Like k9s, but for your cloud.
Browse, inspect, and manage 62 AWS resource types from your terminal. a9s gives you a real-time, keyboard-driven interface to your AWS infrastructure -- no clicking through the console, no memorizing CLI flags.
Read-only by design. a9s never makes write calls to AWS. Safe to use in production. Write operations are on the roadmap only after the project has proven itself as a trusted tool (10k+ stars).
No credential storage. a9s never reads ~/.aws/credentials. Authentication is delegated entirely to the AWS SDK's credential chain.
No telemetry. a9s never phones home.
Try without AWS. Run a9s --demo to explore the full UI with synthetic data — no AWS account needed.
- 62 AWS resource types across 12 service categories
- Real-time resource browsing with vim-style keyboard navigation
- YAML detail view for any resource (full AWS API response)
- Multi-profile and multi-region support
- Categorized menu (Compute, Storage, Database, Network, Security, CI/CD, and more)
- Column sorting by name, ID, or date
- Filter/search within resource lists
- Horizontal scrolling for wide tables
- Clipboard support (copy resource IDs and YAML)
- Tokyo Night Dark color theme
- Child view drill-downs (Listeners, Log Streams, Invocations, Tasks, Events, and more)
- 2,100+ unit tests
brew install k2m30/a9s/a9sscoop bucket add a9s https://github.com/k2m30/scoop-a9s.git
scoop install a9sgo install github.com/k2m30/a9s/v3/cmd/a9s@latestDownload the latest release for your platform from GitHub Releases.
Available platforms:
- macOS: Intel (amd64) and Apple Silicon (arm64)
- Linux: amd64 and arm64
- Windows: amd64 and arm64
Windows note: Downloaded binaries may trigger a Microsoft Defender SmartScreen warning because they are not code-signed. Click "More info" → "Run anyway" to proceed, or install via Scoop to avoid this. Windows support is new and has been verified via cross-compilation and CI only — the maintainer does not have a Windows machine. If you encounter any issues, please open an issue.
# Demo mode (no AWS credentials needed)
docker run --rm -it ghcr.io/k2m30/a9s:latest --demo
# Real AWS access
docker run --rm -it -v ~/.aws/config:/home/a9s/.aws/config:ro ghcr.io/k2m30/a9s:latestRequires Go 1.26+.
git clone https://github.com/k2m30/a9s.git
cd a9s
make build
./a9sa9s uses the standard AWS credential chain. Any of these work:
- Environment variables (
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY) - AWS config file (
~/.aws/config) — a9s never reads~/.aws/credentials - EC2 instance metadata / ECS task role / SSO
a9s # use default profile
a9s -p production # use a specific profile
a9s -r eu-west-1 # override region
a9s --version # print version| Category | Resource Types |
|---|---|
| Compute | EC2 Instances, ECS Services, ECS Clusters, ECS Tasks, Lambda Functions, Auto Scaling Groups, Elastic Beanstalk |
| Containers | EKS Clusters, EKS Node Groups |
| Networking | Load Balancers, Target Groups, Security Groups, VPCs, Subnets, Route Tables, NAT Gateways, Internet Gateways, Elastic IPs, VPC Endpoints, Transit Gateways, Network Interfaces |
| Databases & Storage | DB Instances, S3 Buckets, ElastiCache Redis, DB Clusters, DynamoDB Tables, OpenSearch Domains, Redshift Clusters, EFS File Systems, RDS Snapshots, DocDB Snapshots |
| Monitoring | CloudWatch Alarms, CloudWatch Log Groups, CloudTrail Trails |
| Messaging | SQS Queues, SNS Topics, SNS Subscriptions, EventBridge Rules, Kinesis Streams, MSK Clusters, Step Functions |
| Secrets & Config | Secrets Manager, SSM Parameters, KMS Keys |
| DNS & CDN | Route 53 Hosted Zones, CloudFront Distributions, ACM Certificates, API Gateways |
| Security & IAM | IAM Roles, IAM Policies, IAM Users, IAM Groups, WAF Web ACLs |
