# tryaudex-core

Core library for Audex — scoped, short-lived cloud credentials for AI coding agents.
## What it provides

- Policy engine — Parse IAM actions (`s3:GetObject`, `lambda:Update*`) into inline session policies with deny list enforcement and wildcard matching
- Credential issuance — AWS STS `AssumeRole`, GCP service account impersonation, Azure CLI credentials, and HashiCorp Vault backend
- Session management — Create, persist, list, and kill credential sessions with full lifecycle tracking
- Audit logging — Append-only JSONL audit trail with HMAC chain integrity verification and secrets redaction
- Multi-cloud support — Unified policy syntax (`storage:read`) that maps to provider-specific actions across AWS, GCP, and Azure
- Smart features — TTL estimation from commands, credential caching, auto-suggest on AccessDenied, policy learning from CloudTrail
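The policy engine bullet above describes three behaviours worth seeing side by side: splitting an allow string into actions, IAM-style wildcard matching, and a deny list that wins over any allow. The following is an added illustration written for this README, not the crate's own code; the action grammar, the `*`/`?` wildcard semantics, the deny-wins rule and the emitted policy shape are assumptions about how such an engine behaves, and the function names are chosen here:

```python
import json
import re

# Assumed grammar for one action pattern: "<service>:<ActionName>", where the
# action part may carry the IAM wildcards '*' and '?'.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*?]+$")


def parse_allow(allow: str) -> list:
    """Split a comma-separated allow string into validated action patterns."""
    actions = []
    for raw in allow.split(","):
        action = raw.strip()
        if not action:
            continue
        if not ACTION_RE.match(action):
            raise ValueError(f"malformed IAM action: {action!r}")
        actions.append(action)
    if not actions:
        raise ValueError("allow string contains no actions")
    return actions


def _pattern_to_regex(pattern: str):
    """Translate an action pattern into an anchored, case-insensitive regex.

    IAM compares action names case-insensitively; '*' matches any run of
    characters and '?' exactly one.
    """
    parts = re.split(r"([*?])", pattern)
    body = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p) for p in parts)
    return re.compile(f"^{body}$", re.IGNORECASE)


def action_matches(pattern: str, action: str) -> bool:
    """True if the concrete action is covered by the pattern."""
    return _pattern_to_regex(pattern).match(action) is not None


def is_permitted(action: str, allow: list, deny: list) -> bool:
    """Evaluate one action: an explicit deny always wins over any allow."""
    if any(action_matches(d, action) for d in deny):
        return False
    return any(action_matches(a, action) for a in allow)


def build_session_policy(allow: list, deny: list) -> dict:
    """Build an inline session policy document from an allow list and a deny list.

    Enforcement has two parts: an allow entry that is itself covered by the deny
    list is rejected up front (the caller asked for something it can never get),
    and the deny list is emitted as an explicit Deny statement so that a broad
    wildcard such as "lambda:*" cannot reach a denied action at evaluation time.
    """
    for a in allow:
        if any(action_matches(d, a) for d in deny):
            raise PermissionError(f"{a!r} is blocked by the deny list")
    statements = [{"Effect": "Allow", "Action": list(allow), "Resource": "*"}]
    if deny:
        statements.append({"Effect": "Deny", "Action": list(deny), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed inputs: the README's own example allow string plus a deny list.
    allow = parse_allow("s3:GetObject,lambda:Update*")
    deny = ["iam:*", "sts:AssumeRole"]
    print(json.dumps(build_session_policy(allow, deny), indent=2))
```

Note that the up-front rejection only catches allow entries that are literally covered by a deny pattern; an allow wildcard that is broader than a deny entry passes the check and is constrained by the Deny statement when the cloud provider evaluates the session policy.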
## Usage

```rust
use tryaudex_core::Policy;
use tryaudex_core::SessionStore;
use tryaudex_core::CredentialIssuer;

// Parse a policy (allow-list syntax as described above)
let policy = Policy::from_allow_str("s3:GetObject,lambda:Update*")?;

// Issue scoped credentials
let issuer = CredentialIssuer::new(/* provider configuration; arguments elided in the original */);
let creds = issuer.issue(/* policy and session options; arguments elided in the original */).await?;

// Manage sessions
let store = SessionStore::new()?;
let sessions = store.list()?;
```
## Feature overview

| Module | Purpose |
|---|---|
| `policy` | IAM policy parsing, profiles, deny lists, network conditions |
| `credentials` | AWS STS credential issuance with permissions boundaries |
| `gcp` | GCP service account impersonation |
| `azure` | Azure CLI credential issuance |
| `vault` | HashiCorp Vault AWS secrets engine backend |
| `session` | Session CRUD, kill, credential caching |
| `audit` | JSONL audit trail with structured events |
| `integrity` | HMAC-SHA256 chain for tamper detection |
| `leakdetect` | Credential leak scanning and secrets redaction |
| `config` | TOML config file parsing |
| `smart_ttl` | Command-aware TTL estimation |
| `universal` | Cloud-agnostic permission mapping |
| `intent` | Natural language to IAM policy via Claude API |
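The `audit`, `integrity` and `leakdetect` rows above (and the audit logging bullet earlier) together describe one mechanism: events are redacted, written as JSONL, and each line carries an HMAC-SHA256 that also covers the previous line's MAC, so a verifier can detect edits, deletions and reordering. The following is an added illustration written for this README, not the crate's code; the record layout (`seq`, `prev`, `event`, `mac`), the set of redacted field names, the access-key-ID pattern and the function names are assumptions, and the sample events are constructed (the access key ID is the AWS documentation example value):

```python
import hashlib
import hmac
import json
import re
from typing import Optional

GENESIS = "0" * 64  # link value carried by the first record
DEMO_KEY = b"demo-key-not-for-real-use"  # constructed; a real deployment keeps the key out of the log

# Assumed redaction rules: values under these keys are never written, and AWS
# access key IDs inside free text are masked.
SENSITIVE_KEYS = {"aws_secret_access_key", "aws_session_token", "password", "private_key"}
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the MAC does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def redact(value):
    """Recursively strip secrets before an event is serialised."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return ACCESS_KEY_ID.sub("[REDACTED_ACCESS_KEY_ID]", value)
    return value


def head_of(lines: list) -> str:
    """MAC of the last line, or GENESIS for an empty log."""
    return json.loads(lines[-1])["mac"] if lines else GENESIS


class AuditLog:
    """Append-only JSONL log: every line is MACed together with its predecessor's MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.lines = []

    def append(self, event: dict) -> str:
        body = {"seq": len(self.lines), "prev": head_of(self.lines), "event": redact(event)}
        mac = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        line = json.dumps({**body, "mac": mac}, sort_keys=True, separators=(",", ":"))
        self.lines.append(line)
        return line


def verify_chain(key: bytes, lines: list, expected_head: Optional[str] = None):
    """Walk the log front to back, recomputing every MAC and checking linkage.

    Returns (ok, reason). Edits, deletions and reordering in the middle break the
    chain; silent truncation of the tail is only caught when the caller supplies
    the last MAC it recorded out of band as expected_head.
    """
    prev = GENESIS
    for i, line in enumerate(lines):
        rec = json.loads(line)
        mac = rec.pop("mac", None)
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, f"chain broken at line {i}"
        expected = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        if mac is None or not hmac.compare_digest(mac, expected):
            return False, f"bad MAC at line {i}"
        prev = mac
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: log truncated or replaced"
    return True, f"{len(lines)} records verified"


def demo() -> list:
    """Constructed sample: three events, one carrying material that must be redacted."""
    log = AuditLog(DEMO_KEY)
    log.append({"kind": "session.create", "actions": ["s3:GetObject"], "ttl_s": 900})
    log.append({"kind": "credential.issue",
                "aws_secret_access_key": "constructed-secret-value",
                "cmd": "env AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE aws s3 ls"})
    log.append({"kind": "session.kill"})
    return log.lines


if __name__ == "__main__":
    lines = demo()
    print("\n".join(lines))
    print(verify_chain(DEMO_KEY, lines, expected_head=head_of(lines)))
```

The chain alone cannot distinguish a log that was honestly short from one whose tail was cut off, which is why the verifier accepts an out-of-band head MAC; in practice that value is published somewhere the log writer cannot modify. Redaction runs before the MAC is computed, so the stored line and the MAC agree and secrets never reach disk.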
## License

MIT — see LICENSE