Can I use AWS as a CLI?

Yes. KosmoKrator exposes a AWS CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose AWS through MCP?

Yes. The KosmoKrator MCP gateway can expose selected AWS tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are AWS credentials stored?

AWS credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for AWS MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

other

AWS MCP Gateway for AI Agents

Expose AWS tools to Claude Code, Cursor, Codex, and other MCP clients through the local KosmoKrator MCP gateway.

8 functions 7 read 1 write Bearer token auth

Submit AWS feedback View package source

AWS MCP Gateway

Expose AWS to MCP clients with `kosmokrator mcp:serve --integration=aws`.

If the client has never used KosmoKrator before, install it first, then register this integration as a stdio MCP server. The gateway exposes only the selected integration in the example below.

curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

kosmokrator mcp:gateway:install --integration=aws --write=deny --json

{
  "mcpServers": {
    "kosmokrator-aws": {
      "type": "stdio",
      "command": "kosmo",
      "args": [
        "mcp:serve",
        "--integration=aws",
        "--write=deny"
      ]
    }
  }
}

Serve Manually

kosmokrator mcp:serve --integration=aws --write=deny

MCP Tool Names

KosmoKrator exposes integration tools through the gateway with stable names:

MCP tool	Source function	Type
`integration__aws__aws_list_s3_buckets`	`aws.aws_list_s3_buckets`	Read `read`
`integration__aws__aws_list_ec2_instances`	`aws.aws_list_ec2_instances`	Read `read`
`integration__aws__aws_list_lambda_functions`	`aws.aws_list_lambda_functions`	Read `read`
`integration__aws__aws_invoke_lambda`	`aws.aws_invoke_lambda`	Write `write`
`integration__aws__aws_list_dynamodb_tables`	`aws.aws_list_dynamodb_tables`	Read `read`
`integration__aws__aws_get_cloudwatch_metrics`	`aws.aws_get_cloudwatch_metrics`	Read `read`
`integration__aws__aws_list_sns_topics`	`aws.aws_list_sns_topics`	Read `read`
`integration__aws__aws_get_current_user`	`aws.aws_get_current_user`	Read `read`

Write Access

Start with --write=deny for read-only MCP clients. Use --write=ask or --write=allow only when the client and workspace are trusted.