Can I use AWS as a CLI?

Yes. KosmoKrator exposes a AWS CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose AWS through MCP?

Yes. The KosmoKrator MCP gateway can expose selected AWS tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are AWS credentials stored?

AWS credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for AWS MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

other

AWS MCP Integration for LangGraph

Connect AWS to LangGraph through the local KosmoKrator MCP gateway with scoped tools, credentials, and write policy.

8 functions 7 read 1 write Bearer token auth

Submit AWS feedback View package source

Connect AWS to LangGraph

Run KosmoKrator integration calls from LangGraph nodes while preserving local credentials and permissions.

Use a graph node that calls the KosmoKrator CLI for deterministic steps or an MCP client for dynamic tool selection. The gateway is local, scoped to this integration, and starts with --write=deny so LangGraph can inspect read-capable tools without receiving write access by default.

AWS MCP Config for LangGraph

Headless CLI calls fit repeatable graph edges; MCP fits exploratory agent nodes.

{
  "mcpServers": {
    "kosmokrator-aws": {
      "type": "stdio",
      "command": "kosmo",
      "args": [
        "mcp:serve",
        "--integration=aws",
        "--write=deny"
      ]
    }
  }
}

Run the Gateway Manually

kosmokrator mcp:serve --integration=aws --write=deny

Why Use KosmoKrator Here

Scoped tools

Expose only AWS instead of a broad multi-service tool list.

Local credentials

Reuse credentials already configured for the KosmoKrator CLI and Lua runtime.

Write policy

Start read-only, then opt into ask or allow for trusted workspaces.

AWS Tools Visible to LangGraph

LangGraph sees stable MCP tool names generated from the AWS integration catalog.

MCP tool	Source function	Type	Description
`integration__aws__aws_list_s3_buckets`	`aws.aws_list_s3_buckets`	Read	List all S3 buckets in the AWS account. Returns bucket names, creation dates, and regions.
`integration__aws__aws_list_ec2_instances`	`aws.aws_list_ec2_instances`	Read	Describe EC2 instances in the AWS account. Returns instance IDs, types, states, and metadata. Supports filtering by instance IDs, states, or tags.
`integration__aws__aws_list_lambda_functions`	`aws.aws_list_lambda_functions`	Read	List all Lambda functions in the AWS account. Returns function names, runtimes, descriptions, and configuration.
`integration__aws__aws_invoke_lambda`	`aws.aws_invoke_lambda`	Write	Invoke an AWS Lambda function with an optional payload. Supports synchronous (RequestResponse) and asynchronous (Event) invocation modes.
`integration__aws__aws_list_dynamodb_tables`	`aws.aws_list_dynamodb_tables`	Read	List all DynamoDB tables in the AWS account. Returns table names and can be used with pagination to enumerate all tables.
`integration__aws__aws_get_cloudwatch_metrics`	`aws.aws_get_cloudwatch_metrics`	Read	Get CloudWatch metric data for AWS resources. Supports querying metrics by namespace, metric name, dimensions, and time range with configurable statistics and periods.
`integration__aws__aws_list_sns_topics`	`aws.aws_list_sns_topics`	Read	List all SNS notification topics in the AWS account. Returns topic ARNs and names.
`integration__aws__aws_get_current_user`	`aws.aws_get_current_user`	Read	Get the current IAM user identity. Returns user ARN, account ID, and user ID. Useful for verifying credentials and understanding which AWS account is being accessed.

Related AWS Pages

AWS CLIUse direct JSON commands instead of MCP discovery. AWS MCPFull gateway reference and MCP tool names. KosmoKrator for LangGraphClient-level gateway setup.