CLI Reference

tryaudex run

Run a command with scoped, short-lived cloud credentials.

tryaudex run [OPTIONS] -- <COMMAND>...

Options

Flag	Description	Default
`--allow <ACTIONS>`	Comma-separated IAM/permission actions (required)	—
`--profile <NAME>`	Named policy profile (e.g. “s3-readonly”)	None
`--ttl <DURATION>`	Session time-to-live	`15m`
`--budget <USD>`	Advisory budget limit in USD	None
`--resource <ARNS>`	Comma-separated resource ARNs to restrict	`*`
`--provider <PROVIDER>`	Cloud provider: aws, gcp, azure, vault	`aws`
`--role-arn <ARN>`	IAM role ARN (AWS) or service account email (GCP)	`$AUDEX_ROLE_ARN`
`--service-account <EMAIL>`	GCP service account email	`$AUDEX_GCP_SERVICE_ACCOUNT`
`--subscription <ID>`	Azure subscription ID	`$AZURE_SUBSCRIPTION_ID`
`--region <REGION>`	AWS region for STS	`$AWS_REGION`
`--notify <URL>`	Webhook URL for notifications	None

Examples

# Basic S3 read access
tryaudex run --allow "s3:GetObject,s3:ListBucket" -- aws s3 ls

# With budget cap
tryaudex run --ttl 15m --budget 5 \
  --allow "lambda:UpdateFunctionCode" -- ./deploy.sh

# Using a profile
tryaudex run --profile s3-readonly -- aws s3 ls

# GCP example
tryaudex run --provider gcp --allow "storage.objects.get" -- gsutil ls

# Azure example
tryaudex run --provider azure --allow "Microsoft.Storage/storageAccounts/read" \
  -- az storage account list

tryaudex chain

Run a multi-step workflow with progressively scoped credentials per step.

tryaudex chain --step <ACTIONS> --step <ACTIONS> -- <COMMAND>...

Options

Flag	Description	Default
`--step <ACTIONS>`	IAM actions for this step (repeat for each step, required)	—
`--ttl <DURATION>`	TTL per step	`5m`
`--provider <PROVIDER>`	Cloud provider (aws, gcp, azure)	`aws`
`--fail-fast`	Stop on first failure	`true`
`--json`	Output results as JSON	False

Example

# Deploy: read from S3, then invoke Lambda
tryaudex chain \
  --step "s3:GetObject" \
  --step "lambda:InvokeFunction" \
  -- ./deploy.sh

Each step runs with its own credentials and session, scoped to exactly what that step needs.

tryaudex sessions

List and inspect credential sessions.

tryaudex sessions [COMMAND]

Subcommands

Command	Description
`list [--status STATUS]`	List all sessions, optionally filtered by status
`show <SESSION_ID>`	Show details of a specific session
`kill <SESSION_ID>`	Revoke a session manually

Status Values

active, completed, failed, expired, revoked, budget_exceeded

Examples

# List all sessions
tryaudex sessions list

# Filter by status
tryaudex sessions list --status active

# Show a specific session
tryaudex sessions show a1b2c3d4e5f6

# Revoke a session
tryaudex sessions kill a1b2c3d4e5f6

tryaudex audit

View the append-only audit trail of all sessions and events.

tryaudex audit [COMMAND]

Subcommands

Command	Description
`show <SESSION_ID>`	Show all events for a session
`recent [--limit N]`	Show recent audit entries
`path`	Print the audit log file path
`export <FORMAT>`	Export audit log (json, csv) for compliance

Examples

# Show audit entries for a session
tryaudex audit show a1b2c3d4

# Show recent entries
tryaudex audit recent --limit 50

# Export for compliance
tryaudex audit export json > audit.json

tryaudex intent

Convert natural language to IAM permissions using Claude API.

tryaudex intent "<DESCRIPTION>"

Options

Flag	Description
`--api-key <KEY>`	Anthropic API key (or `$ANTHROPIC_API_KEY`)
`--model <MODEL>`	Claude model to use (default: claude-opus)

Example

# Convert natural language to permissions
tryaudex intent "I need to read from S3 and invoke a Lambda"

# Output:
# {
#   "allow": "s3:GetObject,lambda:InvokeFunction",
#   "resource": null,
#   "description": "Read objects from S3 and invoke Lambda functions"
# }

tryaudex learn

Learn minimum IAM permissions by observing CloudTrail during command execution.

tryaudex learn -- <COMMAND>...

Options

Flag	Description
`--ttl <DURATION>`	Session TTL (default: 15m)
`--role-arn <ARN>`	IAM role with broad permissions for learning

Example

# Observe what S3 operations a script actually uses
tryaudex learn -- ./my-script.sh

# Output shows the minimum IAM policy needed:
# s3:GetObject,s3:ListBucket,s3:HeadObject

CloudTrail has a ~5 minute delay, so this is best for longer-running operations.

tryaudex estimate

Estimate potential cost before issuing credentials.

tryaudex estimate [OPTIONS]

Options

Flag	Description
`--allow <ACTIONS>`	IAM actions to estimate cost for
`--region <REGION>`	AWS region for pricing data
`--ttl <DURATION>`	Estimated session duration

