PyPI - awslabs.iam-mcp-server - Versions diffs - 1.0.1__py3-none-any.whl → 1.0.3__py3-none-any.whl - Mend

awslabs.iam-mcp-server 1.0.1py3-none-any.whl → 1.0.3py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

awslabs/iam_mcp_server/server.py CHANGED Viewed

@@ -22,8 +22,17 @@ from awslabs.iam_mcp_server.errors import IamClientError, IamValidationError, ha
 from awslabs.iam_mcp_server.models import (
     AccessKey,
     AttachedPolicy,
+    CreateGroupResponse,
     CreateUserResponse,
+    GroupDetailsResponse,
+    GroupMembershipResponse,
+    GroupPolicyAttachmentResponse,
+    GroupsListResponse,
+    IamGroup,
     IamUser,
+    InlinePolicyListResponse,
+    InlinePolicyResponse,
+    ManagedPolicyResponse,
     UserDetailsResponse,
     UsersListResponse,
 )
@@ -45,10 +54,17 @@ mcp = FastMCP(
     1. **User Management**: Create, list, update, and delete IAM users
     2. **Role Management**: Create, list, update, and delete IAM roles
     3. **Policy Management**: Create, list, update, and delete IAM policies
-    4. **Group Management**: Create, list, update, and delete IAM groups
-    5. **Permission Management**: Attach/detach policies to users, roles, and groups
-    6. **Access Key Management**: Create, list, and delete access keys for users
-    7. **Security Analysis**: Analyze permissions, find unused resources, and security recommendations
+    4. **Inline Policy Management**: Full CRUD operations for user and role inline policies
+    5. **Group Management**: Create, list, update, and delete IAM groups
+    6. **Permission Management**: Attach/detach policies to users, roles, and groups
+    7. **Access Key Management**: Create, list, and delete access keys for users
+    8. **Security Analysis**: Analyze permissions, find unused resources, and security recommendations
+    ## Inline Policy Management:
+    - **User Inline Policies**: Create, retrieve, update, delete, and list inline policies for users
+    - **Role Inline Policies**: Create, retrieve, update, delete, and list inline policies for roles
+    - **Policy Validation**: Automatic JSON validation for policy documents
+    - **Security Best Practices**: Built-in guidance for policy creation and management
     ## Security Best Practices:
     - Always follow the principle of least privilege
@@ -56,6 +72,8 @@ mcp = FastMCP(
     - Use roles instead of users for applications
     - Enable MFA where possible
     - Review and audit permissions regularly
+    - Prefer managed policies over inline policies for reusable permissions
+    - Test policies using simulate_principal_policy before applying
     ## Usage Requirements:
     - Requires valid AWS credentials with appropriate IAM permissions
@@ -180,7 +198,7 @@ async def get_user(
         inline_policies = inline_policies_response.get('PolicyNames', [])
         # Get groups
-        groups_response = iam.get_groups_for_user(UserName=user_name)
+        groups_response = iam.list_groups_for_user(UserName=user_name)
         groups = [group['GroupName'] for group in groups_response.get('Groups', [])]
         # Get access keys
@@ -321,7 +339,7 @@ async def delete_user(
         if force:
             # Remove from all groups
-            groups = iam.get_groups_for_user(UserName=user_name)
+            groups = iam.list_groups_for_user(UserName=user_name)
             for group in groups.get('Groups', []):
                 iam.remove_user_from_group(GroupName=group['GroupName'], UserName=user_name)
@@ -542,6 +560,63 @@ async def list_policies(
         raise handle_iam_error(e)
+@mcp.tool()
+async def get_managed_policy_document(
+    policy_arn: str = Field(description='The ARN of the managed policy'),
+    version_id: Optional[str] = Field(
+        description='The version ID of the policy (defaults to current version)', default=None
+    ),
+) -> ManagedPolicyResponse:
+    """Retrieve the policy document for a managed policy.
+    This tool retrieves the policy document for a specific managed policy version.
+    Use this to examine the actual permissions and wildcards in managed policies.
