AWS
Give your agent access to AWS services — S3, SQS, DynamoDB, and more. The Pai sidecar signs every request with AWS SigV4 so the agent never handles credentials.
Get credentials
Create an IAM user or role with the required permissions, then generate an access key:
- Go to IAM → Users → your-user → Security credentials
- Click Create access key
- Copy the Access key ID and Secret access key
Setup
```bash
# 1. Store the credentials
pai add secret aws-creds \
  --from-literal access_key_id=AKIAIOSFODNN7EXAMPLE \
  --from-literal secret_access_key=wJalrXUtnFEMI...

# 2. Create the provider
pai apply -f - <<EOF
apiVersion: pai.io/v1
kind: Provider
metadata:
  name: s3-reader
spec:
  type: aws
  auth:
    type: aws-sigv4
    secretRef: aws-creds
  config:
    region: us-east-1
    services: [s3]
  policy:
    allow:
      - s3:GetObject
      - s3:ListBucket
      - s3:HeadObject
    deny:
      - s3:DeleteObject
      - s3:PutObject
  scope:
    resources:
      - "arn:aws:s3:::my-bucket/*"
EOF
```
Attach to an agent
```yaml
spec:
  providers:
    - s3-reader
```
Config fields
| Field | Description |
|---|---|
| config.region | AWS region (e.g. us-east-1) |
| config.services | Restrict to specific services (e.g. [s3, sqs, dynamodb]). Omit to allow all |
Supported actions
Actions use the standard AWS IAM format service:Action:
| Service | Example actions |
|---|---|
| S3 | s3:GetObject, s3:PutObject, s3:ListBucket, s3:DeleteObject |
| SQS | sqs:SendMessage, sqs:ReceiveMessage, sqs:DeleteMessage |
| DynamoDB | dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query, dynamodb:Scan |
| Lambda | lambda:InvokeFunction |
| Secrets Manager | secretsmanager:GetSecretValue |
Resource scope
Restrict access to specific ARNs:
```yaml
scope:
  resources:
    - "arn:aws:s3:::my-bucket/*"
    - "arn:aws:sqs:us-east-1:123456789012:my-queue"
```
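
A pre-apply check for the fields described on this page, as an added example (not Pai's own code or validation): it flags actions or ARNs whose service falls outside config.services, actions listed in both allow and deny, and wildcard allows. It assumes config, policy and scope sit directly under spec; `lint_provider`, `arn_service` and both sample specs are hypothetical.

```python
# Added example, not Pai's own validation; the choice of checks is an assumption.

def arn_service(arn):
    """Service field of an ARN: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"{arn}: not an ARN")
    return parts[2]

def lint_provider(spec):
    """Return sorted findings for one Provider spec; an empty list means clean."""
    findings = set()
    services = set(spec.get("config", {}).get("services", []))
    policy = spec.get("policy", {})
    allow, deny = policy.get("allow", []), policy.get("deny", [])
    resources = spec.get("scope", {}).get("resources", [])
    if not services:
        findings.add("config.services omitted: all services allowed")
    for action in allow + deny:
        service, _, name = action.partition(":")
        if not name:
            findings.add(f"{action}: not in service:Action form")
        elif services and service not in services:
            findings.add(f"{action}: service not in config.services")
        if "*" in action and action in allow:
            findings.add(f"{action}: wildcard in allow list")
    for action in set(allow) & set(deny):
        findings.add(f"{action}: listed in both allow and deny")
    if not resources:
        findings.add("scope.resources empty: no ARN restriction declared")
    for arn in resources:
        try:
            if services and arn_service(arn) not in services:
                findings.add(f"{arn}: service not in config.services")
        except ValueError as exc:
            findings.add(str(exc))
    return sorted(findings)

# Constructed inputs: GOOD mirrors the page's s3-reader spec, BAD is made up.
GOOD = {"config": {"region": "us-east-1", "services": ["s3"]},
        "policy": {"allow": ["s3:GetObject", "s3:ListBucket", "s3:HeadObject"],
                   "deny": ["s3:DeleteObject", "s3:PutObject"]},
        "scope": {"resources": ["arn:aws:s3:::my-bucket/*"]}}
BAD = {"config": {"region": "us-east-1", "services": ["s3"]},
       "policy": {"allow": ["s3:GetObject", "s3:*", "sqs:SendMessage"],
                  "deny": ["s3:GetObject"]},
       "scope": {"resources": ["arn:aws:sqs:us-east-1:123456789012:my-queue"]}}

if __name__ == "__main__":
    print("\n".join(lint_provider(BAD)))
```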