cloudvault-mcp
v2.0.0
Cloud infrastructure analysis MCP server — AWS, GCP, Azure inventory and cost analysis
Cloud infrastructure analysis for AI agents — AWS, GCP, Azure inventory and cost analysis
Architecture
```mermaid
graph LR
    A[AI Agent] -->|MCP protocol| B[CloudVault MCP]
    B --> C[AWS]
    B --> D[GCP]
    B --> E[Azure]
    C --> C1[EC2 Instances]
    C --> C2[RDS Databases]
    C --> C3[S3 Buckets]
    C --> C4[Secrets Manager]
    D --> D1[Compute Engine]
    D --> D2[Cloud SQL]
    D --> D3[Cloud Storage]
    D --> D4[Secret Manager]
    E --> E1[Virtual Machines]
    E --> E2[SQL Databases]
    E --> E3[Storage Accounts]
    E --> E4[Key Vault]
```

CloudVault connects your AI agent to your cloud infrastructure. All operations are read-only — no create, modify, or delete operations are ever performed.
Tools
Phase 1 — Core Inventory + AWS (free)
| Tool | Description |
|:-----|:-----------|
| list_instances | Compute instances — state, type, IP, region, monthly cost estimate |
| list_databases | Managed databases — engine, version, storage, backup status |
| list_storage | S3/GCS buckets — public access status, encryption, versioning |
| get_secrets | Secret names and metadata — values never returned |
Phase 2 — Extended Inventory + GCP (free)
| Tool | Description |
|:-----|:-----------|
| resource_tags | List/search resources by tags/labels |
| health_dashboard | Running/stopped/error counts, pending maintenance |
| cost_current | Current month cost breakdown vs previous month |
Phase 3 — Pro Features + Azure (PRO license required)
| Tool | Description |
|:-----|:-----------|
| cost_forecast | 3/6/12-month projections with conservative/realistic/optimistic scenarios |
| cost_anomalies | Detect cost spikes vs 30-day baseline, severity classification |
| idle_resources | Underutilized instances, empty buckets — sorted by savings potential |
| security_scan | Public buckets, unencrypted storage, unrotated secrets — informational only |
| cross_cloud_report | Unified multi-cloud inventory with environment parity checks |
| compliance_snapshot | SOC2/ISO27001 control mapping — not legal advice |
Provider Support
| Provider | Phase 1 | Phase 2 | Phase 3 |
|:---------|:-------:|:-------:|:-------:|
| AWS | ✅ | ✅ | ✅ |
| GCP | ✅ | ✅ | ✅ |
| Azure | ✅ | ✅ | ✅ |
Quickstart
Install
```bash
npm install -g cloudvault-mcp
```

AWS Setup

```bash
export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
export AWS_REGION=us-east-1  # optional, defaults to us-east-1
```

GCP Setup

```bash
export GOOGLE_CLOUD_PROJECT=your_project_id
export GOOGLE_ACCESS_TOKEN=$(gcloud auth print-access-token)
```

Azure Setup

```bash
export AZURE_TENANT_ID=your_tenant_id
export AZURE_CLIENT_ID=your_client_id
export AZURE_CLIENT_SECRET=your_client_secret
export AZURE_SUBSCRIPTION_ID=your_subscription_id
```

Claude Desktop Config
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
```json
{
  "mcpServers": {
    "cloudvault": {
      "command": "npx",
      "args": ["cloudvault-mcp"],
      "env": {
        "AWS_ACCESS_KEY_ID": "your_access_key",
        "AWS_SECRET_ACCESS_KEY": "your_secret_key",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}
```

npx (no install)
```json
{
  "mcpServers": {
    "cloudvault": {
      "command": "npx",
      "args": ["-y", "cloudvault-mcp"],
      "env": {
        "AWS_ACCESS_KEY_ID": "your_access_key",
        "AWS_SECRET_ACCESS_KEY": "your_secret_key"
      }
    }
  }
}
```

Usage Examples
Ask your AI agent:
- "List all my running EC2 instances in us-east-1"
- "What databases do I have and is backup enabled on all of them?"
- "Do any of my S3 buckets have public access enabled?"
- "List all my secrets in AWS Secrets Manager — just names, no values"
- "Which instances are tagged with Environment=production?"
- "Show me the health dashboard for my GCP project"
- "What's my current AWS spend vs last month?"
- "[PRO] Are there any cost anomalies this month?"
- "[PRO] Give me a cross-cloud inventory of all my infrastructure"
- "[PRO] Run a compliance snapshot against SOC2 controls for AWS"
IAM Permissions
CloudVault requires read-only IAM permissions. Attach this minimal policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "rds:DescribeDBInstances",
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetEncryptionConfiguration",
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*"
    }
  ]
}
```

Security
Secret values are never returned. The get_secrets tool only retrieves:
- Secret names
- Descriptions
- Creation and rotation dates
- Rotation status
- Tags
The raw secret value is never fetched or transmitted. This is enforced at both the adapter level (using ListSecrets, not GetSecretValue) and the tool level (belt-and-suspenders value stripping).
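The two layers described above can be sketched as an allow-list projection followed by a fail-closed check on the outgoing payload. This is an added example, not CloudVault's own code: `toSecretMetadata`, `assertNoSecretValues` and `buildGetSecretsResult` are hypothetical names, the field names are those of the AWS `ListSecrets` and `GetSecretValue` responses, and the sample entry is constructed.

```javascript
'use strict';

// Metadata the README says get_secrets may return; field names follow the
// AWS Secrets Manager ListSecrets response.
const ALLOWED = ['Name', 'Description', 'CreatedDate', 'LastRotatedDate',
  'RotationEnabled', 'Tags'];
// Fields that carry secret material in a GetSecretValue response.
const FORBIDDEN = new Set(['SecretString', 'SecretBinary']);

// Layer 1 (hypothetical helper): copy allow-listed fields only, so an
// unexpected field is dropped by default rather than needing a deny rule.
function toSecretMetadata(entry) {
  const out = {};
  for (const field of ALLOWED) {
    const v = entry[field];
    if (field === 'Tags' && Array.isArray(v)) {
      // Tags are flattened to strings; nested objects are not passed through.
      out.Tags = v.map((t) => ({ Key: String(t.Key), Value: String(t.Value) }));
    } else if (v instanceof Date) {
      out[field] = v.toISOString();
    } else if (typeof v === 'string' || typeof v === 'boolean') {
      out[field] = v;
    }
  }
  return out;
}

// Layer 2: walk the outgoing payload and fail closed if a value-bearing key
// is present at any depth.
function assertNoSecretValues(node, path = '$') {
  if (Array.isArray(node)) {
    node.forEach((n, i) => assertNoSecretValues(n, `${path}[${i}]`));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (FORBIDDEN.has(key)) throw new Error(`secret value at ${path}.${key}`);
      assertNoSecretValues(value, `${path}.${key}`);
    }
  }
  return node;
}

const buildGetSecretsResult = (entries) =>
  assertNoSecretValues(entries.map(toSecretMetadata));

// Constructed sample: a list entry polluted with a value field.
const SAMPLE = [{ Name: 'prod/db', RotationEnabled: true, ARN: 'arn:example',
  CreatedDate: new Date('2024-01-15T00:00:00Z'), SecretString: 'hunter2',
  Tags: [{ Key: 'env', Value: 'prod' }] }];
console.log(JSON.stringify(buildGetSecretsResult(SAMPLE)));
```

Because the first layer is an allow-list, the second layer only fires if a later code change starts passing raw provider responses through.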
Cost Explorer note: The cost_current tool (Phase 2) uses the AWS Cost Explorer API, which costs $0.01 per API request. The tool warns users about this before executing.
Security scan disclaimer: The security_scan tool (Phase 3 Pro) is informational only and not a substitute for a professional security audit.
Compliance snapshot disclaimer: The compliance_snapshot tool (Phase 3 Pro) maps findings to SOC2/ISO27001 controls as a reference guide. It is not legal advice and does not constitute a compliance certification.
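The read-only guarantee is only as strong as the IAM policy on the credentials given to the server, so it is worth checking that policy before wiring it into an agent. The following is an added example, not part of CloudVault: `auditPolicy` is a hypothetical helper, treating the `Describe`/`List`/`Get` verb prefixes as read-only is an assumption of this sketch, and both sample policies are constructed (the first is a subset of the policy in IAM Permissions).

```javascript
'use strict';

// Assumption of this sketch: an action is read-only if its name starts
// with one of these verbs.
const READ_VERB = /^(Describe|List|Get)/i;
// Read-style action that still returns secret material; the README names it.
const FORBIDDEN_ACTIONS = ['secretsmanager:GetSecretValue'];

// IAM action patterns allow * and ?; translate one into an anchored,
// case-insensitive regular expression.
function patternToRegex(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', 'i');
}

// Returns one finding per Allow action that is not read-only, or that
// (directly or through a wildcard) grants a forbidden action.
function auditPolicy(policy) {
  const findings = [];
  [].concat(policy.Statement || []).forEach((st, i) => {
    if (st.Effect !== 'Allow') return;
    if (st.NotAction) findings.push(`Statement[${i}]: Allow with NotAction`);
    for (const action of [].concat(st.Action || [])) {
      const name = action.includes(':') ? action.split(':')[1] : action;
      const re = patternToRegex(action);
      const hit = FORBIDDEN_ACTIONS.find((f) => re.test(f));
      if (hit) findings.push(`Statement[${i}]: ${action} grants ${hit}`);
      else if (!READ_VERB.test(name)) findings.push(`Statement[${i}]: ${action} is not read-only`);
    }
  });
  return findings;
}

// Constructed samples.
const README_SUBSET = { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
  Action: ['ec2:DescribeInstances', 'rds:DescribeDBInstances',
    's3:GetBucketAcl', 'secretsmanager:ListSecrets'], Resource: '*' }] };
const OVERBROAD = { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
  Action: ['ec2:Describe*', 'secretsmanager:Get*', 's3:PutBucketAcl'],
  Resource: '*' }] };

console.log(auditPolicy(README_SUBSET)); // no findings
console.log(auditPolicy(OVERBROAD));     // two findings
```

The wildcard case matters most here: `secretsmanager:Get*` looks read-only by name but includes `GetSecretValue`.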
Audit Log
All tool calls are logged to ~/.cloudvault/audit.db (SQLite). The log stores:
- Tool name
- Sanitized input (sensitive values redacted)
- Result summary
- Success/failure
- Duration
Logs are retained for 90 days and auto-cleaned on startup.
Pro Features
Set PRO_LICENSE=CPK-your-key to unlock Phase 3 pro tools. Get a license at craftpipe.dev/products/cloudvault-mcp.
```json
{
  "env": {
    "AWS_ACCESS_KEY_ID": "...",
    "AWS_SECRET_ACCESS_KEY": "...",
    "PRO_LICENSE": "CPK-your-license-key"
  }
}
```

Testing
```bash
npm test
```

265 tests across gate (14), fetch-retry (6), audit (8), providers (9), AWS adapter (26), GCP adapter (32), Azure adapter (28), 7 tools (74), and 6 PRO tools (68).
License
MIT © Craftpipe