+    Args:
+        policy_arn: The ARN of the managed policy
+        version_id: Optional version ID (defaults to current version)
+    Returns:
+        ManagedPolicyResponse containing the policy document and details
+    """
+    try:
+        logger.info(f'Getting managed policy document for: {policy_arn}')
+        if not policy_arn:
+            raise IamValidationError('Policy ARN is required')
+        iam = get_iam_client()
+        # Build parameters for the API call
+        kwargs = {'PolicyArn': policy_arn}
+        if version_id:
+            kwargs['VersionId'] = version_id
+        response = iam.get_policy_version(**kwargs)
+        policy_version = response['PolicyVersion']
+        # Extract policy name from ARN
+        policy_name = policy_arn.split('/')[-1]
+        result = ManagedPolicyResponse(
+            policy_arn=policy_arn,
+            policy_name=policy_name,
+            version_id=policy_version['VersionId'],
+            policy_document=json.dumps(policy_version['Document'], indent=2),
+            is_default_version=policy_version['IsDefaultVersion'],
+            create_date=policy_version['CreateDate'].isoformat(),
+            message=f'Successfully retrieved managed policy document for {policy_name}',
+        )
+        logger.info(f'Successfully retrieved managed policy document for: {policy_arn}')
+        return result
+    except Exception as e:
+        error = handle_iam_error(e)
+        logger.error(f'Error getting managed policy document: {error}')
+        raise error
 @mcp.tool()
 async def attach_user_policy(
     user_name: str = Field(description='The name of the IAM user'),
@@ -738,6 +813,761 @@ async def simulate_principal_policy(
         raise handle_iam_error(e)
+# Group Management Tools
+@mcp.tool()
+async def list_groups(
+    path_prefix: Optional[str] = Field(
+        None, description='Path prefix to filter groups (e.g., "/division_abc/")'
+    ),
+    max_items: int = Field(100, description='Maximum number of groups to return'),
+) -> GroupsListResponse:
+    """List IAM groups in the account.
+    This tool retrieves a list of IAM groups from your AWS account with optional filtering.
+    Use this to get an overview of all groups or find specific groups by path prefix.
+    ## Usage Tips:
+    - Use path_prefix to filter groups by organizational structure
+    - Adjust max_items to control response size for large accounts
+    - Results may be paginated for accounts with many groups
+    Args:
+        path_prefix: Optional path prefix to filter groups
+        max_items: Maximum number of groups to return
+    Returns:
+        GroupsListResponse containing list of groups and metadata
+    """
+    if Context.is_readonly():
+        # List operations are allowed in read-only mode
+        pass
+    try:
+        iam = get_iam_client()
+        kwargs: Dict[str, Union[int, str]] = {'MaxItems': max_items}
+        if path_prefix:
+            kwargs['PathPrefix'] = path_prefix
+        response = iam.list_groups(**kwargs)
+        groups = []
+        for group_data in response.get('Groups', []):
+            group = IamGroup(
+                group_name=group_data['GroupName'],
+                group_id=group_data['GroupId'],
+                arn=group_data['Arn'],
+                path=group_data['Path'],
+                create_date=group_data['CreateDate'].isoformat(),
+            )
+            groups.append(group)
+        return GroupsListResponse(
+            groups=groups,
+            is_truncated=response.get('IsTruncated', False),
+            marker=response.get('Marker'),
+            count=len(groups),
+        )
+    except Exception as e:
+        raise handle_iam_error(e)
+@mcp.tool()
+async def get_group(
+    group_name: str = Field(description='The name of the IAM group to retrieve'),
+) -> GroupDetailsResponse:
+    """Get detailed information about a specific IAM group.
+    This tool retrieves comprehensive information about an IAM group including
+    group members, attached policies, and inline policies. Use this to get
+    a complete picture of a group's configuration and membership.
