AWS DevOps Agent — Claude Setup
The instructions below are specifically for setting up the AWS DevOps Agent plugin for Claude applications. For other clients, use this as a reference, but adjust the instructions based on the client's specific requirements.
Step 0: Check if setup is needed
1/ Check if the "aws-devops-agent" MCP server is running. If it is, verify that it has a valid connection (see "Step 3: Verify connectivity").
If verification is successful, you should inform the user that the plugin is already setup using
. Offer that you can switch the configuration to
, see "Step 2: Decide auth path" below for details.
If the user does not want to change their auth configuration, then you are DONE STOP HERE.
2/ Check for an MCP server config with a key "aws-devops-agent" in the following locations:
- Plugin scoped:
${CLAUDE_PLUGIN_ROOT}/.mcp.json
- Project-scoped: .mcp.json (in your project directory, version-controlled)
- Project-specific: .claude/settings.local.json (in your project directory)
- User-specific local: ~/.claude/settings.local.json
- User-specific global: ~/.claude/settings.json
- Main Claude.json: ~/.claude.json
- Dedicated MCP file: ~/.claude/mcp_servers.json
Then:
- If key exists AND the server is connected (tools are available, see "Step 3: Verify connectivity") → Inform the user: "DevOps Agent is already configured and connected."; If Bearer Token is used in the MCP config, suggest that you can alternatively setup the plugin to use SigV4 credentials for the AWS DevOps Agent (multiple agent spaces, admin tooling). If SigV4 credentials are used in the MCP config, suggest that you can alternatively setup the plugin to use Bearer Token credentials for the AWS DevOps Agent (single agent space).
- If key exists but is failing → continue to "Step 1: Diagnose current state"
- If key does NOT exist → continue to "Step 1: Diagnose current state"
Step 1: Diagnose current state
Run these checks:
bash
# Bearer token
echo "DEVOPS_AGENT_TOKEN: $([ -n "$DEVOPS_AGENT_TOKEN" ] && echo 'set' || echo 'not set')"
echo "DEVOPS_AGENT_REGION: ${DEVOPS_AGENT_REGION:-not set}"
# SigV4 dependencies
uvx --version 2>&1
# AWS credentials
aws sts get-caller-identity 2>&1
Determine:
- = is set AND is set
- =
aws sts get-caller-identity
succeeds AND is installed
Step 2: Decide auth path
After diagnostics, ALWAYS ask the user which path they want — even if only one is available. Present what you found and let them choose.
The user may want to use bearer token if they only have access to the operator app for an agent space.
The user may want to use SigV4 if they use multiple agent spaces and/or have admin permissions to manage agent spaces.
| Bearer ready | SigV4 ready | Action |
|---|
| yes | yes | "You have both a bearer token and AWS credentials configured. Which would you prefer for the DevOps Agent? Bearer token (single agent space) or AWS credentials / SigV4 (multiple agent spaces and admin tooling)?" |
| yes | no | "You have a bearer token configured. Would you like me to set up the DevOps Agent using your Bearer token (single agent space)? Or would you prefer to configure AWS credentials / SigV4 instead (multiple agent spaces and admin tooling)?" |
| no | yes | "You have valid AWS credentials. Would you like me to set up the DevOps Agent using SigV4 (multiple agent spaces and admin tooling)? Or would you prefer to set up a Bearer token instead (single agent space)?" |
| no | no | "Neither a bearer token nor AWS credentials are configured. Would you like to connect via Bearer token (single agent space) or AWS credentials / SigV4 (multiple agent spaces and admin tooling)?" Then guide them through the chosen path. |
If the user would like to setup a bearer token, refer them to the AWS docs for
Connect to DevOps Agent remote servers
or walk them through the steps to create a access token from this document.
Do NOT proceed to Step 3 until the user confirms their choice.
Step 3: Verify connectivity
If the "aws-devops-agent" MCP server is already running, check if you can list tools. If you can, then you have verified the connection.
Otherwise, proceed.
Verify BEFORE writing
. This confirms the credentials work against the live endpoint. Or use this to verify an existing MCP server config.
Bearer verification
bash
curl -s -w "\nHTTP_STATUS: %{http_code}" \
-X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $DEVOPS_AGENT_TOKEN" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
"https://connect.aidevops.${DEVOPS_AGENT_REGION}.api.aws/mcp"
| Result | Meaning | Action |
|---|
| HTTP 200 + array | Success | Proceed to Step 4 |
| HTTP 401 | Token invalid or expired | Tell user to create a new token in the Operator Web App |
| HTTP 403 | Token scope insufficient | Tell user token needs + scopes |
| Connection refused / timeout | Endpoint unreachable | If SigV4 is available, offer fallback. Otherwise report unavailable. |
SigV4 verification
bash
timeout 30 bash -c '
{
echo "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"initialize\",\"params\":{\"protocolVersion\":\"2024-11-05\",\"capabilities\":{},\"clientInfo\":{\"name\":\"setup-check\",\"version\":\"1.0\"}}}"
sleep 0.5
echo "{\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\"}"
sleep 0.5
echo "{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/list\",\"params\":{}}"
sleep 8
} | uvx mcp-proxy-for-aws@latest "https://connect.aidevops.${DEVOPS_AGENT_REGION}.api.aws/mcp" --service aidevops --region "$DEVOPS_AGENT_REGION"
'
Note: The first run may take 10-15s as
downloads
and its dependencies. Subsequent runs are near-instant.
