AWS devopsagent high security documentation change
Summary
Updated token management instructions with client types (human/agent), added secure storage recommendation for tokens using AWS Secrets Manager, restructured IDE integration steps with explicit security approvals, and added example configurations.
Security assessment
The change explicitly adds security measures by recommending token storage in AWS Secrets Manager and implements environment variable approval controls in Kiro IDE to prevent unauthorized access. This addresses potential credential exposure risks.
Diff
diff --git a/devopsagent/latest/userguide/accessing-devops-agent-connect-to-devops-agent-remote-servers.md b/devopsagent/latest/userguide/accessing-devops-agent-connect-to-devops-agent-remote-servers.md index a30bd567d..3014cb3f3 100644 --- a//devopsagent/latest/userguide/accessing-devops-agent-connect-to-devops-agent-remote-servers.md +++ b//devopsagent/latest/userguide/accessing-devops-agent-connect-to-devops-agent-remote-servers.md @@ -43 +43 @@ Two authentication methods are available for both MCP and A2A endpoints: - * **AWS SigV4** – AWS credential-based authentication. Supports multiple Agent Spaces and integrates with existing AWS identity governance. Handled automatically by [mcp-proxy-for-aws](https://github.com/awslabs/mcp-proxy-for-aws), a local proxy that signs requests using your AWS credentials. + * **AWS SigV4** – AWS credential-based authentication. Supports multiple Agent Spaces and integrates with existing AWS identity governance. Handled automatically by [mcp-proxy-for-aws](https://github.com/aws/mcp-proxy-for-aws), a local proxy that signs requests using your AWS credentials. @@ -78 +78 @@ Two authentication methods are available for both MCP and A2A endpoints: - 2. Choose **Create access token**. + 2. Choose **Generate token**. @@ -88 +88 @@ Two authentication methods are available for both MCP and A2A endpoints: - 5. Set an expiration (1 to 60 days). + 5. Choose a client type: @@ -90 +90,7 @@ Two authentication methods are available for both MCP and A2A endpoints: - 6. Copy the token value and store it in a safe, secure location. You cannot retrieve it again. + * `human` – For IDE and CLI usage (Kiro, Claude Code, Cursor, and other interactive tools). + + * `agent` – For autonomous A2A integrations and programmatic agents. + + 6. Set an expiration (1 to 60 days). + + 7. Copy the token value and store it in a safe, secure location, such as [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html). You cannot retrieve it again. @@ -99 +105 @@ After creating a token, the web app displays a configuration example that you ca - 1. Install the **aws-devops-agent** power from the Powers marketplace. +For [Kiro](https://kiro.dev/) users, a dedicated **AWS DevOps Agent** power is available from the IDE or from the [Kiro Powers marketplace](https://kiro.dev/powers/#aws-devops-agent). @@ -101 +107 @@ After creating a token, the web app displays a configuration example that you ca - 2. Set the following environment variables to configure the connection: +**Step 1: Install the power** @@ -102,0 +109 @@ After creating a token, the web app displays a configuration example that you ca +Install the **aws-devops-agent** power from the Powers marketplace. @@ -103,0 +111 @@ After creating a token, the web app displays a configuration example that you ca +**Step 2: Set environment variables** @@ -104,0 +113 @@ After creating a token, the web app displays a configuration example that you ca +Set the following environment variables to configure the connection: @@ -106 +114,0 @@ After creating a token, the web app displays a configuration example that you ca -``` DEVOPS_AGENT_TOKEN=<your-token> DEVOPS_AGENT_REGION=<your-agent-space-region> ``` @@ -108 +116,2 @@ After creating a token, the web app displays a configuration example that you ca - 1. Approve the environment variable prompt when it appears. + DEVOPS_AGENT_TOKEN=<your-access-token> + DEVOPS_AGENT_REGION=<your-agent-space-region> @@ -110 +119 @@ After creating a token, the web app displays a configuration example that you ca - 2. Restart the IDE when necessary. +**Step 3: Approve the variables in Kiro** @@ -111,0 +121 @@ After creating a token, the web app displays a configuration example that you ca +Go to **Settings** > **MCP Approved Env Vars** and approve `DEVOPS_AGENT_TOKEN` and `DEVOPS_AGENT_REGION`. Kiro does not pass environment variables to MCP servers until they are approved. @@ -112,0 +123 @@ After creating a token, the web app displays a configuration example that you ca +**Step 4: Restart Kiro** @@ -113,0 +125 @@ After creating a token, the web app displays a configuration example that you ca +Restart Kiro to apply the changes. @@ -119,3 +131 @@ The Kiro power includes `aws-mcp` as a fallback, which provides direct AWS API a - 1. Install the **aws-devops-agent** plugin. - - 2. Set the following environment variables to configure the connection: +For [Claude Code](https://code.claude.com/docs/en/overview) users, AWS DevOps Agent is available from the **aws-agents-for-devsecops** Claude plugin, which brings both AWS DevOps Agent and AWS Security Agent capabilities into Claude. Install it from [Claude plugins](https://claude.com/plugins/aws-agents-for-devsecops) or the [source repository](https://github.com/aws/agent-toolkit-for-aws/tree/main/plugins/aws-agents-for-devsecops). @@ -122,0 +133 @@ The Kiro power includes `aws-mcp` as a fallback, which provides direct AWS API a + 1. Install the **aws-agents-for-devsecops** plugin. @@ -123,0 +135 @@ The Kiro power includes `aws-mcp` as a fallback, which provides direct AWS API a + 2. Run the `/aws-agents-for-devsecops:setup-devops-agent` command to configure your connection. @@ -126 +137,0 @@ The Kiro power includes `aws-mcp` as a fallback, which provides direct AWS API a -``` DEVOPS_AGENT_TOKEN=<your-token> DEVOPS_AGENT_REGION=<your-agent-space-region> ``` @@ -128 +138,0 @@ The Kiro power includes `aws-mcp` as a fallback, which provides direct AWS API a -The Claude Code plugin includes `aws-mcp` as a fallback, which provides direct AWS API access when the remote server endpoint is unavailable. @@ -142,0 +153,18 @@ For any MCP-compatible client, configure the server with: +This configuration also works with Kiro and Claude Code if you prefer to configure the connection manually instead of using the dedicated power or plugin. + +Example MCP configuration: + + + { + "mcpServers": { + "aws-devops-agent": { + "url": "https://connect.aidevops.{region}.api.aws/mcp", + "headers": { + "Authorization": "Bearer <your-access-token>" + } + } + } + } + +Replace `{region}` with your Agent Space's Region (for example, `us-east-1`) and `<your-access-token>` with the token value. + @@ -168,0 +197,22 @@ SigV4 authentication uses your AWS credentials instead of an access token. The K +### Example configuration + +To configure an MCP client to use SigV4 instead of an access token, run the server through `mcp-proxy-for-aws`. Replace `{region}` with your Agent Space's Region (for example, `us-east-1`): + + + { + "mcpServers": { + "aws-devops-agent": { + "command": "uvx", + "timeout": 120000, + "args": [ + "mcp-proxy-for-aws@latest", + "https://connect.aidevops.{region}.api.aws/mcp", + "--service", "aidevops", + "--region", "{region}" + ] + } + } + } + +The proxy signs each request with your local AWS credentials, so no access token is required. +