+    ## Usage Tips:
+    - Use this after list_groups to get detailed information about specific groups
+    - Review attached policies to understand group permissions
+    - Check group members to see who has these permissions
+    Args:
+        group_name: The name of the IAM group
+    Returns:
+        GroupDetailsResponse containing comprehensive group information
+    """
+    if Context.is_readonly():
+        # Get operations are allowed in read-only mode
+        pass
+    try:
+        iam = get_iam_client()
+        # Get group details and members
+        group_response = iam.get_group(GroupName=group_name)
+        group_data = group_response['Group']
+        group = IamGroup(
+            group_name=group_data['GroupName'],
+            group_id=group_data['GroupId'],
+            arn=group_data['Arn'],
+            path=group_data['Path'],
+            create_date=group_data['CreateDate'].isoformat(),
+        )
+        # Get group members
+        users = [user['UserName'] for user in group_response.get('Users', [])]
+        # Get attached managed policies
+        attached_policies_response = iam.list_attached_group_policies(GroupName=group_name)
+        attached_policies = [
+            AttachedPolicy(policy_name=policy['PolicyName'], policy_arn=policy['PolicyArn'])
+            for policy in attached_policies_response.get('AttachedPolicies', [])
+        ]
+        # Get inline policies
+        inline_policies_response = iam.list_group_policies(GroupName=group_name)
+        inline_policies = inline_policies_response.get('PolicyNames', [])
+        return GroupDetailsResponse(
+            group=group,
+            users=users,
+            attached_policies=attached_policies,
+            inline_policies=inline_policies,
+        )
+    except Exception as e:
+        raise handle_iam_error(e)
+@mcp.tool()
+async def create_group(
+    group_name: str = Field(description='The name of the new IAM group'),
+    path: str = Field('/', description='The path for the group'),
+) -> CreateGroupResponse:
+    """Create a new IAM group.
+    This tool creates a new IAM group in your AWS account. The group will be created
+    without any permissions by default - you'll need to attach policies separately.
+    ## Security Best Practices:
+    - Use descriptive group names that indicate the group's purpose
+    - Set appropriate paths for organizational structure
+    - Follow the principle of least privilege when assigning permissions later
+    Args:
+        group_name: The name of the new IAM group
+        path: The path for the group (default: '/')
+    Returns:
+        CreateGroupResponse containing the created group details
+    """
+    if Context.is_readonly():
+        raise IamValidationError('Cannot create group in read-only mode')
+    try:
+        iam = get_iam_client()
+        response = iam.create_group(GroupName=group_name, Path=path)
+        group_data = response['Group']
+        group = IamGroup(
+            group_name=group_data['GroupName'],
+            group_id=group_data['GroupId'],
+            arn=group_data['Arn'],
+            path=group_data['Path'],
+            create_date=group_data['CreateDate'].isoformat(),
+        )
+        return CreateGroupResponse(
+            group=group, message=f'Successfully created IAM group: {group_name}'
+        )
+    except Exception as e:
+        raise handle_iam_error(e)
+@mcp.tool()
+async def delete_group(
+    group_name: str = Field(description='The name of the IAM group to delete'),
+    force: bool = Field(
+        False, description='Force delete by removing all members and policies first'
+    ),
+) -> Dict[str, str]:
+    """Delete an IAM group.
+    Args:
+        group_name: The name of the IAM group to delete
+        force: If True, removes all members and attached policies first
+    Returns:
+        Dictionary containing deletion status
+    """
+    if Context.is_readonly():
+        raise IamValidationError('Cannot delete group in read-only mode')
+    try:
+        iam = get_iam_client()
+        if force:
+            # Remove all users from the group
+            group_response = iam.get_group(GroupName=group_name)
+            for user in group_response.get('Users', []):
+                iam.remove_user_from_group(GroupName=group_name, UserName=user['UserName'])
+            # Detach all managed policies
+            attached_policies = iam.list_attached_group_policies(GroupName=group_name)
+            for policy in attached_policies.get('AttachedPolicies', []):
+                iam.detach_group_policy(GroupName=group_name, PolicyArn=policy['PolicyArn'])
+            # Delete all inline policies
+            inline_policies = iam.list_group_policies(GroupName=group_name)
+            for policy_name in inline_policies.get('PolicyNames', []):
+                iam.delete_group_policy(GroupName=group_name, PolicyName=policy_name)
+        # Delete the group
+        iam.delete_group(GroupName=group_name)
+        return {'message': f'Successfully deleted IAM group: {group_name}'}
+    except Exception as e:
+        raise handle_iam_error(e)
+@mcp.tool()
+async def add_user_to_group(
+    group_name: str = Field(description='The name of the IAM group'),
+    user_name: str = Field(description='The name of the IAM user'),
+) -> GroupMembershipResponse:
+    """Add a user to an IAM group.