| Result | Meaning | Action |
|---|
| Second line contains | Success | Proceed to Step 4 |
| No output / timeout | Credentials invalid or endpoint unreachable | Check aws sts get-caller-identity
again |
| in stderr | AWS session expired | Tell user to re-authenticate ( or refresh creds) |
| Missing IAM permissions | User needs DevOps Agent permissions on their role |
Step 4: Confirm and write
Before writing, confirm with the user:
"I've verified connectivity. I'll now add the
[Bearer token / SigV4] MCP server to the plugin's
. Proceed?"
Only write after the user confirms. Write ONE server entry — never both. Install the MCP config in
${CLAUDE_PLUGIN_ROOT}/.mcp.json
. You can also offer to install the MCP server at the workspace level. The installation options are:
- Plugin scoped:
${CLAUDE_PLUGIN_ROOT}/.mcp.json
(default)
- Project-scoped: .mcp.json (in your project directory, version-controlled)
- Project-specific: .claude/settings.local.json (in your project directory)
Bearer config
json
{
"mcpServers": {
"aws-devops-agent": {
"type": "http",
"url": "https://connect.aidevops.${DEVOPS_AGENT_REGION}.api.aws/mcp",
"headers": {
"Authorization": "Bearer ${DEVOPS_AGENT_TOKEN}"
},
"timeout": 120000
}
}
}
SigV4 config
Replace
with the user's actual region:
json
{
"mcpServers": {
"aws-devops-agent": {
"command": "uvx",
"timeout": 120000,
"args": [
"mcp-proxy-for-aws@latest",
"https://connect.aidevops.<REGION>.api.aws/mcp",
"--service", "aidevops",
"--region", "<REGION>"
]
}
}
}
Fallback (aws-mcp)
Only add if the primary
endpoint is unreachable AND SigV4 credentials are available:
json
{
"mcpServers": {
"aws-mcp": {
"command": "uvx",
"timeout": 100000,
"args": [
"mcp-proxy-for-aws@latest",
"https://aws-mcp.us-east-1.api.aws/mcp",
"--metadata",
"AWS_REGION=us-east-1"
]
}
}
}
For Sigv4 only: After writing the new MCP config, inform the user that the MCP server has been written successfully. Proceed to the next step.
Step 5: Multi-space routing (SigV4 only)
After successful SigV4 setup, discover and configure AgentSpace routing:
- Call via the newly connected MCP to discover available spaces
- Present the list to the user
- If multiple spaces exist, write a routing guide to
.claude/aws-agents-for-devsecops.md
:
markdown
# AWS DevOps Agent — Routing Guide
|-------|----------------|---------|
| <name> | <id> | <ask user> |
- Instruct: pass on every tool call when targeting a specific space.
Step 6: Reload plugin
Inform the user that they will need to run /reload-plugins to start the new MCP server. You may
need to prompt the user to run it. Also mention that after restarting the MCP server they should try the following prompts:
- setup multi-space routing (SigV4 only)
- <list skill and prompt suggestions from ${CLAUDE_PLUGIN_ROOT}/README.md>
Bearer token guidance (for users who need to create one)
-
Open the AWS DevOps Agent Operator Web App for your AgentSpace
-
Navigate to Settings → Access tokens → Generate token
-
Create a token with Permissions:
-
Set environment variables:
bash
export DEVOPS_AGENT_TOKEN="<your-token>"
export DEVOPS_AGENT_REGION="<your-region>"
-
Restart Claude Code (it reads env vars from the shell that launched it)
Important: Without
permissions, the
and
tools will be completely invisible — not just fail, but absent from the tool list.
SigV4 guidance (for users who need to configure AWS credentials)
-
- macOS:
- Linux:
curl -LsSf https://astral.sh/uv/install.sh | sh
-
Configure AWS credentials:
bash
aws configure sso --profile devops-agent
aws sso login --profile devops-agent
export AWS_PROFILE=devops-agent
-
Set the region:
bash
export DEVOPS_AGENT_REGION="<your-region>"
-
Verify:
aws sts get-caller-identity
-
The IAM role must have DevOps Agent permissions (e.g., managed policy with aidevops access)
Important: Unset
when using SigV4. If both are set, clients may attempt bearer auth instead of the signing proxy.
Troubleshooting
| Error | Cause | Fix |
|---|
| No tools visible | Token not set or Claude Code not restarted | Set + , restart |
| HTTP 401 | Token invalid/expired | Create new token in Operator Web App |
| / missing | Token scope is only | Create token with scope |
| Connection refused / timeout | Endpoint unreachable | Check network; if SigV4 available, offer fallback |
| AWS session credentials expired | or refresh credentials |
| (SigV4) | Missing IAM permissions | Use a role with DevOps Agent access |
| Proxy won't start | not installed | (macOS) or install per platform |
| Tools appear but calls timeout | Normal for (5-30s) | Ensure in mcp.json |