Can I use AWS as a CLI?

Yes. KosmoKrator exposes a AWS CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose AWS through MCP?

Yes. The KosmoKrator MCP gateway can expose selected AWS tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are AWS credentials stored?

AWS credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for AWS MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

data

AWS CLI for AI Agents

Use the AWS CLI from KosmoKrator to call AWS tools headlessly, return JSON, inspect schemas, and automate workflows from coding agents, scripts, and CI.

AWS CLI Setup

AWS can be configured headlessly with `kosmokrator integrations:configure aws`.

Install, configure, and verify

# Install KosmoKrator first if it is not available on PATH.
curl -fsSL https://raw.githubusercontent.com/OpenCompanyApp/kosmokrator/main/install.sh | bash

# Configure and verify this integration.
kosmokrator integrations:configure aws --set access_token="$AWS_ACCESS_TOKEN" --enable --read allow --write ask --json
kosmokrator integrations:doctor aws --json
kosmokrator integrations:status --json

Credentials

Authentication type: Bearer token bearer_token. Configure credentials once, then reuse the same stored profile from scripts, coding CLIs, Lua, and MCP.

Key	Env var	Type	Required	Label
`access_token`	`AWS_ACCESS_TOKEN`	Secret `secret`	yes	Access Token
`base_url`	`AWS_BASE_URL`	URL `url`	no	Base URL

Command Patterns

The generic command is stable across every integration. The provider shortcut is shorter for humans.

Generic CLI call

kosmo integrations:call aws.aws_list_s3_buckets '{"region":"example_region"}' --json

Provider shortcut

kosmo integrations:aws aws_list_s3_buckets '{"region":"example_region"}' --json

Discovery

These commands return structured output for coding agents that need to inspect capabilities before choosing a function.

Discovery commands

kosmo integrations:docs aws --json
kosmo integrations:docs aws.aws_list_s3_buckets --json
kosmo integrations:schema aws.aws_list_s3_buckets --json
kosmo integrations:search "AWS" --json
kosmo integrations:list --json

Automation Contexts

The same configured command surface works in these environments. The command does not change unless the host wrapper, credentials, or permissions change.

CI Run integration calls from CI jobs with JSON output, explicit credentials, and predictable exit status. Cron Jobs Schedule repeatable integration workflows from cron while keeping credentials in KosmoKrator config. Shell Scripts Call integration functions from shell scripts with stable JSON input and output. Headless Automation Use KosmoKrator as a non-interactive integration runtime for local automations and wrappers. Coding Agents Let coding agents discover schemas and execute integration functions through CLI commands or MCP.

CLI Functions

Every function below can be called headlessly. Commands are highlighted, copyable, and scroll horizontally when payloads are long.

`aws.aws_list_s3_buckets`

List all S3 buckets in the AWS account. Returns bucket names, creation dates, and regions.

Read read

Parameters: region

Generic call

kosmo integrations:call aws.aws_list_s3_buckets '{"region":"example_region"}' --json

Shortcut

kosmo integrations:aws aws_list_s3_buckets '{"region":"example_region"}' --json

`aws.aws_list_ec2_instances`

Describe EC2 instances in the AWS account. Returns instance IDs, types, states, and metadata. Supports filtering by instance IDs, states, or tags.

Read read

Parameters: instance_ids, filters, region

Generic call

kosmo integrations:call aws.aws_list_ec2_instances '{"instance_ids":"example_instance_ids","filters":"example_filters","region":"example_region"}' --json

Shortcut

kosmo integrations:aws aws_list_ec2_instances '{"instance_ids":"example_instance_ids","filters":"example_filters","region":"example_region"}' --json

`aws.aws_list_lambda_functions`

List all Lambda functions in the AWS account. Returns function names, runtimes, descriptions, and configuration.

Read read

Parameters: max_items, region

Generic call

kosmo integrations:call aws.aws_list_lambda_functions '{"max_items":1,"region":"example_region"}' --json

Shortcut

kosmo integrations:aws aws_list_lambda_functions '{"max_items":1,"region":"example_region"}' --json

`aws.aws_invoke_lambda`

Invoke an AWS Lambda function with an optional payload. Supports synchronous (RequestResponse) and asynchronous (Event) invocation modes.

Write write

Parameters: function_name, payload, invocation_type, region

Generic call

kosmo integrations:call aws.aws_invoke_lambda '{"function_name":"example_function_name","payload":"example_payload","invocation_type":"example_invocation_type","region":"example_region"}' --json

Shortcut

kosmo integrations:aws aws_invoke_lambda '{"function_name":"example_function_name","payload":"example_payload","invocation_type":"example_invocation_type","region":"example_region"}' --json

`aws.aws_list_dynamodb_tables`

List all DynamoDB tables in the AWS account. Returns table names and can be used with pagination to enumerate all tables.

Read read

Parameters: limit, exclusive_start_table_name, region

Generic call

kosmo integrations:call aws.aws_list_dynamodb_tables '{"limit":1,"exclusive_start_table_name":"example_exclusive_start_table_name","region":"example_region"}' --json

Shortcut

kosmo integrations:aws aws_list_dynamodb_tables '{"limit":1,"exclusive_start_table_name":"example_exclusive_start_table_name","region":"example_region"}' --json

`aws.aws_get_cloudwatch_metrics`

Get CloudWatch metric data for AWS resources. Supports querying metrics by namespace, metric name, dimensions, and time range with configurable statistics and periods.

