⭐️ Integrating with AWS

Moment ships with first-class AWS support so you never have to paste long-lived access keys into an environment. Sign in once via the AWS SSO flow, and Moment's built-in Rust proxy will sign every outbound AWS call on your behalf using SigV4. Your JavaScript code only ever sees a placeholder — the real credentials live in the proxy and are spliced in at the network layer.

This is a different mechanism from the {{env.X}} Mustache variables described in ⭐️ Working with Environments. AWS credentials are exposed through a runtime object (env._aws) inside JavaScript request pages, not through Mustache substitution.

Signing in to AWS

Open the environment selector in the top right.

Choose Sign in to AWS.

Complete the SSO flow in your browser. Moment receives a short-lived credential set scoped to your selected role and region.

The session is held by the local Rust proxy. When the session expires, the environment selector will prompt you to sign in again.

You can switch roles or accounts at any time from the same selector. Each Moment environment can have its own AWS sign-in, so you can keep staging and production AWS sessions side by side and swap between them with a single click.

Calling AWS from a JavaScript request page

AWS calls are made from request pages with type: javascript. Inside the code body, the runtime exposes an env argument with two AWS-specific fields:

env._aws.region — the region selected during sign-in (e.g., us-west-2).

env._aws.credentials — an object with accessKeyId, secretAccessKey, and sessionToken. These are placeholder values. The proxy replaces them with real credentials and re-signs the request before it leaves the machine.

Construct AWS SDK v3 clients with both fields. Here is a minimal GetCallerIdentity call that confirms who you are signed in as:

Invoke it from a code cell the same way you would any other request page:

The response includes the IAM account, ARN, and user ID — useful as a smoke test that your sign-in worked.

A larger example: listing S3 buckets

This same shape works for any AWS SDK v3 client: import the client and command, construct the client with env._aws, and return the response.

Parameterizing AWS requests

JavaScript request pages do not support {{env.X}} substitution — only env._aws is provided at runtime. They do support {{params.X}} substitution, which lets callers pass values in via query() or mutation(). Use this to parameterize bucket names, table names, regions, and so on:

Call it with overrides:

Common AWS SDK clients

Import any AWS SDK v3 client from https://cdn.skypack.dev/@aws-sdk/client-*@3.716.0. A few of the most commonly used:

client-s3 — object storage (ListBucketsCommand, GetObjectCommand, PutObjectCommand)

client-sts — identity (GetCallerIdentityCommand, AssumeRoleCommand)

client-lambda — invoke functions (InvokeCommand, ListFunctionsCommand)

client-dynamodb — key-value store (QueryCommand, GetItemCommand, PutItemCommand)

client-ec2 — instances and networking (DescribeInstancesCommand)

client-ecs — containers (ListClustersCommand, DescribeServicesCommand)

client-cloudwatch — metrics (GetMetricDataCommand)

client-cloudwatch-logs — log groups (FilterLogEventsCommand)

Pin the version (@3.716.0) to keep behavior stable as Skypack updates upstream.

Why this design

Routing AWS credentials through the proxy keeps them out of every part of the system most likely to leak them. A pasted screenshot, a shared .moment directory, an exported HAR file, a console log — none of these contain anything more than the literal string env._aws.credentials. The real session token only exists at the moment a request is on its way to AWS, and only inside a process you control on your own machine.

Combined with version-controlled Markdown pages, this means you can commit and share an entire AWS dashboard — request pages, code cells, charts — and a teammate can sign in with their own account and run the same document against their own infrastructure without ever seeing yours.
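
A pre-share check for the artifacts listed above, as an added example that is not part of Moment or its documentation: it scans page source, logs, or a HAR export for AWS key IDs, SigV4 Authorization headers, and session-token headers. The function names and sample inputs are constructed, and it assumes Moment's placeholder values do not themselves match the AWS key ID format.

```javascript
// Added example: pre-share scan for live AWS credential material.
// Function names and sample data are hypothetical / constructed.
const PATTERNS = [
  // AKIA = long-lived IAM user key ID, ASIA = temporary (STS/SSO) key ID.
  { kind: "access-key-id", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  // SigV4 Authorization header: evidence the request was signed with a real key.
  { kind: "sigv4-authorization",
    re: /AWS4-HMAC-SHA256 Credential=[^\/\s]+\/\d{8}\/[a-z0-9-]+\/[a-z0-9-]+\/aws4_request/g },
];

// Scan free text (page source, console log); matches are truncated in the report.
function scanText(text, where) {
  const findings = [];
  for (const { kind, re } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ where, kind, sample: m[0].slice(0, 8) + "..." });
    }
  }
  return findings;
}

// Scan a HAR export: walk every request header of every entry.
function scanHar(harJson) {
  const findings = [];
  const entries = JSON.parse(harJson).log?.entries ?? [];
  entries.forEach((entry, i) => {
    for (const h of entry.request?.headers ?? []) {
      const where = `entry ${i}, header ${h.name}`;
      // Any non-empty session token header is a finding by itself.
      if (h.name.toLowerCase() === "x-amz-security-token" && h.value) {
        findings.push({ where, kind: "session-token", sample: "(redacted)" });
      }
      findings.push(...scanText(String(h.value), where));
    }
  });
  return findings;
}

// Constructed inputs: a page that only references the runtime object, and a HAR
// captured after signing (key ID is AWS's published documentation example).
const SAMPLE_PAGE = "new S3Client({ region: env._aws.region, credentials: env._aws.credentials })";
const SAMPLE_HAR = JSON.stringify({ log: { entries: [{ request: { headers: [
  { name: "Authorization", value: "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20250101/us-west-2/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=" + "0".repeat(64) },
  { name: "X-Amz-Security-Token", value: "constructed-token-value" },
] } }] } });

console.log(scanText(SAMPLE_PAGE, "page"), scanHar(SAMPLE_HAR));
```

An empty result is the expected outcome for anything you commit or attach under this design; a finding means the artifact was captured somewhere that held real credentials.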

Troubleshooting

"The security token included in the request is invalid" — your SSO session expired. Sign in again from the environment selector.

env._aws is undefined in a code cell: env._aws is only available inside type: javascript request pages. From a code cell, call the request page via query() or mutation() instead of trying to read env._aws directly.

Region mismatch: env._aws.region is fixed by the SSO sign-in. To target a different region, override it on the client (new S3Client({ region: "us-east-1", credentials: env._aws.credentials })) or pass it through {{params.region}}.

Permission denied — Moment uses whatever IAM role the SSO session resolves to. If a call returns AccessDenied, the fix is upstream in your AWS account, not in Moment.

See also

Working with Secrets — covers {{env.X}} environment variables, workspace secrets, and how non-AWS credentials flow through the proxy.