Prerequisites

Before installing the Nova Act CLI, ensure you have the following requirements:

  • AWS CLI: configured with appropriate permissions
  • Docker: installed and running for container builds
  • Python 3.10+: required for running the CLI
  • IAM Permissions: access to ECR, AgentCore, IAM, and S3

Install via pip

Install the Nova Act CLI with the [cli] extra to include all command-line dependencies:
pip install "nova-act[cli]"
The quotes keep shells such as zsh from treating the square brackets as a glob pattern. The [cli] extra includes all dependencies needed for the command-line interface. If you only need the Nova Act SDK for programmatic use, install without the extra:
pip install nova-act

Verify Installation

Confirm the CLI is installed correctly:
act --version
You should see output similar to:
Nova Act CLI, version 1.0.0

Check Help

View available commands:
act --help
View workflow-specific commands:
act workflow --help

Verify Prerequisites

1. Check AWS CLI Configuration

Verify AWS credentials are configured:
aws sts get-caller-identity
Expected output:
{
    "UserId": "AIDAXXXXXXXXXXXXXXXXX",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/your-username"
}
If this fails, run aws configure to set up your credentials.

2. Check Docker

Ensure Docker is installed and running:
docker --version
Expected output:
Docker version 24.0.0, build abc1234
Test Docker is running:
docker ps
If you see “Cannot connect to the Docker daemon”, start Docker Desktop or the Docker service.

3. Check Python Version

Verify Python 3.10 or higher is installed:
python --version
Expected output:
Python 3.10.0 (or higher)

Configure AWS Credentials

The CLI uses standard AWS credential resolution. Configure credentials using any of these methods:
Configure credentials interactively:
aws configure
Provide:
  • AWS Access Key ID
  • AWS Secret Access Key
  • Default region (e.g., us-east-1)
  • Default output format (e.g., json)

AWS Permissions Required

The CLI requires specific IAM permissions. Choose the appropriate policy based on your use case:

Complete Policy (All Features)

For full CLI functionality including deployment and execution:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "STSIdentityVerification",
      "Effect": "Allow",
      "Action": ["sts:GetCallerIdentity"],
      "Resource": "*"
    },
    {
      "Sid": "IAMRoleManagement",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/nova-act-*"
    },
    {
      "Sid": "ECRRepositoryManagement",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:DescribeRepositories",
        "ecr:CreateRepository"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRImageOperations",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws:ecr:*:*:repository/*"
    },
    {
      "Sid": "S3BucketManagement",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:HeadBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:PutBucketPublicAccessBlock",
        "s3:GetBucketPublicAccessBlock",
        "s3:PutBucketEncryption",
        "s3:GetBucketEncryption",
        "s3:PutBucketVersioning",
        "s3:GetBucketVersioning",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::nova-act-*"
    },
    {
      "Sid": "S3ObjectOperations",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::nova-act-*/*"
    },
    {
      "Sid": "BedrockAgentCoreControl",
      "Effect": "Allow",
      "Action": [
        "bedrock-agentcore:CreateAgentRuntime",
        "bedrock-agentcore:UpdateAgentRuntime",
        "bedrock-agentcore:ListAgentRuntimes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "BedrockAgentCoreData",
      "Effect": "Allow",
      "Action": ["bedrock-agentcore:InvokeAgentRuntime"],
      "Resource": "*"
    },
    {
      "Sid": "NovaActWorkflowDefinitions",
      "Effect": "Allow",
      "Action": [
        "nova-act:CreateWorkflowDefinition",
        "nova-act:GetWorkflowDefinition",
        "nova-act:DeleteWorkflowDefinition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogsStreaming",
      "Effect": "Allow",
      "Action": [
        "logs:StartLiveTail",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}
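
The IAMRoleManagement statement above lets the caller create nova-act-* roles and attach any policy to them, and several other statements allow write-type actions on Resource "*". The following added example (not part of the Nova Act documentation) audits a policy document for those two patterns; the finding names, the verb heuristic and the boundary ARN are assumptions of the example.

```python
from fnmatch import fnmatchcase

ROLE_WRITE = ("iam:createrole", "iam:putrolepolicy", "iam:attachrolepolicy")
MUTATING = ("create", "put", "update", "delete", "attach", "invoke")  # heuristic

def as_list(value):
    """IAM accepts one value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def has_boundary(stmt):
    """True if any condition operator tests the iam:PermissionsBoundary key."""
    return any(key.lower() == "iam:permissionsboundary"
               for block in stmt.get("Condition", {}).values() for key in block)

def audit(policy):
    """Return (sid, finding) pairs for the Allow statements of a policy."""
    findings = []
    for n, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        sid = stmt.get("Sid", f"statement[{n}]")
        actions = [a.lower() for a in as_list(stmt["Action"])]
        # Action patterns such as "iam:*" also cover the role-write calls.
        covers_role_write = any(fnmatchcase(w, a) for w in ROLE_WRITE for a in actions)
        if covers_role_write and not has_boundary(stmt):
            findings.append((sid, "role-write-without-permissions-boundary"))
        broad = [a for a in actions
                 if "*" in a or a.partition(":")[2].startswith(MUTATING)]
        if broad and "*" in as_list(stmt.get("Resource", [])):
            findings.append((sid, "mutating-action-on-wildcard-resource"))
    return findings

# Constructed input: two statements taken from the Complete Policy above plus a
# bounded variant (placeholder boundary ARN). The variant omits iam:GetRole
# because the condition key is absent from read-only calls.
WRITES = ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"]
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IAMRoleManagement", "Effect": "Allow",
     "Action": WRITES + ["iam:GetRole"], "Resource": "arn:aws:iam::*:role/nova-act-*"},
    {"Sid": "IAMRoleManagementBounded", "Effect": "Allow", "Action": WRITES,
     "Resource": "arn:aws:iam::*:role/nova-act-*",
     "Condition": {"StringEquals": {"iam:PermissionsBoundary":
                   "arn:aws:iam::123456789012:policy/EXAMPLE-BOUNDARY"}}},
    {"Sid": "BedrockAgentCoreData", "Effect": "Allow", "Resource": "*",
     "Action": ["bedrock-agentcore:InvokeAgentRuntime"]},
]}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding is a prompt for review, not proof of a problem: some actions, such as ecr:GetAuthorizationToken, only accept Resource "*".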

Minimal Policy (Run Workflows Only)

For users who only need to execute existing workflows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "bedrock-agentcore:InvokeAgentRuntime",
        "logs:StartLiveTail",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}

Developer Policy (Deploy Without IAM Role Creation)

For developers who deploy workflows but use pre-created execution roles:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:GetCallerIdentity"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:GetRole"],
      "Resource": "arn:aws:iam::*:role/nova-act-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:DescribeRepositories",
        "ecr:CreateRepository",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:HeadBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:PutBucketPublicAccessBlock",
        "s3:GetBucketPublicAccessBlock",
        "s3:PutBucketEncryption",
        "s3:GetBucketEncryption",
        "s3:PutBucketVersioning",
        "s3:GetBucketVersioning",
        "s3:ListAllMyBuckets",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::nova-act-*",
        "arn:aws:s3:::nova-act-*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "bedrock-agentcore:CreateAgentRuntime",
        "bedrock-agentcore:UpdateAgentRuntime",
        "bedrock-agentcore:ListAgentRuntimes",
        "bedrock-agentcore:InvokeAgentRuntime"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "nova-act:CreateWorkflowDefinition",
        "nova-act:GetWorkflowDefinition",
        "nova-act:DeleteWorkflowDefinition"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:StartLiveTail",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}
Provide the existing role with the --execution-role-arn flag:
act workflow deploy --source-dir /path/to/code \
  --execution-role-arn arn:aws:iam::123456789012:role/my-execution-role

Region Support

Important: The AWS Nova Act service is currently only available in us-east-1. While the CLI supports multi-region configuration, workflows must be deployed to us-east-1.

Next Steps

Commands Reference

Learn all available CLI commands

Deploy Your First Workflow

Follow the deployment guide
