Forem: Jérôme GUYON The latest articles on Forem by Jérôme GUYON (@jerome_guyon_614ecd636c2c). https://forem.com/jerome_guyon_614ecd636c2c https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3880056%2Fb518d47b-aba1-41b0-b3c8-1e7d7762adc1.jpg Forem: Jérôme GUYON https://forem.com/jerome_guyon_614ecd636c2c en CloudShell - The Hidden API Jérôme GUYON Mon, 11 May 2026 09:25:55 +0000 https://forem.com/aws-builders/cloudshell-the-hidden-api-51km https://forem.com/aws-builders/cloudshell-the-hidden-api-51km <blockquote> <p><strong>Credits:</strong> Inspired by Dan V.'s <a href="https://github.com/dan-v/cloudshell-store" rel="noopener noreferrer">cloudshell-store</a> project that demonstrated the CloudShell API use, I built an unofficial boto3 client by injecting a custom botocore service model and you get a native boto3 experience: SigV4 signing, retries...</p> <p>⚠️ Undocumented API — AWS can break it anytime. For exploration and learning only.</p> </blockquote> <p>🔗 <a href="https://github.com/guyon-it-consulting/cloudshell-boto3" rel="noopener noreferrer">https://github.com/guyon-it-consulting/cloudshell-boto3</a></p> <h2> AWS CloudShell Has a Hidden API. Here's How to Use It with boto3. </h2> <p><a href="https://aws.amazon.com/cloudshell/" rel="noopener noreferrer">AWS CloudShell</a> is a free, browser-based shell built into the AWS Console — pre-authenticated, with the AWS CLI, Python, Docker, and ~1 GB of persistent storage per region. No setup, no EC2, no cost. It even supports VPC mode, so it can reach your private resources directly.</p> <p>But here's the thing: <strong>it has no public API</strong>. No SDK, no CLI, no CloudFormation support. Console only.</p> <p>Or so it seems. 😁</p> <h2> Discovering the API </h2> <p>If you open your browser's developer tools while launching CloudShell, you'll notice something interesting. The Console makes REST calls to <code>https://cloudshell.&lt;region&gt;.amazonaws.com</code> — with endpoints like <code>/createEnvironment</code>, <code>/describeEnvironments</code>, <code>/createSession</code>, and more. These requests are signed with standard AWS SigV4 authentication. They use the <code>cloudshell:</code> IAM namespace. In other words, this is a full AWS API — it's just not documented.</p> <p><a href="https://github.com/dan-v/cloudshell-store" rel="noopener noreferrer">Dan V.</a> demonstrated that you could call these endpoints programmatically. Building on their work, I wanted to go further: what if we could use this API with the standard boto3 interface, complete with SigV4 signing, retries, pagination, and error handling?</p> <p>That's exactly what <a href="https://github.com/guyon-it-consulting/cloudshell-boto3" rel="noopener noreferrer">cloudshell-boto3</a> does.</p> <h2> How it works </h2> <p>The trick is botocore's extensibility. Every AWS service in boto3 is described by a JSON service model — the same format AWS uses internally. If you provide your own model and inject it into botocore's loader, boto3 treats it as a standard service. You get a native client with proper request signing, serialization, and error handling.</p> <p>Here's how you create the client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">botocore.session</span> <span class="c1"># Inject the custom service model </span><span class="n">bc_session</span> <span class="o">=</span> <span class="n">botocore</span><span class="p">.</span><span class="n">session</span><span class="p">.</span><span class="nf">get_session</span><span class="p">()</span> <span class="n">loader</span> <span class="o">=</span> <span class="n">bc_session</span><span class="p">.</span><span class="nf">get_component</span><span class="p">(</span><span class="sh">'</span><span class="s">data_loader</span><span class="sh">'</span><span class="p">)</span> <span class="n">loader</span><span class="p">.</span><span class="n">search_paths</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="sh">'</span><span class="s">./my-additional-models</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Create the boto3 session and client </span><span class="n">session</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nc">Session</span><span class="p">(</span><span class="n">botocore_session</span><span class="o">=</span><span class="n">bc_session</span><span class="p">)</span> <span class="n">client</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">cloudshell</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">'</span><span class="s">eu-west-1</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <h2> The API surface </h2> <p>Once you have the client, you get access to the full CloudShell lifecycle. Let me walk you through the key operations.