Add AWS MCP Server integration + IAM self-modify with approval gate

- CDK: add compute/build, broad read-only, IAM self-modify (scoped to own role), IAM policy management, and SSM read permissions to runtime1Role - config.py: load /agent-claw/aws-mcp-url from SSM at cold start - main.py: connect to AWS MCP Server with SigV4 auth (_AwsMcpSigV4Auth); add request_iam_permission and apply_iam_permission tools - agentcore.json: add EXECUTION_ROLE_ARN env var
2026-05-15 08:56:06 -05:00
parent 68aad4fb71
commit 88ed337938
4 changed files with 141 additions and 5 deletions
--- a/agentclaw/app/agent_claw_main/config.py
+++ b/agentclaw/app/agent_claw_main/config.py
@@ -1,10 +1,11 @@
-"""Config loader — fetches model IDs from SSM Parameter Store at cold start."""
+"""Config loader — fetches model IDs and service URLs from SSM Parameter Store at cold start."""

 import boto3

 _DEFAULTS = {
    '/agent-claw/model-id': 'us.anthropic.claude-sonnet-4-6',
    '/agent-claw/config/compaction_model_id': 'us.anthropic.claude-3-5-haiku-20241022-v1:0',
+    '/agent-claw/aws-mcp-url': 'https://aws-mcp.us-east-1.api.aws/mcp',
 }


@@ -23,3 +24,4 @@ _params = _load()

 AGENT_MODEL_ID: str = _params['/agent-claw/model-id']
 COMPACTION_MODEL_ID: str = _params['/agent-claw/config/compaction_model_id']
+AWS_MCP_URL: str = _params['/agent-claw/aws-mcp-url']