+    Args:
+        group_name: The name of the IAM group
+        user_name: The name of the IAM user
+    Returns:
+        GroupMembershipResponse containing operation status
+    """
+    if Context.is_readonly():
+        raise IamValidationError('Cannot add user to group in read-only mode')
+    try:
+        iam = get_iam_client()
+        iam.add_user_to_group(GroupName=group_name, UserName=user_name)
+        return GroupMembershipResponse(
+            message=f'Successfully added user {user_name} to group {group_name}',
+            group_name=group_name,
+            user_name=user_name,
+        )
+    except Exception as e:
+        raise handle_iam_error(e)
+@mcp.tool()
+async def remove_user_from_group(
+    group_name: str = Field(description='The name of the IAM group'),
+    user_name: str = Field(description='The name of the IAM user'),
+) -> GroupMembershipResponse:
+    """Remove a user from an IAM group.
+    Args:
+        group_name: The name of the IAM group
+        user_name: The name of the IAM user
+    Returns:
+        GroupMembershipResponse containing operation status
+    """
+    if Context.is_readonly():
+        raise IamValidationError('Cannot remove user from group in read-only mode')
+    try:
+        iam = get_iam_client()
+        iam.remove_user_from_group(GroupName=group_name, UserName=user_name)
+        return GroupMembershipResponse(
+            message=f'Successfully removed user {user_name} from group {group_name}',
+            group_name=group_name,
+            user_name=user_name,
+        )
+    except Exception as e:
+        raise handle_iam_error(e)
+@mcp.tool()
+async def attach_group_policy(
+    group_name: str = Field(description='The name of the IAM group'),
+    policy_arn: str = Field(description='The ARN of the policy to attach'),
+) -> GroupPolicyAttachmentResponse:
+    """Attach a managed policy to an IAM group.
+    Args:
+        group_name: The name of the IAM group
+        policy_arn: The ARN of the policy to attach
+    Returns:
+        GroupPolicyAttachmentResponse containing operation status
+    """
+    if Context.is_readonly():
+        raise IamValidationError('Cannot attach policy to group in read-only mode')
+    try:
+        iam = get_iam_client()
+        iam.attach_group_policy(GroupName=group_name, PolicyArn=policy_arn)
+        return GroupPolicyAttachmentResponse(
+            message=f'Successfully attached policy {policy_arn} to group {group_name}',
+            group_name=group_name,
+            policy_arn=policy_arn,
+        )
+    except Exception as e:
+        raise handle_iam_error(e)
+@mcp.tool()
+async def detach_group_policy(
+    group_name: str = Field(description='The name of the IAM group'),
+    policy_arn: str = Field(description='The ARN of the policy to detach'),
+) -> GroupPolicyAttachmentResponse:
+    """Detach a managed policy from an IAM group.
+    Args:
+        group_name: The name of the IAM group
+        policy_arn: The ARN of the policy to detach
+    Returns:
+        GroupPolicyAttachmentResponse containing operation status
+    """
+    if Context.is_readonly():
+        raise IamValidationError('Cannot detach policy from group in read-only mode')
+    try:
+        iam = get_iam_client()
+        iam.detach_group_policy(GroupName=group_name, PolicyArn=policy_arn)
+        return GroupPolicyAttachmentResponse(
+            message=f'Successfully detached policy {policy_arn} from group {group_name}',
+            group_name=group_name,
+            policy_arn=policy_arn,
+        )
+    except Exception as e:
+        raise handle_iam_error(e)
+# Inline Policy Management Tools
+@mcp.tool()
+async def put_user_policy(
+    user_name: str = Field(description='The name of the IAM user'),
+    policy_name: str = Field(description='The name of the inline policy'),
+    policy_document: Union[str, dict] = Field(
+        description='The policy document in JSON format (string or dict)'
+    ),
+) -> InlinePolicyResponse:
+    """Create or update an inline policy for an IAM user.
+    This tool creates a new inline policy or updates an existing one for the specified user.
+    Inline policies are directly embedded in a single user, role, or group and have a one-to-one
+    relationship with the identity.
