setup-devops-agent

AWS DevOps Agent — Claude Setup

The instructions below are specifically for setting up the AWS DevOps Agent plugin for Claude applications. For other clients, use this as a reference, but adjust the instructions based on the client's specific requirements.

Step 0: Check if setup is needed

1/ Check if the "aws-devops-agent" MCP server is running. If it is, verify that it has a valid connection (see "Step 3: Verify connectivity").

If verification is successful, you should inform the user that the plugin is already setup using SigV4 or Bearer Token. Offer that you can switch the configuration to Bearer Token or SigV4, see "Step 2: Decide auth path" below for details.

If the user does not want to change their auth configuration, then you are DONE STOP HERE.

2/ Check for an MCP server config with a key "aws-devops-agent" in the following locations:

• Plugin scoped: ${CLAUDE_PLUGIN_ROOT}/.mcp.json
• Project-scoped: .mcp.json (in your project directory, version-controlled)
• Project-specific: .claude/settings.local.json (in your project directory)
• User-specific local: ~/.claude/settings.local.json
• User-specific global: ~/.claude/settings.json
• Main Claude.json: ~/.claude.json
• Dedicated MCP file: ~/.claude/mcp_servers.json

Then:

• If aws-devops-agent key exists AND the server is connected (tools are available, see "Step 3: Verify connectivity") → Inform the user: "DevOps Agent is already configured and connected."; If Bearer Token is used in the MCP config, suggest that you can alternatively setup the plugin to use SigV4 credentials for the AWS DevOps Agent (multiple agent spaces, admin tooling). If SigV4 credentials are used in the MCP config, suggest that you can alternatively setup the plugin to use Bearer Token credentials for the AWS DevOps Agent (single agent space).
• If aws-devops-agent key exists but is failing → continue to "Step 1: Diagnose current state"
• If aws-devops-agent key does NOT exist → continue to "Step 1: Diagnose current state"

---

Step 1: Diagnose current state

Run these checks:

# Bearer token
echo "DEVOPS_AGENT_TOKEN: $([ -n "$DEVOPS_AGENT_TOKEN" ] && echo 'set' || echo 'not set')"
echo "DEVOPS_AGENT_REGION: ${DEVOPS_AGENT_REGION:-not set}"

# SigV4 dependencies
uvx --version 2>&1

# AWS credentials
aws sts get-caller-identity 2>&1

Determine:

• bearer_ready = DEVOPS_AGENT_TOKEN is set AND DEVOPS_AGENT_REGION is set
• sigv4_ready = aws sts get-caller-identity succeeds AND uvx is installed

---

Step 2: Decide auth path

After diagnostics, ALWAYS ask the user which path they want — even if only one is available. Present what you found and let them choose.

The user may want to use bearer token if they only have access to the operator app for an agent space.

The user may want to use SigV4 if they use multiple agent spaces and/or have admin permissions to manage agent spaces.

Bearer ready	SigV4 ready	Action
yes	yes	"You have both a bearer token and AWS credentials configured. Which would you prefer for the DevOps Agent? Bearer token (single agent space) or AWS credentials / SigV4 (multiple agent spaces and admin tooling)?"
yes	no	"You have a bearer token configured. Would you like me to set up the DevOps Agent using your Bearer token (single agent space)? Or would you prefer to configure AWS credentials / SigV4 instead (multiple agent spaces and admin tooling)?"
no	yes	"You have valid AWS credentials. Would you like me to set up the DevOps Agent using SigV4 (multiple agent spaces and admin tooling)? Or would you prefer to set up a Bearer token instead (single agent space)?"
no	no	"Neither a bearer token nor AWS credentials are configured. Would you like to connect via Bearer token (single agent space) or AWS credentials / SigV4 (multiple agent spaces and admin tooling)?" Then guide them through the chosen path.

If the user would like to setup a bearer token, refer them to the AWS docs for Connect to DevOps Agent remote servers or walk them through the steps to create a access token from this document.

Do NOT proceed to Step 3 until the user confirms their choice.

---

Step 3: Verify connectivity

If the "aws-devops-agent" MCP server is already running, check if you can list tools. If you can, then you have verified the connection.

Otherwise, proceed.

Verify BEFORE writing .mcp.json. This confirms the credentials work against the live endpoint. Or use this to verify an existing MCP server config.

Bearer verification

curl -s -w "\nHTTP_STATUS: %{http_code}" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DEVOPS_AGENT_TOKEN" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
  "https://connect.aidevops.${DEVOPS_AGENT_REGION}.api.aws/mcp"

Result	Meaning	Action
HTTP 200 + result.tools array	Success	Proceed to Step 4
HTTP 401	Token invalid or expired	Tell user to create a new token in the Operator Web App
HTTP 403	Token scope insufficient	Tell user token needs agent:read + agent:operate scopes
Connection refused / timeout	Endpoint unreachable	If SigV4 is available, offer fallback. Otherwise report unavailable.

SigV4 verification

timeout 30 bash -c '
{
echo "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"initialize\",\"params\":{\"protocolVersion\":\"2024-11-05\",\"capabilities\":{},\"clientInfo\":{\"name\":\"setup-check\",\"version\":\"1.0\"}}}"
sleep 0.5
echo "{\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\"}"
sleep 0.5
echo "{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/list\",\"params\":{}}"
sleep 8
} | uvx mcp-proxy-for-aws@latest "https://connect.aidevops.${DEVOPS_AGENT_REGION}.api.aws/mcp" --service aidevops --region "$DEVOPS_AGENT_REGION"
'

Note: The first run may take 10-15s as uvx downloads mcp-proxy-for-aws and its dependencies. Subsequent runs are near-instant.