</p> <h3> List your environments </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">describe_environments</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Environments</span><span class="sh">'</span><span class="p">])</span> </code></pre> </div> <h3> Create an environment </h3> <p>For a public environment, call with no arguments. For a VPC environment, pass the network configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Public environment </span><span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">create_environment</span><span class="p">()</span> <span class="n">env_id</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">EnvironmentId</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># VPC environment </span><span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">create_environment</span><span class="p">(</span> <span class="n">EnvironmentName</span><span class="o">=</span><span class="sh">'</span><span class="s">my-vpc-shell</span><span class="sh">'</span><span class="p">,</span> <span class="n">VpcConfig</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">VpcId</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">vpc-0123456789abcdef0</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">SubnetIds</span><span class="sh">'</span><span class="p">:</span> <span class="p">[</span><span class="sh">'</span><span class="s">subnet-0123456789abcdef0</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">SecurityGroupIds</span><span class="sh">'</span><span class="p">:</span> <span class="p">[</span><span class="sh">'</span><span class="s">sg-0123456789abcdef0</span><span class="sh">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">)</span> </code></pre> </div> <blockquote> <p>VPC environments require additional IAM permissions (<code>ec2:CreateNetworkInterface</code>, <code>ec2:CreateTags</code>, etc.). See the <a href="https://docs.aws.amazon.com/cloudshell/latest/userguide/aws-cloudshell-vpc-permissions-1.html" rel="noopener noreferrer">AWS docs</a>.</p> </blockquote> <h3> Wait for it, then connect </h3> <p>Environments take a few seconds to start. Poll the status, then open an interactive session via SSM WebSocket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">uuid</span> <span class="kn">import</span> <span class="n">time</span> <span class="c1"># Wait for RUNNING </span><span class="k">while</span> <span class="n">client</span><span class="p">.</span><span class="nf">get_environment_status</span><span class="p">(</span><span class="n">EnvironmentId</span><span class="o">=</span><span class="n">env_id</span><span class="p">)[</span><span class="sh">'</span><span class="s">Status</span><span class="sh">'</span><span class="p">]</span> <span class="o">!=</span> <span class="sh">'</span><span class="s">RUNNING</span><span class="sh">'</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="c1"># Open a session </span><span class="n">sess</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">create_session</span><span class="p">(</span> <span class="n">EnvironmentId</span><span class="o">=</span><span class="n">env_id</span><span class="p">,</span> <span class="n">SessionType</span><span class="o">=</span><span class="sh">'</span><span class="s">TMUX</span><span class="sh">'</span><span class="p">,</span> <span class="n">TabId</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">()),</span> <span class="n">QCliDisabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">sess</span><span class="p">[</span><span class="sh">'</span><span class="s">SessionId</span><span class="sh">'</span><span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="n">sess</span><span class="p">[</span><span class="sh">'</span><span class="s">StreamUrl</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># wss://ssmmessages.&lt;region&gt;.amazonaws.com/... </span></code></pre> </div> <p>Use the <code>StreamUrl</code>, <code>SessionId</code>, and <code>TokenValue</code> with the <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html" rel="noopener noreferrer">session-manager-plugin</a> to get an interactive shell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span><span class="p">,</span> <span class="n">subprocess</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">'</span><span class="s">SessionId</span><span class="sh">'</span><span class="p">:</span> <span class="n">sess</span><span class="p">[</span><span class="sh">'</span><span class="s">SessionId</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">TokenValue</span><span class="sh">'</span><span class="p">:</span> <span class="n">sess</span><span class="p">[</span><span class="sh">'</span><span class="s">TokenValue</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">StreamUrl</span><span class="sh">'</span><span class="p">:</span> <span class="n">sess</span><span class="p">[</span><span class="sh">'</span><span class="s">StreamUrl</span><span class="sh">'</span><span class="p">],</span> <span class="p">})</span> <span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">([</span><span class="sh">'</span><span class="s">session-manager-plugin</span><span class="sh">'</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="sh">'</span><span class="s">eu-west-1</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">StartSession</span><span class="sh">'</span><span class="p">])</span> </code></pre> </div> <h3> Upload and download files </h3> <p>The API provides S3 presigned URLs for file transfer — the same mechanism the Console uses behind the scenes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get_file_upload_urls</span><span class="p">(</span><span class="n">EnvironmentId</span><span class="o">=</span><span class="n">env_id</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">script.sh</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="n">resp</span><span class="p">[</span><span class="sh">'</span><span class="s">FileUploadPresignedUrl</span><span class="sh">'</span><span class="p">],</span> <span class="n">data</span><span class="o">=</span><span class="n">resp</span><span class="p">[</span><span class="sh">'</span><span class="s">FileUploadPresignedFields</span><span class="sh">'</span><span class="p">],</span> <span