#AWS

Call any AWS API. Multi-account = multi-IAM-user across orgs and roles.

#Get a token

Generate a Access Key ID + Secret Access Key at https://console.aws.amazon.com/iam/home#/security_credentials.

#Recommended scopes

• Read-only managed policies are a safe default.
• Per-account IAM user for multi-account orgs.

#Add it to the vault

bash
mcpvault add aws

Example session:

text
$ mcpvault add aws
Label: prod
Access key ID: AKIA••••
Secret access key: ••••
Region: us-east-1
✓ Format valid
✓ Saved.

#Tools exposed

• see upstream — every AWS service. SSO supported.

#Notes

• Validation is format-only (proper SigV4 validation needs aws-sdk dep). Upstream server fails loudly on first bad request.

#Switch to this account

In any chat client wired to mcpvault, ask:

Switch to my <label> AWS account.

The vault server's activate_account tool flips the active label. Wrappers re-read it on the next call — no restart.