Result	Meaning	Action
Second line contains result.tools	Success	Proceed to Step 4
No output / timeout	Credentials invalid or endpoint unreachable	Check aws sts get-caller-identity again
ExpiredTokenException in stderr	AWS session expired	Tell user to re-authenticate (aws sso login or refresh creds)
AccessDeniedException	Missing IAM permissions	User needs DevOps Agent permissions on their role

---

Step 4: Confirm and write .mcp.json

Before writing, confirm with the user:

"I've verified connectivity. I'll now add the [Bearer token / SigV4] MCP server to the plugin's .mcp.json. Proceed?"

Only write after the user confirms. Write ONE server entry — never both. Install the MCP config in ${CLAUDE_PLUGIN_ROOT}/.mcp.json. You can also offer to install the MCP server at the workspace level. The installation options are:

• Plugin scoped: ${CLAUDE_PLUGIN_ROOT}/.mcp.json (default)
• Project-scoped: .mcp.json (in your project directory, version-controlled)
• Project-specific: .claude/settings.local.json (in your project directory)

Bearer config

{
  "mcpServers": {
    "aws-devops-agent": {
      "type": "http",
      "url": "https://connect.aidevops.${DEVOPS_AGENT_REGION}.api.aws/mcp",
      "headers": {
        "Authorization": "Bearer ${DEVOPS_AGENT_TOKEN}"
      },
      "timeout": 120000
    }
  }
}

SigV4 config

Replace <REGION> with the user's actual region:

{
  "mcpServers": {
    "aws-devops-agent": {
      "command": "uvx",
      "timeout": 120000,
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://connect.aidevops.<REGION>.api.aws/mcp",
        "--service", "aidevops",
        "--region", "<REGION>"
      ]
    }
  }
}

Fallback (aws-mcp)

Only add if the primary aws-devops-agent endpoint is unreachable AND SigV4 credentials are available:

{
  "mcpServers": {
    "aws-mcp": {
      "command": "uvx",
      "timeout": 100000,
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://aws-mcp.us-east-1.api.aws/mcp",
        "--metadata",
        "AWS_REGION=us-east-1"
      ]
    }
  }
}

For Sigv4 only: After writing the new MCP config, inform the user that the MCP server has been written successfully. Proceed to the next step.

---

Step 5: Multi-space routing (SigV4 only)

After successful SigV4 setup, discover and configure AgentSpace routing:

1. Call list_agent_spaces via the newly connected MCP to discover available spaces
2. Present the list to the user
3. If multiple spaces exist, write a routing guide to .claude/aws-agents-for-devsecops.md:

# AWS DevOps Agent — Routing Guide

| Space | Agent Space ID | Purpose |
|-------|----------------|---------|
| <name> | <id> | <ask user> |

1. Instruct: pass agent_space_id on every tool call when targeting a specific space.

---

Step 6: Reload plugin

Inform the user that they will need to run /reload-plugins to start the new MCP server. You may need to prompt the user to run it. Also mention that after restarting the MCP server they should try the following prompts:

• setup multi-space routing (SigV4 only)
• <list skill and prompt suggestions from ${CLAUDE_PLUGIN_ROOT}/README.md>

---

Bearer token guidance (for users who need to create one)

1. Open the AWS DevOps Agent Operator Web App for your AgentSpace

2. Navigate to Settings → Access tokens → Generate token

3. Create a token with Permissions: Operate

4. Set environment variables:

   export DEVOPS_AGENT_TOKEN="<your-token>"
   export DEVOPS_AGENT_REGION="<your-region>"
   

   Available regions: https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent-supported-regions.html

5. Restart Claude Code (it reads env vars from the shell that launched it)

Important: Without Operate permissions, the chat and investigate tools will be completely invisible — not just fail, but absent from the tool list.

---

SigV4 guidance (for users who need to configure AWS credentials)

1. Install uvx if not present:

   • macOS: brew install uv
   • Linux: curl -LsSf https://astral.sh/uv/install.sh | sh

2. Configure AWS credentials:

   aws configure sso --profile devops-agent
   aws sso login --profile devops-agent
   export AWS_PROFILE=devops-agent
   

3. Set the region:

   export DEVOPS_AGENT_REGION="<your-region>"
   

4. Verify: aws sts get-caller-identity

5. The IAM role must have DevOps Agent permissions (e.g., managed policy with aidevops access)

Important: Unset DEVOPS_AGENT_TOKEN when using SigV4. If both are set, clients may attempt bearer auth instead of the signing proxy.

---

Troubleshooting

Error	Cause	Fix
No tools visible	Token not set or Claude Code not restarted	Set DEVOPS_AGENT_TOKEN + DEVOPS_AGENT_REGION, restart
HTTP 401	Token invalid/expired	Create new token in Operator Web App
chat/investigate missing	Token scope is agent:read only	Create token with agent:operate scope
Connection refused / timeout	Endpoint unreachable	Check network; if SigV4 available, offer aws-mcp fallback
ExpiredTokenException	AWS session credentials expired	aws sso login or refresh credentials
AccessDeniedException (SigV4)	Missing IAM permissions	Use a role with DevOps Agent access
Proxy won't start	uvx not installed	brew install uv (macOS) or install per platform
Tools appear but calls timeout	Normal for chat (5-30s)	Ensure "timeout": 120000 in mcp.json