class="n">files</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">file</span><span class="sh">'</span><span class="p">:</span> <span class="p">(</span><span class="sh">'</span><span class="s">script.sh</span><span class="sh">'</span><span class="p">,</span> <span class="n">f</span><span class="p">)},</span> <span class="p">)</span> </code></pre> </div> <h3> Keep it alive </h3> <p>CloudShell environments go to sleep after inactivity. Send heartbeats to prevent that:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">threading</span> <span class="k">def</span> <span class="nf">heartbeat_loop</span><span class="p">(</span><span class="n">client</span><span class="p">,</span> <span class="n">env_id</span><span class="p">,</span> <span class="n">interval</span><span class="o">=</span><span class="mi">300</span><span class="p">):</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">client</span><span class="p">.</span><span class="nf">send_heart_beat</span><span class="p">(</span><span class="n">EnvironmentId</span><span class="o">=</span><span class="n">env_id</span><span class="p">)</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="n">interval</span><span class="p">)</span> <span class="n">t</span> <span class="o">=</span> <span class="n">threading</span><span class="p">.</span><span class="nc">Thread</span><span class="p">(</span><span class="n">target</span><span class="o">=</span><span class="n">heartbeat_loop</span><span class="p">,</span> <span class="n">args</span><span class="o">=</span><span class="p">(</span><span class="n">client</span><span class="p">,</span> <span class="n">env_id</span><span class="p">),</span> <span class="n">daemon</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">t</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> </code></pre> </div> <h3> Lifecycle management </h3> <p>You also get <code>start_environment</code>, <code>stop_environment</code>, <code>delete_environment</code>, and <code>delete_session</code> — the full lifecycle, from creation to cleanup.</p> <h2> The complete API reference </h2> <p>Here's every operation available in the reverse-engineered service model:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Operation</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>describe_environments</code></td> <td>List all CloudShell environments for the current IAM principal</td> </tr> <tr> <td><code>create_environment</code></td> <td>Create a new public or VPC environment</td> </tr> <tr> <td><code>get_environment_status</code></td> <td>Get current status (<code>CREATING</code>, <code>RUNNING</code>, <code>SUSPENDED</code>, ...)</td> </tr> <tr> <td><code>start_environment</code></td> <td>Start a suspended environment</td> </tr> <tr> <td><code>stop_environment</code></td> <td>Stop a running environment</td> </tr> <tr> <td><code>delete_environment</code></td> <td>Delete an environment</td> </tr> <tr> <td><code>create_session</code></td> <td>Open an interactive SSM WebSocket session</td> </tr> <tr> <td><code>delete_session</code></td> <td>Close an active session</td> </tr> <tr> <td><code>send_heart_beat</code></td> <td>Keep an environment alive</td> </tr> <tr> <td><code>get_file_upload_urls</code></td> <td>Get S3 presigned URLs for file upload</td> </tr> <tr> <td><code>get_file_download_urls</code></td> <td>Get S3 presigned URLs for file download</td> </tr> <tr> <td><code>put_credentials</code></td> <td>Forward console credentials (console-only, not usable programmatically)</td> </tr> </tbody> </table></div> <h2> IAM permissions </h2> <p>CloudShell uses the <code>cloudshell:</code> IAM namespace. Each API operation maps to a corresponding IAM action (<code>cloudshell:CreateEnvironment</code>, <code>cloudshell:DescribeEnvironments</code>, etc.). For VPC environments, IAM also supports condition keys to restrict which VPCs, subnets, and security groups can be used:</p> <ul> <li><code>cloudshell:VpcIds</code></li> <li><code>cloudshell:SubnetIds</code></li> <li><code>cloudshell:SecurityGroupIds</code></li> </ul> <h2> Limits to keep in mind </h2> <ul> <li>Max <strong>2 VPC environments</strong> per IAM principal</li> <li>Max <strong>5 security groups</strong> per VPC environment</li> <li>~<strong>1 GB</strong> persistent storage per environment per region</li> <li>Environments <strong>sleep after inactivity</strong> (use heartbeats to prevent)</li> <li>Environments can be <strong>reclaimed by AWS</strong> at any time</li> </ul> <h2> Getting started </h2> <p>Clone the repo and try it yourself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/guyon-it-consulting/cloudshell-boto3.git <span class="nb">cd </span>cloudshell-boto3 pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt <span class="nv">AWS_PROFILE</span><span class="o">=</span>my-profile python simple_example.py </code></pre> </div> <p>The repo includes a <a href="https://github.com/guyon-it-consulting/cloudshell-boto3/blob/main/example.py" rel="noopener noreferrer">complete example</a> that creates an environment, connects via <code>session-manager-plugin</code>, injects credentials, and runs a command — the full lifecycle in one script.