Open Source

Use AI agents on your cloud with no risk

Wrap any command with short-lived, scoped AWS credentials in under 5 seconds so coding agents can deploy and test without full access.

What is Audex?

Audex is a Rust CLI that wraps any command with temporary, scoped AWS credentials via STS. Credentials are auto-revoked on exit. Every session gets an immutable audit trail. No admin keys, no permanent access, no YOLO.

[*] Scoped Inline Policies  Specify exactly which AWS actions are allowed. --allow "s3:GetObject,lambda:UpdateFunctionCode" — nothing more, nothing less.
[*] Short-Lived Credentials  Every session gets a TTL. Default 15 minutes. Credentials expire automatically — or get revoked the instant the process exits.
[*] Budget Caps  Set a per-session spend limit with --budget 5. Audex monitors Cost Explorer and kills sessions that exceed the cap.
[*] Immutable Audit Trail  Every credential issued, every action taken, every dollar spent. Append-only JSONL logs you can query, export, and hand to your compliance team.
[*] Natural Language Scoping  Don't know IAM? Just say audex "read from the uploads bucket" and the intent parser generates the minimum policy automatically.
[*] Claude Code MCP Plugin  Ships as an MCP server. Claude Code can request scoped credentials directly during any session — no copy-paste, no context switching.
[*] Works with Any CLI Agent  Wrap any command: Cursor, Aider, Copilot, custom scripts. If it runs in a terminal, Audex scopes it.
[*] AWS Native  Built on STS AssumeRole with inline policies. No proxy, no wrapper service. Your credentials never leave your machine.

Why Audex

[*] Credentials issued in <5 seconds. Action-level scoping. Auto-expire + revoke. Per-session budget caps. Per-session JSONL audit. Built with Rust for zero runtime dependencies.

Fig 1. Credential Issuance Time
Fig 2. Blast Radius Per Session
Fig 3. Credential Lifetime

1. Scope

Specify allowed AWS actions, TTL, and budget. Or use natural language and let the intent parser figure it out.

2. Run

Audex calls STS AssumeRole with an inline policy. Temporary credentials are injected as environment variables.

3. Execute

Your command runs with exactly the permissions it needs. Nothing more. Budget and TTL are enforced in real time.

4. Revoke

Process exits — credentials are revoked immediately. Session audit log is finalized. Zero residual access.
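
What steps 1 and 2 amount to on the AWS side, shown as an added example (not Audex's own code): an allow list becomes an inline session policy for the AssumeRole Policy parameter, and the session can only use the actions that the target role's own policy also allows. The function names, the wildcard rejection, and the sample role patterns are assumptions of this example; it ignores Resource scoping, explicit Deny statements, and conditions.

```rust
// Added example, std only. Function names are hypothetical, not Audex's API.
use std::collections::BTreeSet;

/// STS caps the plaintext of an inline session policy at 2,048 characters.
const MAX_POLICY_CHARS: usize = 2048;

/// Parse an `--allow` style list into exact `service:Action` names.
/// Wildcards are rejected (this example's choice, to keep scopes explicit).
fn parse_allow(allow: &str) -> Result<BTreeSet<String>, String> {
    let mut actions = BTreeSet::new();
    for raw in allow.split(',').map(str::trim).filter(|s| !s.is_empty()) {
        let (svc, act) = raw.split_once(':').ok_or_else(|| format!("no service prefix: {}", raw))?;
        let svc_ok = !svc.is_empty() && svc.chars().all(|c| c.is_ascii_alphanumeric() || c == '-');
        let act_ok = !act.is_empty() && act.chars().all(|c| c.is_ascii_alphanumeric());
        if !(svc_ok && act_ok) { return Err(format!("malformed action: {}", raw)); }
        actions.insert(format!("{}:{}", svc, act));
    }
    if actions.is_empty() { Err("empty allow list".to_string()) } else { Ok(actions) }
}

/// Render the JSON document passed as the AssumeRole `Policy` parameter.
fn session_policy(actions: &BTreeSet<String>) -> Result<String, String> {
    let list: Vec<String> = actions.iter().map(|a| format!("\"{}\"", a)).collect();
    let doc = format!(
        r#"{{"Version":"2012-10-17","Statement":[{{"Effect":"Allow","Action":[{}],"Resource":"*"}}]}}"#,
        list.join(",")
    );
    if doc.len() > MAX_POLICY_CHARS { Err("session policy too large".to_string()) } else { Ok(doc) }
}

/// Case-insensitive action match; supports one `*` in the role's pattern.
fn pattern_matches(pattern: &str, action: &str) -> bool {
    let (p, a) = (pattern.to_ascii_lowercase(), action.to_ascii_lowercase());
    match p.split_once('*') {
        None => p == a,
        Some((h, t)) => a.len() >= h.len() + t.len() && a.starts_with(h) && a.ends_with(t),
    }
}

/// A session policy only narrows: keep requested actions the role also allows.
fn effective(role_allows: &[&str], requested: &BTreeSet<String>) -> Vec<String> {
    requested.iter().filter(|a| role_allows.iter().any(|p| pattern_matches(p, a))).cloned().collect()
}

fn main() {
    // Constructed input: the role policy patterns below are sample values.
    let req = parse_allow("s3:GetObject, lambda:UpdateFunctionCode, iam:CreateUser").unwrap();
    println!("{}", session_policy(&req).unwrap());
    println!("{:?}", effective(&["s3:Get*", "lambda:UpdateFunctionCode"], &req));
}
```

Requesting iam:CreateUser in the allow list does not grant it when the role lacks it, so the target role's own policy remains the upper bound on what any session can do.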

Works with

Audex wraps any command. These are the agents teams use it with.

Claude Code
Cursor
Windsurf
Aider
GitHub Copilot
Any CLI

FAQ

What is Audex?

Audex is an open-source Rust CLI that wraps any command with temporary, scoped AWS credentials. It calls STS AssumeRole with an inline policy scoped to exactly the actions you specify, injects the credentials as environment variables, runs your command, and auto-revokes credentials when the process exits. Every session gets an append-only JSONL audit log.

How is this different from just using IAM roles?

IAM roles are coarse-grained and long-lived. You create them once and they persist forever. Audex creates ephemeral credentials scoped to a single command invocation — action-level precision, automatic expiry, per-session budget limits, and a complete audit trail. No role creation, no policy JSON, no IAM console.

What agents does it work with?

Any agent or tool that runs in a terminal. Claude Code gets first-class support via an MCP plugin — the agent can request scoped credentials directly. For everything else (Cursor, Aider, Copilot, custom scripts), wrap the command with tryaudex run.

What's the natural language scoping?

Instead of writing IAM policy JSON, you can describe what you want in plain English: audex "read from the uploads bucket". The intent parser (powered by Claude) generates the minimum IAM policy automatically. It shows you the blast radius and waits for confirmation before issuing credentials.

How does budget enforcement work?

Pass --budget 5 to set a per-session spend cap in USD. Audex polls AWS Cost Explorer and kills the session if spend exceeds the limit. Note: Cost Explorer has a ~24 hour delay, so real-time enforcement uses CloudWatch billing alarms as a backstop.

Do my credentials leave my machine?

No. Audex calls AWS STS directly from your machine. The temporary credentials are injected as environment variables into the child process. Nothing is proxied, nothing is stored remotely. The audit log is a local JSONL file.

What AWS permissions does Audex need?

Audex needs sts:AssumeRole on the target role, plus ce:GetCostAndUsage if you use budget caps. The target role needs a trust policy that allows your IAM identity to assume it. That's it — no admin access, no broad permissions.

Is it open source?

Yes. MIT licensed. The full source is on GitHub. Written in Rust with zero runtime dependencies beyond the AWS SDK.

Does it support GCP or Azure?

Not yet. AWS is the focus for v1. GCP (Workload Identity Federation) and Azure (Managed Identity) are on the roadmap for v0.4+.

How do I get started?

Install with cargo install tryaudex, configure your IAM role with audex login, then run tryaudex run --allow "s3:GetObject" -- your-command. The docs have a full quickstart guide.