+    ## Security Best Practices:
+    - Follow the principle of least privilege when creating policies
+    - Use managed policies for common permissions that can be reused
+    - Regularly review and audit inline policies
+    - Test policies using simulate_principal_policy before applying
+    Args:
+        user_name: The name of the IAM user
+        policy_name: The name of the inline policy
+        policy_document: The policy document in JSON format
+    Returns:
+        InlinePolicyResponse containing the policy details and operation status
+    """
+    try:
+        logger.info(f'Creating/updating inline policy {policy_name} for user: {user_name}')
+        # Check if server is in read-only mode
+        if Context.is_readonly():
+            raise IamClientError(
+                'Cannot create/update inline policy: server is running in read-only mode'
+            )
+        if not user_name or not policy_name:
+            raise IamValidationError('User name and policy name are required')
+        iam = get_iam_client()
+        # Handle both string and dict types
+        if isinstance(policy_document, dict):
+            policy_doc = json.dumps(policy_document)
+        else:
+            policy_doc = policy_document
+            # Validate JSON
+            try:
+                json.loads(policy_doc)
+            except json.JSONDecodeError:
+                raise IamValidationError('Invalid JSON in policy_document')
+        iam.put_user_policy(UserName=user_name, PolicyName=policy_name, PolicyDocument=policy_doc)
+        result = InlinePolicyResponse(
+            policy_name=policy_name,
+            policy_document=policy_doc,
+            user_name=user_name,
+            role_name=None,
+            message=f'Successfully created/updated inline policy {policy_name} for user {user_name}',
+        )
+        logger.info(
+            f'Successfully created/updated inline policy {policy_name} for user: {user_name}'
+        )
+        return result
+    except Exception as e:
+        error = handle_iam_error(e)
+        logger.error(f'Error creating/updating inline policy: {error}')
+        raise error
+@mcp.tool()
+async def get_user_policy(
+    user_name: str = Field(description='The name of the IAM user'),
+    policy_name: str = Field(description='The name of the inline policy'),
+) -> InlinePolicyResponse:
+    """Retrieve an inline policy for an IAM user.
+    This tool retrieves the policy document for a specific inline policy attached to a user.
+    Args:
+        user_name: The name of the IAM user
+        policy_name: The name of the inline policy
+    Returns:
+        InlinePolicyResponse containing the policy document and details
+    """
+    try:
+        logger.info(f'Getting inline policy {policy_name} for user: {user_name}')
+        if not user_name or not policy_name:
+            raise IamValidationError('User name and policy name are required')
+        iam = get_iam_client()
+        response = iam.get_user_policy(UserName=user_name, PolicyName=policy_name)
+        result = InlinePolicyResponse(
+            policy_name=response['PolicyName'],
+            policy_document=response['PolicyDocument'],
+            user_name=response['UserName'],
+            role_name=None,
+            message=f'Successfully retrieved inline policy {policy_name} for user {user_name}',
+        )
+        logger.info(f'Successfully retrieved inline policy {policy_name} for user: {user_name}')
+        return result
+    except Exception as e:
+        error = handle_iam_error(e)
+        logger.error(f'Error getting inline policy: {error}')
+        raise error
+@mcp.tool()
+async def delete_user_policy(
+    user_name: str = Field(description='The name of the IAM user'),
+    policy_name: str = Field(description='The name of the inline policy to delete'),
+) -> Dict[str, Any]:
+    """Delete an inline policy from an IAM user.
+    This tool removes an inline policy from the specified user. The policy document
+    will be permanently deleted and cannot be recovered.
+    Args:
+        user_name: The name of the IAM user
+        policy_name: The name of the inline policy to delete
+    Returns:
+        Dictionary containing deletion status
+    """
+    try:
+        logger.info(f'Deleting inline policy {policy_name} from user: {user_name}')
+        # Check if server is in read-only mode
+        if Context.is_readonly():
+            raise IamClientError(
+                'Cannot delete inline policy: server is running in read-only mode'
+            )
+        if not user_name or not policy_name:
+            raise IamValidationError('User name and policy name are required')
+        iam = get_iam_client()
+        iam.delete_user_policy(UserName=user_name, PolicyName=policy_name)
+        result = {
+            'message': f'Successfully deleted inline policy {policy_name} from user {user_name}',
+            'user_name': user_name,
+            'policy_name': policy_name,
+        }
+        logger.info(f'Successfully deleted inline policy {policy_name} from user: {user_name}')
+        return result
+    except Exception as e:
+        error = handle_iam_error(e)
+        logger.error(f'Error deleting inline policy: {error}')
+        raise error
+# Role Inline Policy Management Tools
+@mcp.tool()
+async def put_role_policy(
+    role_name: str = Field(description='The name of the IAM role'),
+    policy_name: str = Field(description='The name of the inline policy'),
+    policy_document: Union[str, dict] = Field(
+        description='The policy document in JSON format (string or dict)'
+    ),
+) -> InlinePolicyResponse:
+    """Create or update an inline policy for an IAM role.