</p> <p>— Jérôme</p> api aws python showdev CloudWatch RUM vs. Ad blockers : How to fix possible missing telemetry Jérôme GUYON Thu, 30 Apr 2026 16:56:50 +0000 https://forem.com/aws-builders/cloudwatch-rum-vs-ad-blockers-how-to-fix-possible-missing-telemetry-54j5 https://forem.com/aws-builders/cloudwatch-rum-vs-ad-blockers-how-to-fix-possible-missing-telemetry-54j5 <p>A few weeks ago, I was reviewing the <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM.html" rel="noopener noreferrer">Amazon CloudWatch RUM</a> dashboard for a web application I maintain. Page views were suspiciously low. After some digging, I opened the browser's DevTools on my machine and there it was: uBlock Origin was quietly blocking every request to <code>dataplane.rum.eu-west-1.amazonaws.com</code>. <strong>Our real user monitoring was blind to a non-negligible portion of our actual traffic.</strong></p> <p>CloudWatch RUM is one of those AWS services that doesn't get the attention it deserves. But if you care about understanding how <em>real</em> users experience your application — page load times, JavaScript errors, HTTP failures, Web Vitals — it's genuinely valuable. Here's what the dashboard looks like out of the box:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxytuf0selcjd0f1h6i5i.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxytuf0selcjd0f1h6i5i.gif" alt="RUM Dashboard" width="800" height="578"></a></p> <p>The problem is that ad blockers treat its data plane endpoint the same way they treat any third-party tracking domain: a request flying off to <code>dataplane.rum.*.amazonaws.com</code> looks exactly like telemetry that users might want to block.</p> <p><strong>The architecture fix is simple</strong>: your CloudFront distribution already serves your frontend. Add one behavior — <code>/rum/*</code> — that proxies to the RUM data plane. On the client side, point the <a href="https://github.com/aws-observability/aws-rum-web" rel="noopener noreferrer">aws-rum-web</a> SDK to <code>https://yourdomain.com/rum/</code> instead of the default AWS endpoint. I use AWS CDK here, but the same works with CloudFormation, Terraform, or the console.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8tbii90og763tadbae6k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8tbii90og763tadbae6k.png" alt="RUM + Cloudfront architecture" width="800" height="444"></a></p> <p><strong>Step 1: Create the CloudWatch RUM app monitor and its Cognito identity pool.</strong> RUM needs a Cognito identity pool with unauthenticated access to authorize browsers to send telemetry.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cognito</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-cognito</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">rum</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-rum</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Create an identity pool for RUM (unauthenticated access)</span> <span class="kd">const</span> <span class="nx">rumIdentityPool</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">CfnIdentityPool</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RumIdentityPool</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">allowUnauthenticatedIdentities</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Create the IAM role for unauthenticated users</span> <span class="kd">const</span> <span class="nx">guestRole</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RumGuestRole</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">WebIdentityPrincipal</span><span class="p">(</span> <span class="dl">'</span><span class="s1">cognito-identity.amazonaws.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">StringEquals</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">cognito-identity.amazonaws.com:aud</span><span class="dl">'</span><span class="p">:</span> <span class="nx">rumIdentityPool</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">ForAnyValue:StringLike</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">cognito-identity.amazonaws.com:amr</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">unauthenticated</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">),</span> <span class="p">});</span> <span class="c1">// Attach the identity pool to the role</span> <span class="k">new</span> <span class="nx">cognito</span><span class="p">.</span><span class="nc">CfnIdentityPoolRoleAttachment</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RumRoleAttachment</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">identityPoolId</span><span class="p">:</span> <span class="nx">rumIdentityPool</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="na">roles</span><span class="p">:</span> <span class="p">{</span> <span class="na">unauthenticated</span><span class="p">:</span> <span class="nx">guestRole</span><span class="p">.</span><span class="nx">roleArn</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Create the RUM app monitor</span> <span class="kd">const</span> <span class="nx">rumAppMonitor</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">rum</span><span class="p">.</span><span class="nc">CfnAppMonitor</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RumAppMonitor</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">myapp.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">myapp-rum</span><span class="dl">'</span><span class="p">,</span> <span class="na">appMonitorConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">allowCookies</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Allow X-Ray tracing</span> <span class="na">enableXRay</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Track 100% of sessions</span> <span class="na">sessionSampleRate</span><span class="p">:</span> <span class="mf">1.0</span><span class="p">,</span> <span class="na">telemetries</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">performance</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">errors</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http</span><span class="dl">'</span><span class="p">],</span> <span class="na">identityPoolId</span><span class="p">:</span> <span class="nx">rumIdentityPool</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Grant the guest role permission to send RUM events</span> <span class="nx">guestRole</span><span class="p">.