Convenience wrappers around the AWS CLI for the operations a deploy typically needs: ECR registry login/create/list/delete, Route53 CNAME management (including bulk-update from per-release domains:), and S3 bucket sync.

Optional. Enable by listing Marea.Plugins.Aws under plugins: in marea.yaml.

Every command below is also exposed as an MCP tool when marea mcp serve is running — aws_ecr_login, aws_route53_list, aws_s3_sync_in, etc. Read-only operations (list, get) carry readOnlyHint: true; deletes carry destructiveHint: true. The MCP server therefore lets an agent drive AWS workflows through the same aws.<id> profile and Route53/ECR config the CLI uses, without ever needing AWS credentials inside its own sandbox.
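A client-side approval gate built on those hints, as an added example (not Marea's code). It assumes the standard MCP tools/list shape, where each tool may carry an annotations object with readOnlyHint and destructiveHint; the tool list is constructed sample data and aws_route53_delete is a hypothetical name.

```python
# Constructed tools/list sample. aws_route53_delete is a hypothetical name;
# the annotation values are sample data, not read from a running server.
SAMPLE_TOOLS = [
    {"name": "aws_route53_list", "annotations": {"readOnlyHint": True}},
    {"name": "aws_route53_delete", "annotations": {"destructiveHint": True}},
    {"name": "aws_ecr_login",
     "annotations": {"readOnlyHint": False, "destructiveHint": False}},
    {"name": "aws_s3_sync_in"},  # no annotations sent at all
]


def decision(tool):
    """Map one tool descriptor to 'auto', 'confirm' or 'confirm-destructive'."""
    ann = tool.get("annotations") or {}
    # MCP defaults when a hint is absent: readOnlyHint=false, destructiveHint=true.
    read_only = ann.get("readOnlyHint") is True
    destructive = ann.get("destructiveHint") is not False
    # A tool claiming both read-only and destructive is contradictory: never auto-run it.
    if read_only and ann.get("destructiveHint") is not True:
        return "auto"
    return "confirm-destructive" if destructive else "confirm"


def approval_plan(tools, allow_prefix="aws_"):
    """Decide per tool; names outside the expected prefix are never auto-approved."""
    plan = {}
    for tool in tools:
        d = decision(tool)
        if d == "auto" and not tool["name"].startswith(allow_prefix):
            d = "confirm"
        plan[tool["name"]] = d
    return plan


if __name__ == "__main__":
    for name, d in approval_plan(SAMPLE_TOOLS).items():
        print(f"{name:22} {d}")
```

A tool that sends no annotations lands in confirm-destructive, because the absent destructiveHint is read as true.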

Configuration

The AWS plugin contributes the top-level aws: field to the schema:

aws:
  default:
    profile: my-aws-profile
    region: eu-west-1
    account_id: "123456789012"
    ecr:
      image_header: my-org/
    route53:
      example.com.:
        cnames:
          alb-staging: lb-staging.example.com.
          alb-prod:    lb-prod.example.com.
    s3:
      id: secret!aws_creds!access_key_id
      secret: secret!aws_creds!secret_access_key

Multiple AWS entries are allowed:

aws:
  prod:
    profile: acme-prod
    region: eu-west-1
    account_id: "111122223333"
  staging:
    profile: acme-staging
    region: eu-west-1
    account_id: "444455556666"

The active entry is selected with --aws-id <id> / -a. If only one entry is defined, it is auto-selected; otherwise the last-used value is restored from <state_dir>/last_values.

See 04-marea-yaml.md for the full schema.

Commands

marea aws  [-a <aws-id>]
 ecr
    login
    login-docker
    list                            --release <r>
    create
    delete
 route53  [-z <route53-zone>]
    get                             --host <h>
    list
    create                          --host <h> --cname <name>
    delete                          --host <h>
    update-deploy-domains           --deploy <d> --cname <name>
 s3
    sync-in                         --bucket <b> --path <p> [--delete]
    sync-out                        --bucket <b> --path <p> [--delete]

Every AWS subcommand reads profile and region from the selected aws: entry, defaulting profile to the aws-id if unset.

ECR

marea aws ecr login

Calls aws ecr get-login-password and writes the resulting token to ./aws_token. Useful for tooling that wants the raw token.

marea aws ecr login-docker

The same call, piped directly into docker login:

echo "<token>" | docker login \
  --username AWS \
  --password-stdin <account_id>.dkr.ecr.<region>.amazonaws.com

Requires aws.<id>.account_id to be set.

marea aws ecr list --release <r>

Lists all images in the ECR repo for a release, sorted by push time (most recent first). The repo name is <image_header><release>.

marea aws ecr create / delete

Creates or deletes the ECR repository for the current release using aws ecr create-repository --repository-name <repo> / delete-repository --force ….

Route53

The Route53 commands take --route53-zone / -z to pick the hosted zone. If the selected aws: entry has only one zone configured, it is auto-selected; multiple zones require an explicit --route53-zone.

--host is normalised: if it doesn't already end with the zone, the zone is appended. So --host api with --route53-zone example.com. becomes api.example.com..

marea aws route53 get --host <h>

Fetches and pretty-prints the resource record set for <h> in the selected zone.

marea aws route53 list

Pretty-prints every record in the zone.

marea aws route53 create --host <h> --cname <name>

Creates (or upserts) a CNAME record for <h> pointing at route53.<zone>.cnames.<name>. The change-batch JSON is written to <state_dir>/last_route53.json for inspection, and the actual change-resource-record-sets call is gated behind Lib.pause_cmd!/3 so you'll be prompted to confirm.

marea aws route53 delete --host <h>

Deletes an existing record for <h>. Uses the existing record's exact value (fetched first via list-resource-record-sets) for the DELETE action so AWS accepts it.

marea aws route53 update-deploy-domains --deploy <d> --cname <name>

Walks every release in the named deploy, collects all domains: entries that belong to the selected zone, and upserts each one as a CNAME pointing at the named cname target. This is the bulk operation intended for "I just spun up a new ALB; point all of staging's domains at it":

deploys:
  staging:
    releases:
      api:
        domains:
          - api.staging.example.com
          - admin.staging.example.com
      web:
        domains:
          - www.staging.example.com

marea aws route53 update-deploy-domains --deploy staging --cname alb-staging
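The --host normalisation and the zone filter of update-deploy-domains, sketched as an added example that produces a Route53 change batch in the format aws route53 change-resource-record-sets accepts. This is not Marea's implementation: the label-boundary zone match, the TTL of 300, the Comment text and the out-of-zone sample domain are assumptions made here.

```python
import json

ZONE = "example.com."
CNAMES = {"alb-staging": "lb-staging.example.com."}  # from the aws: sample above
DEPLOY = {  # the staging deploy above, plus one constructed out-of-zone entry
    "releases": {
        "api": {"domains": ["api.staging.example.com", "admin.staging.example.com"]},
        "web": {"domains": ["www.staging.example.com", "status.badexample.com"]},
    }
}

def fqdn(name):
    """Lower-case the name and add the trailing root dot Route53 uses."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_zone(name, zone):
    """True only on a label boundary: badexample.com. is not inside example.com."""
    name, zone = fqdn(name), fqdn(zone)
    return name == zone or name.endswith("." + zone)

def normalise_host(host, zone):
    """--host rule: append the zone unless the host already belongs to it."""
    return fqdn(host) if in_zone(host, zone) else fqdn(host) + fqdn(zone)

def deploy_change_batch(deploy, zone, cname_id, ttl=300):  # ttl is an assumed value
    """Collect every in-zone domain of the deploy and UPSERT it as a CNAME."""
    target = CNAMES[cname_id]
    hosts = sorted({fqdn(d) for rel in deploy["releases"].values()
                    for d in rel.get("domains", []) if in_zone(d, zone)})
    return {"Comment": f"point deploy domains at {cname_id}",
            "Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": {"Name": h, "Type": "CNAME", "TTL": ttl,
                                               "ResourceRecords": [{"Value": target}]}}
                        for h in hosts]}

def out_of_zone(batch, zone):
    """Names in a change batch outside the zone; expect an empty list before confirming."""
    return [c["ResourceRecordSet"]["Name"] for c in batch["Changes"]
            if not in_zone(c["ResourceRecordSet"]["Name"], zone)]

if __name__ == "__main__":
    print(json.dumps(deploy_change_batch(DEPLOY, ZONE, "alb-staging"), indent=2))
```

out_of_zone can be run over any change batch with this structure, for instance the JSON written to <state_dir>/last_route53.json, before answering the confirmation prompt.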

S3

s3 sync-in and s3 sync-out wrap aws s3 sync and pass AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from aws.<id>.s3.id and aws.<id>.s3.secret (these can be secret!file!key references). --delete is forwarded to aws s3 sync.

marea aws s3 sync-in  --bucket my-bucket --path ./data
marea aws s3 sync-out --bucket my-bucket --path ./data --delete

The bucket and path are persisted to last-values, so subsequent syncs to the same bucket need only marea aws s3 sync-in.

How AWS commands compose with builds

The AWS plugin is intentionally orthogonal to build. build helm does call Marea.Plugins.Helm.store_image/1, which reads aws.<id>.ecr.image_header to build the image URL. But the actual ECR push (docker push <image>:<vsn>) and docker login are issued by the build command using your environment's aws CLI credentials — typically obtained via marea aws ecr login-docker once at the start of a session.

Source