Skip to content
/ timebound-iam Public

An MCP Server that sits between your agent and AWS STS and issues temporary credentials scoped to specific AWS Services

timebound-iam.com

License

Apache-2.0 license
3 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

builder-magic/timebound-iam

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
.github
.github
 
 
timebound/aws
timebound/aws
 
 
.gitignore
.gitignore
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
justfile
justfile
 
 
main.go
main.go
 
 

Repository files navigation

timebound-iam

Timebound
AWS IAM Permissions
for Claude Code

(or any AI agent)

An MCP server that sits between your AI agent and AWS STS, issuing temporary credentials scoped to specific AWS services and access levels on demand.

CI License Apache-2.0

https://timebound-iam.com

Timebound-IAM is an MCP Server that issues short-lived, service-scoped AWS credentials via STS AssumeRole so that AI coding agents (like Claude Code) can access AWS resources without long-lived keys. Credentials are time-bounded (15 minutes to 12 hours), scoped to specific services and access levels (read-only or full), and automatically cleaned up on expiry.

Claude Code using timebound-iam

Install

  • Homebrew (macOS/Linux)

    brew install builder-magic/tap/timebound-iam

  • Go install

    go install github.com/builder-magic/timebound-iam@latest

  • Binary download — Download pre-built binaries from GitHub Releases.

Setup

For the complete installation and setup guide, see https://timebound-iam.com/installation-and-setup.

  1. Configure AWS

    Run the setup wizard to generate the IAM trust policy and inline policy for the broker role:

    bin/timebound-iam setup aws
# or specify a named profile
bin/timebound-iam setup aws --profile my-profile

    Follow the printed instructions to create the timebound-iam-broker IAM role in your account with the generated policies.

  2. Add to Claude Code

    Register the MCP server so Claude Code can request temporary credentials on demand:

    claude mcp add --scope user timebound-iam -- timebound-iam serve

    Restart Claude Code to pick up the new server.

  3. Verify

    Verify that the MCP server is installed and running with the /mcp command:

    Claude Code /mcp command showing timebound-iam connected

    Test the credential flow end-to-end:

    timebound-iam test

    This requests short-lived S3 read-only credentials and writes them to a temporary .env file you can use to verify access.

Contributing

Contributions in any form (suggestions, bug reports, pull requests, and feedback) are welcome. If you've found a bug, you can submit an issue or email me at rsingh@builder-magic.com.

License

This project is licensed under the Apache License, Version 2.0.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be licensed under the Apache License, Version 2.0, without any additional terms or conditions.

Contact: rsingh@builder-magic.com

About

An MCP Server that sits between your agent and AWS STS and issues temporary credentials scoped to specific AWS Services

timebound-iam.com

Topics

golang aws mcp iam aws-iam aws-sts ai-agents mcp-server claude-code

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

3 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 3

v0.3.0 Latest
Feb 16, 2026
+ 2 releases

Packages

No packages published

Languages