#Run AWS CLI commands from inside the NemoClaw sandbox (for things like CloudWatch log analysis).


heady siren
#

Hey everyone 👋

I'm running into a networking limitation with my NemoClaw + OpenShell setup and wanted to check if anyone has solved something similar.

Setup:

AWS EC2 → Docker → OpenShell (K3s) → NemoClaw sandbox (agent)

Goal:
Run AWS CLI commands from inside the NemoClaw sandbox (for things like CloudWatch log analysis).


Current behavior:

  • The sandbox only allows outbound traffic via OpenShell’s internal proxy:

    10.200.0.1:3128
    
  • This proxy appears restricted to:

    inference.local (Bedrock via BAG)
    
  • All other external endpoints (like *.amazonaws.com) are blocked.


What I’ve tried:

  • ✅ AWS CLI installed inside sandbox
  • ✅ IAM credentials injected via sandbox env
  • ✅ Bedrock works fine via BAG
  • ❌ Direct AWS CLI calls fail (no network access)
  • ❌ Tried running Squid proxy on EC2 host (--network host)
  • ❌ Sandbox cannot reach host ports (network isolation)

Questions:

  1. Is there any way to allow outbound access (e.g., *.amazonaws.com) through the OpenShell proxy?
  2. Does OpenShell support any network allowlist or proxy config for sandbox egress?
  3. Has anyone successfully run AWS CLI from inside NemoClaw sandbox?
  4. Is the intended pattern to move AWS interactions outside the sandbox (e.g., gateway/tool execution)?

Any insights would be really helpful — thanks in advance 🙏
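
One way to confirm from inside the sandbox which destinations the proxy at 10.200.0.1:3128 will tunnel to, as an added example that is not part of the original post or of OpenShell's tooling: it sends one HTTP CONNECT per target and records the proxy's status line. The CloudWatch Logs and STS hostnames, and the us-east-1 region, are assumed sample targets.

```python
import socket

def is_allowed(status_line):
    """True only for a well-formed 2xx reply, i.e. the proxy opened the tunnel."""
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].startswith("2")

def probe_connect(proxy, target, timeout=3.0):
    """Ask the proxy to CONNECT to target ("host:port").

    Returns (allowed, detail); detail is the proxy's status line, or the
    socket error when the proxy itself cannot be reached.
    """
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            req = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
            s.sendall(req.encode("ascii"))
            buf = b""
            # Only the first line is needed; stop as soon as it is complete.
            while b"\r\n" not in buf and len(buf) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
    except OSError as exc:
        return False, f"proxy unreachable: {exc}"
    status_line = buf.split(b"\r\n", 1)[0].decode("latin-1")
    return is_allowed(status_line), status_line

def egress_report(proxy, targets):
    """Map each target to its (allowed, detail) result."""
    return {t: probe_connect(proxy, t) for t in targets}

if __name__ == "__main__":
    proxy = ("10.200.0.1", 3128)              # proxy address from the post
    targets = [
        "inference.local:443",                # reported as working
        "logs.us-east-1.amazonaws.com:443",   # assumed region, CloudWatch Logs
        "sts.amazonaws.com:443",              # assumed target, STS
    ]
    for target, (ok, detail) in egress_report(proxy, targets).items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {target:40} {detail}")
```

A 403 or 407 status line points to a proxy policy decision, while "proxy unreachable" points to network isolation below the proxy.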