</span><span class="nf">addToPolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">rum:PutRumEvents</span><span class="dl">'</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`arn:aws:rum:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">account</span><span class="p">}</span><span class="s2">:appmonitor/</span><span class="p">${</span><span class="nx">rumAppMonitor</span><span class="p">.</span><span class="nx">ref</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">],</span> <span class="p">}),</span> <span class="p">);</span> </code></pre> </div> <p><strong>Step 2: Add the <code>/rum/*</code> behavior to your CloudFront distribution.</strong> This is the key part. I create an additional behavior that forwards requests matching <code>/rum/*</code> to the RUM data plane origin.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cf</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-cloudfront</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">origins</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib/aws-cloudfront-origins</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Build the additional behaviors map</span> <span class="kd">const</span> <span class="nx">additionalBehaviors</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">BehaviorOptions</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{};</span> <span class="c1">// Proxy RUM traffic through CloudFront</span> <span class="nx">additionalBehaviors</span><span class="p">[</span><span class="dl">'</span><span class="s1">/rum/*</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="na">origin</span><span class="p">:</span> <span class="k">new</span> <span class="nx">origins</span><span class="p">.</span><span class="nc">HttpOrigin</span><span class="p">(</span> <span class="s2">`dataplane.rum.</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">region</span><span class="p">}</span><span class="s2">.amazonaws.com`</span> <span class="p">),</span> <span class="na">viewerProtocolPolicy</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">ViewerProtocolPolicy</span><span class="p">.</span><span class="nx">HTTPS_ONLY</span><span class="p">,</span> <span class="na">cachePolicy</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">CachePolicy</span><span class="p">.</span><span class="nx">CACHING_DISABLED</span><span class="p">,</span> <span class="na">allowedMethods</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">AllowedMethods</span><span class="p">.</span><span class="nx">ALLOW_ALL</span><span class="p">,</span> <span class="na">originRequestPolicy</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">OriginRequestPolicy</span><span class="p">.</span><span class="nx">ALL_VIEWER_EXCEPT_HOST_HEADER</span><span class="p">,</span> <span class="p">};</span> <span class="c1">// Create the distribution (your existing one — just add the behavior)</span> <span class="kd">const</span> <span class="nx">distribution</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cf</span><span class="p">.</span><span class="nc">Distribution</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Distribution</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">defaultBehavior</span><span class="p">:</span> <span class="p">{</span> <span class="na">origin</span><span class="p">:</span> <span class="nx">origins</span><span class="p">.</span><span class="nx">S3BucketOrigin</span><span class="p">.</span><span class="nf">withOriginAccessControl</span><span class="p">(</span><span class="nx">websiteBucket</span><span class="p">),</span> <span class="na">viewerProtocolPolicy</span><span class="p">:</span> <span class="nx">cf</span><span class="p">.</span><span class="nx">ViewerProtocolPolicy</span><span class="p">.</span><span class="nx">REDIRECT_TO_HTTPS</span><span class="p">,</span> <span class="p">},</span> <span class="nx">additionalBehaviors</span><span class="p">,</span> <span class="na">domainNames</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">myapp.example.com</span><span class="dl">'</span><span class="p">],</span> <span class="na">certificate</span><span class="p">:</span> <span class="nx">myCertificate</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>I choose <code>ALL_VIEWER_EXCEPT_HOST_HEADER</code> because the RUM data plane expects the <code>Host</code> header to match its own domain (<code>dataplane.rum.eu-west-1.amazonaws.com</code>), not yours. If you forward the original <code>Host</code>, the request will fail with a 403.</p> <p><strong>Step 3: Point the RUM web client to your proxied endpoint.</strong> Install the <a href="https://www.npmjs.com/package/aws-rum-web" rel="noopener noreferrer">aws-rum-web</a> package and configure the <code>endpoint</code> to use your domain instead of the default AWS URL.