aws_get_cloudwatch_metrics --json

Parameter	Type	Required	Description
`namespace`	string	yes	The CloudWatch namespace (e.g., "AWS/EC2", "AWS/Lambda", "AWS/DynamoDB").
`metric_name`	string	yes	The name of the metric (e.g., "CPUUtilization", "Invocations", "ReadThrottleEvents").
`statistics`	array	yes	Statistics to retrieve (e.g., ["Average", "Maximum", "Sum"]).
`start_time`	string	yes	Start time for the query (ISO 8601, e.g., "2026-01-01T00:00:00Z").
`end_time`	string	yes	End time for the query (ISO 8601, e.g., "2026-01-02T00:00:00Z").
`period`	integer	no	The granularity in seconds for the returned data points (e.g., 60, 300, 3600). Default: 300.
`dimensions`	array	no	Dimensions to filter by (e.g., [{"Name": "InstanceId", "Value": "i-1234567890abcdef0"}]).
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

`aws.aws_list_sns_topics`

List all SNS notification topics in the AWS account. Returns topic ARNs and names.

Operation: Read read
Schema command: kosmo integrations:schema aws.aws_list_sns_topics --json

Parameter	Type	Required	Description
`next_token`	string	no	Pagination token from a previous response to get the next page of results.
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

`aws.aws_get_current_user`

Get the current IAM user identity. Returns user ARN, account ID, and user ID. Useful for verifying credentials and understanding which AWS account is being accessed.

Operation: Read read
Schema command: kosmo integrations:schema aws.aws_get_current_user --json

Parameter	Type	Required	Description
No parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with integrations:configure. Add --force only for trusted automation that should bypass that policy.