# IAM Policy Autopilot — CLI + MCP for AWS IAM

> IAM Policy Autopilot generates baseline IAM policies from source code via CLI or MCP; verified 357★ and supports stdio/http transports.

## Install

Merge the JSON below into your `.mcp.json`:

## Quick Use

```bash
pip install iam-policy-autopilot
iam-policy-autopilot generate-policies ./src/app.py --region us-east-1 --account 123456789012 --pretty
iam-policy-autopilot mcp-server --transport stdio
```

## Intro

IAM Policy Autopilot generates baseline IAM policies from source code via CLI or MCP; verified 357★ and supports stdio/http transports.

**Best for:** AWS teams who want deterministic policy scaffolding and faster AccessDenied debugging with an AI assistant

**Works with:** Python/Go/TS/JS/Java AWS SDK codebases; works with MCP clients via `mcp-server`

**Setup time:** 10-20 minutes

### Key facts (verified)

- GitHub: 357 stars · 38 forks · pushed 2026-05-13.
- License: Apache-2.0 · owner avatar + repo URL verified via GitHub API.
- README-backed entrypoint: `iam-policy-autopilot mcp-server --transport stdio`.

## Main

- Treat output as a baseline: review policies before deployment and narrow resources/conditions to your actual boundaries.
- Use CLI explanations to trace why actions were included; keep that explanation as evidence in code review.
- Prefer MCP integration for agent workflows, but still enforce least privilege at the IaC layer (ARNs, boundaries, SCPs).

### Source-backed notes

- README lists three CLI commands: `generate-policies`, `fix-access-denied`, and `mcp-server`.
- README notes `mcp-server` supports `stdio` (default) and `http` transports (example: `--transport http`).
- README describes deterministic local code analysis to generate identity-based policies across multiple languages.

### FAQ

- **Does this guarantee least privilege?**: No — it generates a baseline; you still need review and resource scoping.
- **What if resources are chosen at runtime?**: README notes it can’t predict dynamic values; add conditions/ARN constraints manually.
- **Should I use CLI or MCP?**: Use CLI for one-offs; use MCP when an agent should call tools during iteration.

## Source & Thanks

> Source: https://github.com/awslabs/iam-policy-autopilot
> License: Apache-2.0
> GitHub stars: 357 · forks: 38

---

Source: https://tokrepo.com/en/workflows/iam-policy-autopilot-cli-mcp-for-aws-iam
Author: MCP Hub
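As an added example of the review step recommended under Main (not code from this page or from the iam-policy-autopilot project), the helper below flags Allow statements in a generated baseline that grant `Resource: "*"` without any Condition, then applies reviewer-supplied ARNs and conditions. The baseline policy, Sids, bucket and table names are constructed for illustration.

```python
"""Review helper for a generated baseline IAM policy (added example)."""
import json

# Constructed sample resembling a baseline generated from code that calls
# s3:GetObject / s3:PutObject and dynamodb:GetItem; not real tool output.
BASELINE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3Access", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Sid": "DdbAccess", "Effect": "Allow",
         "Action": ["dynamodb:GetItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    ],
}


def find_wide_statements(policy):
    """Return Sids of Allow statements whose Resource is '*' (string or list
    containing '*') and that carry no Condition block, i.e. candidates to narrow."""
    wide = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" in resources and "Condition" not in stmt:
            wide.append(stmt.get("Sid", "<no Sid>"))
    return wide


def narrow_resources(policy, overrides):
    """Return a deep copy of the policy with Resource (and optionally Condition)
    replaced per Sid from the reviewer-supplied overrides; the input is untouched."""
    narrowed = json.loads(json.dumps(policy))
    for stmt in narrowed["Statement"]:
        ov = overrides.get(stmt.get("Sid"))
        if ov:
            stmt["Resource"] = ov["Resource"]
            if "Condition" in ov:
                stmt["Condition"] = ov["Condition"]
    return narrowed


if __name__ == "__main__":
    print("Statements to narrow:", find_wide_statements(BASELINE))
    fixed = narrow_resources(BASELINE, {
        "S3Access": {"Resource": ["arn:aws:s3:::app-bucket-example/uploads/*"],
                     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}})
    print(json.dumps(fixed, indent=2))
    print("After narrowing:", find_wide_statements(fixed))
```

Run it against the JSON emitted by `generate-policies` to produce a checklist of statements that still need ARNs or conditions before the policy is committed to IaC.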