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install the RUM web client</span> npm <span class="nb">install </span>aws-rum-web </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AwsRum</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-rum-web</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">rumClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AwsRum</span><span class="p">(</span> <span class="dl">'</span><span class="s1">your-app-monitor-id</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// from the CfnAppMonitor</span> <span class="dl">'</span><span class="s1">1.0.0</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// your app version</span> <span class="dl">'</span><span class="s1">eu-west-1</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// region</span> <span class="p">{</span> <span class="na">sessionSampleRate</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">identityPoolId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">eu-west-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// This is the magic line — point to your own domain</span> <span class="na">endpoint</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://myapp.example.com/rum/</span><span class="dl">'</span><span class="p">,</span> <span class="na">telemetries</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">performance</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">errors</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http</span><span class="dl">'</span><span class="p">],</span> <span class="na">allowCookies</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableXRay</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>Et voilà! The browser now sends RUM telemetry to <code>https://myapp.example.com/rum/</code>, which CloudFront proxies to the actual RUM data plane. Ad blockers see a first-party request and leave it alone.</p> <p><strong>Things to know</strong></p> <ul> <li> <strong>Ad blocker filter lists</strong> — Popular lists like EasyPrivacy and uBlock filters include patterns matching <code>dataplane.rum.*.amazonaws.com</code> and the RUM CDN script URL (<code>client.rum.*.amazonaws.com</code>). By proxying through your own domain, you bypass both. If you use the NPM installation method (recommended), the script itself is bundled in your app — only the data plane calls need proxying.</li> <li> <strong>Pricing</strong> — $1 per 100,000 RUM events. A typical visit generates ~20 events. For 500K monthly visits: ~$100/month. CloudFront proxy overhead is negligible.</li> <li> <strong>Session sample rate</strong> — In production, consider setting <code>sessionSampleRate</code> to something lower than <code>1</code> (e.g., <code>0.1</code> for 10% sampling) to control costs while still getting statistically meaningful data.</li> <li> <strong>X-Ray integration</strong> — With <code>enableXRay: true</code>, RUM traces connect to your backend X-Ray traces, giving you end-to-end visibility from the browser click to the database query. </li> </ul> <p>CloudWatch RUM is one of those "set it and forget it" services that quietly delivers real value — but only if it actually receives data. If you're already using it, proxy it through your own domain or you're likely missing a significant chunk of your user base. And if you're not using it yet, I'd strongly suggest you <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-RUM.html" rel="noopener noreferrer">have a look</a> — understanding how real users experience your app is worth the small setup effort.</p> <p>— Jerome</p> analytics aws monitoring webdev Control Your Tesla from the Terminal with a Kiro CLI Skill Jérôme GUYON Thu, 16 Apr 2026 08:49:16 +0000 https://forem.com/aws-builders/control-your-tesla-from-the-terminal-with-a-kiro-cli-skill-472g https://forem.com/aws-builders/control-your-tesla-from-the-terminal-with-a-kiro-cli-skill-472g <p>🔗 <a href="https://github.com/guyon-it-consulting/myteslamate-skills-and-power" rel="noopener noreferrer">https://github.com/guyon-it-consulting/myteslamate-skills-and-power</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpba05j5jp5o47rim0kbg.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpba05j5jp5o47rim0kbg.gif" alt="Demo" width="708" height="450"></a></p> <p>Last Tuesday, I was deep into a CDK refactor — the kind where I have 14 files open and I'm scared to blink. Then a thought hit me: did I turn on Sentry mode? My car was parked at the train station. I could grab my phone, open the Tesla app, wait for it to wake the car, scroll to Security, check the toggle… or I could just not break my flow.</p> <p>What if I could ask my coding assistant instead?</p> <p>Turns out, I can. I built a Kiro CLI skill that lets me control my Tesla straight from the terminal. <strong>It was also the perfect excuse to learn how to create a Kiro CLI Skill 😊</strong> — and what better way to test a new feature than with something fun? Check the battery, lock the doors, toggle Sentry mode, pull up charging stats — all without leaving my editor. The secret ingredient? An MCP server that wraps APIs that any AI assistant can call.</p> <h2> What is MyTeslaMate? </h2> <p>Before we get to the skill itself, let me introduce the engine behind it.</p> <p><a href="https://myteslamate.com" rel="noopener noreferrer">MyTeslaMate</a> is the hosted version of <a href="https://github.com/teslamate-org/teslamate" rel="noopener noreferrer">TeslaMate</a>, the most popular open-source data logger for Tesla vehicles. If you own a Tesla and you haven't heard of TeslaMate, stop reading and go look at it. It continuously records every drive, charge session, sleep cycle, and software update into a PostgreSQL database, and exposes rich Grafana dashboards — battery degradation, charging curves, trip history, lifetime stats, vampire drain, efficiency trends, and more.