Example

tryaudex estimate --allow "s3:GetObject" --ttl 1h
# Output: Estimated cost: $0.002 for S3 operations

tryaudex compliance

Export audit trail as SOC2/ISO 27001 compliance reports.

tryaudex compliance [OPTIONS]

Options

Flag	Description
`--format <FORMAT>`	Report format: soc2, iso27001, cis
`--since <DATE>`	Start date for report (YYYY-MM-DD)
`--until <DATE>`	End date for report (YYYY-MM-DD)
`--output <FILE>`	Output file path

Example

tryaudex compliance --format soc2 --since 2024-01-01 --output soc2-report.pdf

tryaudex dashboard

Interactive TUI dashboard for monitoring sessions and audit trails. See Dashboard for full details.

tryaudex dashboard
# or simply: tryaudex

tryaudex health

Run health checks on Audex configuration, credential stores, and cloud connectivity.

tryaudex health [OPTIONS]

Options

Flag	Description
`--check <NAME>`	Run a specific check (config, credentials, cloud, all)
`--verbose`	Show detailed output

Example

tryaudex health
# Checks: config file, credential store, AWS/GCP/Azure connectivity, etc.

tryaudex health --check aws
# Check only AWS STS connectivity

tryaudex metrics

Serve Prometheus metrics or print metrics once.

tryaudex metrics [OPTIONS]

Options

Flag	Description
`--serve <ADDR>`	Serve metrics on this address (e.g. “localhost:9090”)
`--once`	Print metrics once and exit

Example

# Serve Prometheus metrics on port 9090
tryaudex metrics --serve localhost:9090

# Print once
tryaudex metrics --once

Metrics include: sessions created, credentials issued, budget spent, API latencies, etc.

tryaudex replay

Replay the full timeline of a past session from the audit log.

tryaudex replay <SESSION_ID>

Example

tryaudex replay a1b2c3d4

# Output shows:
# 00:00 -- SessionCreated: role=arn:aws:iam::123456789:role/AudexRole, actions=s3:GetObject
# 00:01 -- CredentialsIssued: access_key=ASIA..., expires_at=2024-01-01T12:16:00Z
# 00:15 -- SessionEnded: status=completed, exit_code=0, duration=15m

tryaudex watch

Watch live API calls for an active session via CloudTrail.

tryaudex watch <SESSION_ID>

Example

# In one terminal, start a session:
tryaudex run --allow "s3:*" -- my-script.sh

# In another, watch it (replace SESSION_ID with the one from above):
tryaudex watch a1b2c3d4

# Shows real-time CloudTrail events:
# s3:GetObject -- bucket=my-bucket, key=data.json
# s3:ListBucket -- bucket=my-bucket

CloudTrail has a ~1 minute delay.

tryaudex clean

Clear sessions, audit logs, or all local data.

tryaudex clean [OPTIONS]

Options

Flag	Description
`--sessions`	Delete all session files
`--audit`	Delete the audit log
`--all`	Delete everything (sessions, audit, config)
`--before <DATE>`	Only delete entries before this date

Examples

# Delete completed sessions
tryaudex clean --sessions

# Delete audit log
tryaudex clean --audit

# Delete everything
tryaudex clean --all

# Delete entries older than 30 days
tryaudex clean --before 2024-01-01

tryaudex server

Run centralized HTTP API server for team credential issuance. See Team Mode for full details.

tryaudex server [OPTIONS]

Options

Flag	Description
`--listen <ADDR>`	Server address (default: localhost:8080)
`--config <FILE>`	Server configuration file
`--enable-sso`	Enable SAML/OIDC authentication
`--enable-approvals`	Require multi-party approvals

Example

tryaudex server --listen 0.0.0.0:8080 --enable-sso --enable-approvals

tryaudex mcp

Start the MCP (Model Context Protocol) server for AI agent integration. See MCP Server for setup details.

tryaudex mcp

This starts a JSON-RPC server over stdin/stdout for use with Claude Code and other compatible clients.

Global Environment Variables

Variable	Description	Used By
`AUDEX_ROLE_ARN`	Default IAM role ARN (AWS)	`run`, `chain`
`AUDEX_GCP_SERVICE_ACCOUNT`	Default GCP service account email	`run`
`AUDEX_AZURE_SUBSCRIPTION_ID`	Default Azure subscription ID	`run`
`AUDEX_TENANT_ID`	Default Azure tenant ID	`run`
`AWS_REGION`	AWS region for STS calls	`run`, `chain`
`VAULT_ADDR`	HashiCorp Vault server address	`run` (Vault provider)
`VAULT_TOKEN`	HashiCorp Vault authentication token	`run` (Vault provider)
`ANTHROPIC_API_KEY`	API key for Claude (used by `intent` command)	`intent`

TTL Format

TTL values use human-readable duration strings:

Example	Duration
`30s`	30 seconds
`5m`	5 minutes
`1h`	1 hour
`2h30m`	2 hours 30 minutes

Maximum: 12 hours (cloud provider limit). Values exceeding this are silently clamped.

Data Directories

Path	Purpose
`~/.local/share/audex/sessions/`	Session JSON files
`~/.local/share/audex/audit/`	Audit log (JSONL format)
`~/.config/audex/config.toml`	Configuration file
`~/.local/share/audex/keystore/`	Encrypted credential cache