An MCP Server that sits between your agent and AWS STS and issues temporary credentials scoped to specific AWS Services

builder-magic/timebound-iam

timebound-iam

Timebound AWS IAM Permissions for Claude Code (or any AI agent)

An MCP server that sits between your AI agent and AWS STS, issuing temporary credentials scoped to specific AWS services and access levels on demand.

https://timebound-iam.com

Timebound-IAM is an MCP Server that issues short-lived, service-scoped AWS credentials via STS AssumeRole so that AI coding agents (like Claude Code) can access AWS resources without long-lived keys. Credentials are time-bounded (15 minutes to 12 hours), scoped to specific services and access levels (read-only or full), and automatically cleaned up on expiry.
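
One way the request described above could be checked before it reaches STS, as an added example rather than code from the timebound-iam project: it enforces the 15-minute to 12-hour window and turns a service/access-level request into an inline session policy for AssumeRole. The `Grant` type, the `SessionPolicy` function and the `Get*`/`List*`/`Describe*` read-only verb set are assumptions; the page does not say how the project scopes permissions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Grant is a hypothetical request item: an IAM service prefix and "read-only" or "full".
type Grant struct{ Service, Access string }

type statement struct { // field names match IAM policy JSON keys
	Effect   string
	Action   []string
	Resource string
}

// The agent chooses the prefix, so "*", "s3:*" and "iam,s3" must not pass.
var svcPrefix = regexp.MustCompile(`^[a-z0-9-]+$`)

// SessionPolicy returns DurationSeconds and the inline Policy JSON for sts:AssumeRole.
// STS intersects that policy with the role's own, so it can only narrow the broker role.
func SessionPolicy(grants []Grant, ttl time.Duration) (int32, string, error) {
	if len(grants) == 0 || ttl < 15*time.Minute || ttl > 12*time.Hour {
		return 0, "", fmt.Errorf("need a grant and a ttl within 15m..12h (got %d, %s)", len(grants), ttl)
	}
	stmts := make([]statement, 0, len(grants))
	for _, g := range grants {
		st := statement{Effect: "Allow", Resource: "*"}
		switch {
		case !svcPrefix.MatchString(g.Service):
			return 0, "", fmt.Errorf("invalid service prefix %q", g.Service)
		case g.Access == "full":
			st.Action = []string{g.Service + ":*"}
		case g.Access == "read-only": // assumed verb set; real read actions vary by service
			st.Action = []string{g.Service + ":Get*", g.Service + ":List*", g.Service + ":Describe*"}
		default:
			return 0, "", fmt.Errorf("unknown access level %q", g.Access)
		}
		stmts = append(stmts, st)
	}
	doc, err := json.Marshal(map[string]interface{}{"Version": "2012-10-17", "Statement": stmts})
	return int32(ttl / time.Second), string(doc), err
}

func main() { // constructed sample request
	fmt.Println(SessionPolicy([]Grant{{"s3", "read-only"}, {"ec2", "full"}}, time.Hour))
}
```

Rejecting anything that is not a plain service prefix matters because the requester is the agent itself: a prefix of `*` combined with the full access level would otherwise produce `*:*`.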

Install

  • Homebrew (macOS/Linux)

    brew install builder-magic/tap/timebound-iam
  • Go install

    go install github.com/builder-magic/timebound-iam@latest
  • Binary download — Download pre-built binaries from GitHub Releases.

Setup

For the complete installation and setup guide, see https://timebound-iam.com/installation-and-setup.

  1. Configure AWS

    Run the setup wizard to generate the IAM trust policy and inline policy for the broker role:

    bin/timebound-iam setup aws
    # or specify a named profile
    bin/timebound-iam setup aws --profile my-profile

    Follow the printed instructions to create the timebound-iam-broker IAM role in your account with the generated policies.

  2. Add to Claude Code

    Register the MCP server so Claude Code can request temporary credentials on demand:

    claude mcp add --scope user timebound-iam -- timebound-iam serve

    Restart Claude Code to pick up the new server.

  3. Verify

    Verify that the MCP server is installed and running with the /mcp command in Claude Code, which should show timebound-iam as connected.

    Test the credential flow end-to-end:

    timebound-iam test

    This requests short-lived S3 read-only credentials and writes them to a temporary .env file you can use to verify access.

Contributing

Contributions in any form (suggestions, bug reports, pull requests, and feedback) are welcome. If you've found a bug, you can submit an issue or email me at rsingh@builder-magic.com.

License

This project is licensed under the Apache License, Version 2.0.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be licensed under the Apache License, Version 2.0, without any additional terms or conditions.

Contact: rsingh@builder-magic.com