| CI/CD | CloudFormation Stacks, CodePipelines, CodeBuild Projects, ECR Repositories, CodeArtifact Repos |
| Data & Analytics | Glue Jobs, Athena Workgroups |
| Backup | Backup Plans, SES Identities |
| Key | Action |
|---|---|
j / Down |
Move down |
k / Up |
Move up |
g |
Go to top |
G |
Go to bottom |
Enter |
Open / select |
Esc |
Back / close |
h / Left |
Scroll left |
l / Right |
Scroll right |
PgUp / Ctrl+U |
Page up |
PgDn / Ctrl+D |
Page down |
| Key | Action |
|---|---|
d |
Detail view |
y |
YAML view |
x |
Reveal (expand) |
c |
Copy resource ID to clipboard |
/ |
Filter |
: |
Command mode |
? |
Help |
Ctrl+R |
Refresh |
r |
Open Stack Resources (CFN Stacks) |
w |
Toggle line wrap (in YAML view) |
Tab |
Autocomplete (in command mode) |
| Key | Action |
|---|---|
N |
Sort by name |
I |
Sort by ID |
A |
Sort by date |
| Key | Action |
|---|---|
q |
Quit |
Ctrl+C |
Force quit |
Press Enter on a resource to explore its nested children. Press Esc to go back.
| Parent | Child View | Key | Description |
|---|---|---|---|
| Lambda Functions | Invocations | Enter |
Recent invocations with status, duration, memory, cold start |
| Lambda Invocations | Log Lines | Enter |
Full log output for a specific invocation |
| S3 Buckets | Objects | Enter |
Browse bucket contents, drill into folders |
| Route 53 Zones | DNS Records | Enter |
View A, CNAME, MX, and other record types |
| Log Groups | Log Streams | Enter |
Streams sorted by most recent event |
| Log Streams | Log Events | Enter |
Color-coded log lines (ERROR=red, WARN=yellow) |
| Target Groups | Target Health | Enter |
Health status per target (healthy/unhealthy/draining) |
| ECS Services | Service Events | e |
Event timeline (steady state, placement failures, deployments) |
| ECS Services | Tasks | Enter |
Running and stopped tasks with status, health, stopped reason |
| ECS Services | Container Logs | L |
Application logs from CloudWatch |
| CFN Stacks | Stack Events | Enter |
Event timeline showing stack operation progress and status |
| CFN Stacks | Stack Resources | r |
Logical and physical resources in the stack with status |
| Auto Scaling Groups | Scaling Activities | Enter |
Scaling activity history with status, description, cause |
| CloudWatch Alarms | Alarm History | Enter |
State transitions, configuration updates, and action events |
| Load Balancers | Listeners | Enter |
Port, protocol, action, target, SSL policy, certificate |
Press : to enter command mode, then type a command:
| Command | Action |
|---|---|
:q / :quit |
Exit a9s |
:ctx / :profile |
Switch AWS profile |
:region |
Switch AWS region |
:help |
Show help |
:<resource> |
Jump to resource type (e.g., :ec2, :s3, :lambda) |
All resource short names work as commands.
a9s stores view configuration in ~/.a9s/views.yaml (optional — sensible defaults are built-in). AWS profiles and regions are read from ~/.aws/config. a9s never reads ~/.aws/credentials — authentication is delegated to the AWS SDK credential chain.
a9s uses read-only AWS API calls exclusively. The following managed policies provide sufficient access:
ReadOnlyAccess(broad read-only access to all services)- Or individual service policies like
AmazonEC2ReadOnlyAccess,AmazonS3ReadOnlyAccess, etc.
a9s will gracefully handle permission errors -- resources you don't have access to will show an error message instead of crashing.
See ROADMAP.md for planned features and direction.
Contributions are welcome. See CONTRIBUTING.md for development setup and guidelines.
a9s is read-only by design and never makes mutating AWS API calls. See SECURITY.md for our security policy and how to report vulnerabilities.
GPL-3.0-or-later. See LICENSE.
- Built with Bubble Tea, Lipgloss, and Bubbles by Charmbracelet
- Inspired by k9s