AWS Credential Setup Guide
Overview
This guide walks you through creating AWS credentials for the Infra Execution Layer MCP server.
Step 1: Create an IAM User
- Log in to the AWS Management Console
- Navigate to IAM → Users → Create user
- Enter a user name (e.g.,
infra-execution-layer) - Click Next
Step 2: Set Permissions
Choose Attach policies directly and add these policies:
Minimum Required Permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*",
"rds:*",
"s3:*",
"lambda:*",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"cloudformation:*"
],
"Resource": "*"
}
]
}
Or Use Managed Policies
For easier setup, attach these AWS managed policies:
AmazonEC2FullAccessAmazonRDSFullAccessAmazonS3FullAccessAWSLambda_FullAccessIAMFullAccess(only if creating roles)CloudFormationFullAccess
Step 3: Create Access Key
- After creating the user, go to the user's Security credentials tab
- Click Create access key
- Choose Other as the use case
- Click Next
- Click Create access key
- Copy both values:
- Access Key ID (starts with
AKIA...) - Secret Access Key
- Access Key ID (starts with
⚠️ Important: The Secret Access Key is shown only once. Copy it immediately.
Step 4: Store Credentials in MCP
Option A: Using the MCP Tool
Ask the agent to store your credentials:
Store my AWS credentials with name "Production AWS"
Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Region: us-east-1
Option B: Using the Setup Script
node scripts/setup-credentials.js
Step 5: Verify Setup
Ask the agent:
List my stored credentials
You should see your credentials listed with the name you provided.
Security Notes
- Credentials are encrypted at rest using AES-256-GCM
- Raw credentials are never exposed in MCP responses
- Credentials are stored locally in
~/.infra-execution-layer/credentials/ - For production, use IAM roles instead of access keys when possible
Next Steps
Once credentials are stored, you can test the full deployment flow:
Deploy a production-ready web application with a database
The agent will:
- Generate deployment suggestions
- Show pricing estimates
- Use your stored credentials to deploy
- Provide outputs (instance IDs, endpoints, etc.)