Read read

Parameters: namespace, metric_name, statistics, start_time, end_time, period, dimensions, region

Generic call

kosmo integrations:call aws.aws_get_cloudwatch_metrics '{"namespace":"example_namespace","metric_name":"example_metric_name","statistics":"example_statistics","start_time":"example_start_time","end_time":"example_end_time","period":1,"dimensions":"example_dimensions","region":"example_region"}' --json

Shortcut

kosmo integrations:aws aws_get_cloudwatch_metrics '{"namespace":"example_namespace","metric_name":"example_metric_name","statistics":"example_statistics","start_time":"example_start_time","end_time":"example_end_time","period":1,"dimensions":"example_dimensions","region":"example_region"}' --json

`aws.aws_list_sns_topics`

List all SNS notification topics in the AWS account. Returns topic ARNs and names.

Read read

Parameters: next_token, region

Generic call

kosmo integrations:call aws.aws_list_sns_topics '{"next_token":"example_next_token","region":"example_region"}' --json

Shortcut

kosmo integrations:aws aws_list_sns_topics '{"next_token":"example_next_token","region":"example_region"}' --json

`aws.aws_get_current_user`

Get the current IAM user identity. Returns user ARN, account ID, and user ID. Useful for verifying credentials and understanding which AWS account is being accessed.

Read read

Parameters: none

Generic call

kosmo integrations:call aws.aws_get_current_user '{}' --json

Shortcut

kosmo integrations:aws aws_get_current_user '{}' --json

Function Schemas

Use these parameter tables when building CLI payloads without calling integrations:schema first.

aws.aws_list_s3_buckets 1 parameters

Schema command

kosmo integrations:schema aws.aws_list_s3_buckets --json

Parameter	Type	Required	Description
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

aws.aws_list_ec2_instances 3 parameters

Schema command

kosmo integrations:schema aws.aws_list_ec2_instances --json

Parameter	Type	Required	Description
`instance_ids`	array	no	List of specific instance IDs to describe (e.g., ["i-1234567890abcdef0"]). Omit to list all instances.
`filters`	array	no	Filters to apply (e.g., [{"Name": "instance-state-name", "Values": ["running"]}]).
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

aws.aws_list_lambda_functions 2 parameters

Schema command

kosmo integrations:schema aws.aws_list_lambda_functions --json

Parameter	Type	Required	Description
`max_items`	integer	no	Maximum number of functions to return (default: 50).
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

aws.aws_invoke_lambda 4 parameters

Schema command

kosmo integrations:schema aws.aws_invoke_lambda --json

Parameter	Type	Required	Description
`function_name`	string	yes	The name or ARN of the Lambda function to invoke.
`payload`	object	no	JSON payload to pass to the Lambda function.
`invocation_type`	string	no	Invocation type: "RequestResponse" (sync, default), "Event" (async), or "DryRun" (validate only).
`region`	string	no	AWS region (e.g., "us-east-1"). Defaults to the configured region.

aws.aws_list_dynamodb_tables 3 parameters

Schema command

kosmo integrations:schema aws.aws_list_dynamodb_tables --json

Parameter	Type	Required	Description
`limit`	integer	no	Maximum number of table names to return (default: 100).
`exclusive_start_table_name`	string	no	The first table name that this operation will evaluate. Use for pagination.
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

aws.aws_get_cloudwatch_metrics 8 parameters

Schema command

kosmo integrations:schema aws.aws_get_cloudwatch_metrics --json

Parameter	Type	Required	Description
`namespace`	string	yes	The CloudWatch namespace (e.g., "AWS/EC2", "AWS/Lambda", "AWS/DynamoDB").
`metric_name`	string	yes	The name of the metric (e.g., "CPUUtilization", "Invocations", "ReadThrottleEvents").
`statistics`	array	yes	Statistics to retrieve (e.g., ["Average", "Maximum", "Sum"]).
`start_time`	string	yes	Start time for the query (ISO 8601, e.g., "2026-01-01T00:00:00Z").
`end_time`	string	yes	End time for the query (ISO 8601, e.g., "2026-01-02T00:00:00Z").
`period`	integer	no	The granularity in seconds for the returned data points (e.g., 60, 300, 3600). Default: 300.
`dimensions`	array	no	Dimensions to filter by (e.g., [{"Name": "InstanceId", "Value": "i-1234567890abcdef0"}]).
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

aws.aws_list_sns_topics 2 parameters

Schema command

kosmo integrations:schema aws.aws_list_sns_topics --json

Parameter	Type	Required	Description
`next_token`	string	no	Pagination token from a previous response to get the next page of results.
`region`	string	no	AWS region to query (e.g., "us-east-1"). Defaults to the configured region.

aws.aws_get_current_user 0 parameters

Schema command

kosmo integrations:schema aws.aws_get_current_user --json

Parameter	Type	Required	Description
No parameters.

Permissions

Headless calls still follow the integration read/write permission policy. Configure read/write defaults with integrations:configure. Add --force only for trusted automation that should bypass that policy.