+    This tool creates a new inline policy or updates an existing one for the specified role.
+    Inline policies are directly embedded in a single user, role, or group and have a one-to-one
+    relationship with the identity.
+    Args:
+        role_name: The name of the IAM role
+        policy_name: The name of the inline policy
+        policy_document: The policy document in JSON format
+    Returns:
+        InlinePolicyResponse containing the policy details and operation status
+    """
+    try:
+        logger.info(f'Creating/updating inline policy {policy_name} for role: {role_name}')
+        # Check if server is in read-only mode
+        if Context.is_readonly():
+            raise IamClientError(
+                'Cannot create/update inline policy: server is running in read-only mode'
+            )
+        if not role_name or not policy_name:
+            raise IamValidationError('Role name and policy name are required')
+        iam = get_iam_client()
+        # Handle both string and dict types
+        if isinstance(policy_document, dict):
+            policy_doc = json.dumps(policy_document)
+        else:
+            policy_doc = policy_document
+            # Validate JSON
+            try:
+                json.loads(policy_doc)
+            except json.JSONDecodeError:
+                raise IamValidationError('Invalid JSON in policy_document')
+        iam.put_role_policy(RoleName=role_name, PolicyName=policy_name, PolicyDocument=policy_doc)
+        result = InlinePolicyResponse(
+            policy_name=policy_name,
+            policy_document=policy_doc,
+            user_name=None,
+            role_name=role_name,
+            message=f'Successfully created/updated inline policy {policy_name} for role {role_name}',
+        )
+        logger.info(
+            f'Successfully created/updated inline policy {policy_name} for role: {role_name}'
+        )
+        return result
+    except Exception as e:
+        error = handle_iam_error(e)
+        logger.error(f'Error creating/updating inline policy: {error}')
+        raise error
+@mcp.tool()
+async def get_role_policy(
+    role_name: str = Field(description='The name of the IAM role'),
+    policy_name: str = Field(description='The name of the inline policy'),
+) -> InlinePolicyResponse:
+    """Retrieve an inline policy for an IAM role.
+    This tool retrieves the policy document for a specific inline policy attached to a role.
+    Args:
+        role_name: The name of the IAM role
+        policy_name: The name of the inline policy
+    Returns:
+        InlinePolicyResponse containing the policy document and details
+    """
+    try:
+        logger.info(f'Getting inline policy {policy_name} for role: {role_name}')
+        if not role_name or not policy_name:
+            raise IamValidationError('Role name and policy name are required')
+        iam = get_iam_client()
+        response = iam.get_role_policy(RoleName=role_name, PolicyName=policy_name)
+        result = InlinePolicyResponse(
+            policy_name=response['PolicyName'],
+            policy_document=response['PolicyDocument'],
+            user_name=None,
+            role_name=response['RoleName'],
+            message=f'Successfully retrieved inline policy {policy_name} for role {role_name}',
+        )
+        logger.info(f'Successfully retrieved inline policy {policy_name} for role: {role_name}')
+        return result
+    except Exception as e:
+        error = handle_iam_error(e)
+        logger.error(f'Error getting inline policy: {error}')
+        raise error
+@mcp.tool()
+async def delete_role_policy(
+    role_name: str = Field(description='The name of the IAM role'),
+    policy_name: str = Field(description='The name of the inline policy to delete'),
+) -> Dict[str, Any]:
+    """Delete an inline policy from an IAM role.
+    This tool removes an inline policy from the specified role. The policy document
+    will be permanently deleted and cannot be recovered.
