timebound-iam

Timebound-IAM acts as an MCP server that intermediates between an AI agent (such as Claude Code) and AWS STS to issue short-lived, service-scoped credentials. It lets you request temporary credentials scoped to specific AWS services and access levels, so your agent can access necessary resources without long-lived keys. Once running, Claude Code can register the MCP server and request credentials on-demand, and you can also use the standalone CLI to wrap shell commands with credentials for automated tasks. The server supports scopes like service:level (ro for read-only or full access) and can return credentials that expire after a defined window (from minutes to hours). The built-in CLI also allows you to print environment exports or run commands with temporary credentials injected into the environment. To use it with Claude Code, install and start the server, then run the Claude MCP integration commands to connect and verify the server is active. The CLI also includes a test flow that fetches credentials for S3 read-only access and writes them to a temporary file for verification.

Prerequisites:

• Go tooling installed (Go 1.20+ recommended)
• Access to AWS to create and configure the broker IAM role
• Optional: Homebrew (macOS/Linux) or prebuilt binaries

Installation steps:

1. Homebrew (macOS/Linux): brew install builder-magic/tap/timebound-iam

2. Go install (build from source or fetch): go install github.com/builder-magic/timebound-iam@latest

3. Binary download (prebuilt):

   • Visit the GitHub Releases page for builder-magic/timebound-iam
   • Download the appropriate binary for your OS
   • Ensure the binary is in your PATH

4. Run the setup and configuration instructions from the project documentation to create and configure the broker role in AWS, then register the MCP server with Claude Code as described in the Setup section of the README.

Notes and tips:

• The broker role in AWS must have policies that allow creating and issuing STS tokens for the requested scopes.
• Ensure your environment variables (AWS_REGION, broker role ARN, etc.) are correctly set or provided to the MCP server process.
• When testing with the CLI, use the provided test flow to verify that credentials are issued and can access the intended services (e.g., S3 read-only).
• If you encounter issues with Claude Code integration, restart Claude Code after registering the MCP server so it picks up the new server configuration.
• The time-bound credentials are designed to minimize risk; choose an expiration window that aligns with your security policies (e.g., 15 minutes to 2 hours).
• For production deployments, consider running the server behind a secure load balancer and enabling proper IAM role trust relationships and least-privilege policies.