</p> <p>MyTeslaMate takes all of that and hosts it for you. No Docker, no self-hosting, no database maintenance. It adds premium features like supercharger cost import, automations, fleet management, and — this is the part we care about — an MCP server.</p> <p>The MCP server at <code>https://mcp.myteslamate.com/mcp</code> wraps two APIs into a single endpoint:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>API</th> <th>Tools</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td>Tesla Fleet API</td> <td>98</td> <td>Vehicle commands, energy control, charging, navigation, security</td> </tr> <tr> <td>TeslaMate API</td> <td>9</td> <td>Drive stats, charging analytics, efficiency data, trip history</td> </tr> </tbody> </table></div> <p>That's <strong>100+ tools</strong> accessible from any MCP-compatible AI assistant. Authentication is handled via OAuth SSO with Tesla's authorization server.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwhc5uxby03ify43j94z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwhc5uxby03ify43j94z.png" alt="MyTeslaMate dashboard" width="800" height="621"></a></p> <h2> What is a Kiro CLI Skill? </h2> <p>A skill is how you teach Kiro CLI about a specific domain. It's a markdown file with YAML frontmatter that describes what the skill does and when to activate it. Think of it as a cheat sheet that Kiro loads on demand — it doesn't bloat your context until you actually need it.</p> <p>A skill has two parts:</p> <p><strong>The frontmatter</strong> — metadata that tells Kiro when to load the skill:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tesla-commands</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Control your Tesla vehicle and energy products via MyTeslaMate MCP server.</span> <span class="s">Use when the user asks about their car, vehicle status, lock/unlock, climate control, charging, Powerwall, solar production, energy optimization, Sentry mode, trip planning, drive statistics, or any Tesla-related query. Triggers on "tesla", "my car", "vehicle",</span> <span class="s">"charge", "battery", "climate", "powerwall", "solar", "sentry", "lock", "unlock",</span> <span class="s">"supercharger", "road trip", "energy", "charging history", "drive stats".</span> <span class="nn">---</span> </code></pre> </div> <p><strong>The body</strong> — capabilities, workflow instructions, and safety rules that guide the agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Tesla Commands</span> The <span class="sb">`tesla-mcp`</span> server exposes <span class="gs">**100+ tools**</span>. <span class="gu">## Capabilities</span> <span class="gu">### Vehicle Control (64 commands)</span> <span class="p">-</span> Doors &amp; Access: lock, unlock, open/close trunk, open frunk <span class="p">-</span> Climate: start/stop HVAC, set temps, seat heaters, steering wheel heater <span class="p">-</span> Charging: start/stop charge, set charge limit, schedule charging ... <span class="gu">## Workflow</span> <span class="p">1.</span> Use @tesla-mcp tools directly for all Tesla operations. <span class="p">2.</span> Check current state before making changes. <span class="p">3.</span> Wake the vehicle before sending action commands if the car is asleep. <span class="gu">## Safety</span> <span class="p">-</span> Confirm with the user before executing security-sensitive commands. <span class="p">-</span> Always show current state before making changes. </code></pre> </div> <p>The skill lives in <code>~/.kiro/skills/tesla-commands/SKILL.md</code>. But a skill alone isn't enough — you also need an <strong>agent</strong> that knows how to use it.</p> <h2> The Tesla agent configuration </h2> <p>I created a dedicated agent: a JSON file that ties everything together: the skill, the MCP server and the tools.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tesla"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Tesla vehicle and energy control agent via MyTeslaMate MCP server"</span><span class="p">,</span><span class="w"> </span><span class="nl">"prompt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"You help the user monitor and control their Tesla vehicle and energy products. Use the tesla-mcp tools for all operations. Present data in a human-readable format. Confirm before executing security-sensitive commands."</span><span class="p">,</span><span class="w"> </span><span class="nl">"tools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"shell"</span><span class="p">,</span><span class="w"> </span><span class="s2">"grep"</span><span class="p">,</span><span class="w"> </span><span class="s2">"glob"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@tesla-mcp"</span><span class="p">],</span><span class="w"> </span><span class="nl">"allowedTools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@tesla-mcp"</span><span class="p">],</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"skill://.kiro/skills/tesla-commands/SKILL.md"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tesla-mcp"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://mcp.myteslamate.com/mcp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"welcomeMessage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Tesla control ready. What would you like to do with your car?"