application-signals-mcp:CallReadOnlyTool

Read

application-signals-mcp:CallReadOnlyTool is a Read access-level action in the application-signals-mcp service. Grants permission to invoke read-only Application Signals MCP tools (list_monitored_services, get_service_detail, query_service_metrics, list_service_operations, get_slo, list_slos, search_transaction_spans, query_sampled_traces, list_slis, get_enablement_guide, list_change_events, list_group_services, audit_group_health, get_group_dependencies, get_group_changes, list_grouping_attribute_definitions, audit_services, audit_slos, audit_service_operations, analyze_canary_failures)

Resource types

ARNs that application-signals-mcp:CallReadOnlyTool can be scoped to in an IAM policy.

arn:${Partition}:application-signals-mcp:${Region}:${Account}:mcp-server/ required
mcp-server

Condition keys

Keys you can use in the Condition block of a policy that grants application-signals-mcp:CallReadOnlyTool.

aws:ResourceTag/${TagKey} String

Filters access by tag key-value pairs attached to the resource

Example IAM policy

A minimal policy that allows application-signals-mcp:CallReadOnlyTool. Replace "Resource": "*" with a specific ARN to follow least privilege.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowApplicationsignalsmcpCallReadOnlyTool",
      "Effect": "Allow",
      "Action": "application-signals-mcp:CallReadOnlyTool",
      "Resource": "*"
    }
  ]
}

Related actions in application-signals-mcp

View all application-signals-mcp actions →