+    Args:
+        role_name: The name of the IAM role
+        policy_name: The name of the inline policy to delete
+    Returns:
+        Dictionary containing deletion status
+    """
+    try:
+        logger.info(f'Deleting inline policy {policy_name} from role: {role_name}')
+        # Check if server is in read-only mode
+        if Context.is_readonly():
+            raise IamClientError(
+                'Cannot delete inline policy: server is running in read-only mode'
+            )
+        if not role_name or not policy_name:
+            raise IamValidationError('Role name and policy name are required')
+        iam = get_iam_client()
+        iam.delete_role_policy(RoleName=role_name, PolicyName=policy_name)
+        result = {
+            'message': f'Successfully deleted inline policy {policy_name} from role {role_name}',
+            'role_name': role_name,
+            'policy_name': policy_name,
+        }
+        logger.info(f'Successfully deleted inline policy {policy_name} from role: {role_name}')
+        return result
+    except Exception as e:
+        error = handle_iam_error(e)
+        logger.error(f'Error deleting inline policy: {error}')
+        raise error
+@mcp.tool()
+async def list_user_policies(
+    user_name: str = Field(description='The name of the IAM user'),
+) -> InlinePolicyListResponse:
+    """List all inline policies for an IAM user.
+    This tool retrieves the names of all inline policies attached to the specified user.
+    Args:
+        user_name: The name of the IAM user
+    Returns:
+        InlinePolicyListResponse containing the list of policy names
+    """
+    try:
+        logger.info(f'Listing inline policies for user: {user_name}')
+        if not user_name:
+            raise IamValidationError('User name is required')
+        iam = get_iam_client()
+        response = iam.list_user_policies(UserName=user_name)
+        result = InlinePolicyListResponse(
+            policy_names=response.get('PolicyNames', []),
+            user_name=user_name,
+            role_name=None,
+            count=len(response.get('PolicyNames', [])),
+        )
+        logger.info(f'Successfully listed {result.count} inline policies for user: {user_name}')
+        return result
+    except Exception as e:
+        error = handle_iam_error(e)
+        logger.error(f'Error listing inline policies: {error}')
+        raise error
+@mcp.tool()
+async def list_role_policies(
+    role_name: str = Field(description='The name of the IAM role'),
+) -> InlinePolicyListResponse:
+    """List all inline policies for an IAM role.
+    This tool retrieves the names of all inline policies attached to the specified role.
+    Args:
+        role_name: The name of the IAM role
+    Returns:
+        InlinePolicyListResponse containing the list of policy names
+    """
+    try:
+        logger.info(f'Listing inline policies for role: {role_name}')
+        if not role_name:
+            raise IamValidationError('Role name is required')
+        iam = get_iam_client()
+        response = iam.list_role_policies(RoleName=role_name)
+        result = InlinePolicyListResponse(
+            policy_names=response.get('PolicyNames', []),
+            user_name=None,
+            role_name=role_name,
+            count=len(response.get('PolicyNames', [])),
+        )
+        logger.info(f'Successfully listed {result.count} inline policies for role: {role_name}')
+        return result
+    except Exception as e:
+        error = handle_iam_error(e)
+        logger.error(f'Error listing inline policies: {error}')
+        raise error
 def main():
     """Run the MCP server with CLI argument support."""
     parser = argparse.ArgumentParser(
@@ -745,23 +1575,20 @@ def main():
     )
     parser.add_argument(
         '--readonly',
-        action=argparse.BooleanOptionalAction,
-        help='Prevents the MCP server from performing mutating operations',
-        default=False,
+        action='store_true',
+        help='Run server in read-only mode (prevents all mutating operations)',
     )
-    parser.add_argument('--region', help='AWS region to use for operations')
     args = parser.parse_args()
-    # Initialize context with configuration
-    Context.initialize(readonly=args.readonly, region=args.region)
-    if args.region:
-        logger.info(f'Using AWS region: {args.region}')
+    # Set read-only mode if specified
     if args.readonly:
-        logger.info('Running in read-only mode - mutating operations will be disabled')
+        Context.set_readonly(True)
+        logger.info('Server started in READ-ONLY mode - all mutating operations are disabled')
+    else:
+        logger.info('Server started in FULL ACCESS mode')
+    # Run the MCP server
     mcp.run()

awslabs.iam-mcp-server 1.0.1__py3-none-any.whl → 1.0.3__py3-none-any.whl

awslabs.iam-mcp-server 1.0.1py3-none-any.whl → 1.0.3py3-none-any.whl