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>A few things worth noting here:</p> <ul> <li> <code>resources</code> uses the <code>skill://</code> URI scheme. This tells Kiro to load the skill's metadata at startup but defer loading the full content until it's actually needed. No wasted context. (See <a href="https://kiro.dev/docs/cli/custom-agents/configuration-reference" rel="noopener noreferrer">Agent Configuration Reference</a> in the Kiro docs: <em>"skill:// — Skills progressively loaded on demand"</em>.)</li> <li> <code>mcpServers</code> points to the remote MyTeslaMate MCP server in this case, no local mcp server needed.</li> <li> <code>allowedTools</code> auto-approves <code>read</code> and all <code>@tesla-mcp</code> tools so you don't get prompted for every single API call.</li> </ul> <h2> How to set it up </h2> <p><strong>Prerequisites:</strong> You'll need a Tesla vehicle (obviously) and a <a href="https://myteslamate.com" rel="noopener noreferrer">MyTeslaMate</a> account. Sign up, link your Tesla account, and pick a subscription plan. This gives you access to the MCP server and the TeslaMate analytics dashboards.</p> <p><strong>Step 1:</strong> Clone the repo and copy the files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/guyon-it-consulting/myteslamate-skills-and-power.git <span class="nb">cd </span>myteslamate-skills-and-power <span class="c"># Copy the skill</span> <span class="nb">cp</span> <span class="nt">-r</span> kiro/skills/tesla-commands ~/.kiro/skills/ <span class="c"># Copy the agent</span> <span class="nb">cp </span>kiro/agents/tesla.json ~/.kiro/agents/ </code></pre> </div> <p><strong>Step 2:</strong> Start a new Kiro CLI session and switch to Tesla Agent<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>kiro-cli <span class="go"> /agent swap tesla ✔ Switched to agent: tesla Tesla control ready. What would you like to do with your car? </span></code></pre> </div> <p><strong>Step 3:</strong> Authenticate with Tesla.</p> <p>Run <code>/mcp</code>. The <code>tesla-mcp</code> server will show <code>⚠ auth-required</code>. Follow the instructions to copy the OAuth URL, open it in your browser, and sign in with your Tesla account. This is a one-time step — the token persists across sessions.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiobcml9paboucvq4yr6m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiobcml9paboucvq4yr6m.png" alt="OAuth flow" width="800" height="553"></a></p> <h2> Using it </h2> <p>Now the fun part. Just talk naturally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Is Sentry mode on? Nope — Sentry Mode is currently off on your Model Y. It is available though, so I can turn it on for you if you'd like. Want me to enable it? </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; What's my battery at? Fresh data from TeslaMate: - Battery level: 80% (hit your charge limit!) - Estimated range: ~411 km - Charging state: Complete — plugged in but done charging - Energy added this session: 34.1 kWh Looks like it finished charging since we last checked (was at 77% earlier). You're topped up to your 80% limit. </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Lock my car Your car is already locked according to the latest status. No action needed! </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; How much did I spend on charging this month? Here's your April charging summary (so far, through April 10): ┌──────────────────┬──────────┬───────────────┬────────────┐ │ Type │ Sessions │ Energy │ Cost │ ├──────────────────┼──────────┼───────────────┼────────────┤ │ Supercharger │ 2 │ 105.0 kWh │ €37.88 │ │ Home/Destination │ 5 │ 60.98 kWh │ €0* │ │ **Total** │ **7** │ **166.0 kWh** │ **€37.88** │ └──────────────────┴──────────┴───────────────┴────────────┘ No Data, estimating home/destination charging at ~€0.25/kWh, that's roughly €15 extra, bringing the estimated total to around €53 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; What's my battery health status ? Your battery is in great shape: - Battery health: 98.6% - Current capacity: 75.7 kWh (out of 76.8 kWh max) - Current max range: 506 km (vs 512 km when new) - Degradation: only ~1.4% Very healthy for a car with 435 drives logged. Nothing to worry about there. </code></pre> </div> <p>The agent checks the current state before making changes, asks for confirmation on security-sensitive commands, and presents data with proper units. All of that behavior comes from the SKILL.md instructions.</p> <h2> Things to know </h2> <ul> <li><p><strong>100+ tools, one endpoint.</strong> The MyTeslaMate MCP server covers vehicle control, vehicle data, energy/Powerwall/solar, charging history, and TeslaMate analytics. You don't need to know which API to call — the agent figures it out.</p></li> <li><p><strong>Wake before you command.</strong> Tesla vehicles go to sleep to save battery. The skill instructs the agent to wake the car before sending action commands. You'll see a brief delay the first time.</p></li> <li><p><strong>Safety checks.</strong> The skill explicitly tells the agent to confirm before executing unlock, disable Sentry, remote start, or erase data. You won't accidentally unlock your car because of a typo.</p></li> <li><p><strong>OAuth, not API keys.</strong> Authentication goes through Tesla's OAuth flow via MyTeslaMate. The token is scoped and can be revoked from your Tesla account at any time.</p></li> </ul> <p>— Jérôme</p> kiro aws tesla myteslamate