/**
 * TypeScript-emitted CommonJS interop helper.
 * Returns `mod` unchanged when it already carries the `__esModule` flag
 * (i.e. it is a compiled ES-module namespace); otherwise wraps it so that
 * `.default` resolves to the raw CommonJS export.
 * If the host object already provides `this.__importDefault`, that one is reused.
 */
var __importDefault = (this && this.__importDefault) || function (mod) {
    const isEsModuleNamespace = Boolean(mod && mod.__esModule);
    if (isEsModuleNamespace) {
        return mod;
    }
    return { "default": mod };
};
// Mark this compiled module as an ES-module namespace so the interop helpers above treat it as such
Object.defineProperty(exports, "__esModule", { value: true });
// Project-internal helpers: contextual logger and the MCP error-response formatter
const logger_util_js_1 = require("../utils/logger.util.js");
const error_util_js_1 = require("../utils/error.util.js");
// Controller that drives the AWS SSO login; its default export is reached via `.default`
const aws_sso_auth_controller_js_1 = __importDefault(require("../controllers/aws.sso.auth.controller.js"));
// Runtime schema validation for tool arguments supplied by the model
const zod_1 = require("zod");
/**
 * AWS SSO Authentication Tool Module
 *
 * Provides MCP tools for authenticating with AWS SSO and managing authentication state.
 * These tools enable AI models to initiate the login flow and verify authentication status.
 * The only tool registered in this file is `login` (see registerTools below).
 */
// Module-scoped logger; per-handler loggers below carry an extra function-name context
const toolLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.auth.tool.ts');
// Emitted once at require() time so module load order is visible in debug logs
toolLogger.debug('AWS SSO authentication tool module initialized');
/**
 * Handler for the MCP `login` tool.
 * Starts the AWS SSO login through the auth controller, always with token polling
 * enabled, and converts the controller result into an MCP text response.
 * Any error thrown by the controller is logged and returned as a formatted MCP error
 * response rather than propagated to the caller.
 * @param args Tool arguments; only `launchBrowser` is read here
 * @param _extra Extra request handler information (unused)
 * @returns MCP response `{ content: [{ type: 'text', text }], metadata }` on success,
 *          or the value of formatErrorForMcpTool(error) on failure
 */
async function handleLogin(args, _extra) {
    const loginLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.auth.tool.ts', 'handleLogin');
    // `args` is logged at debug level; the registered schema only allows `launchBrowser`,
    // so nothing sensitive lands in the log — keep that in mind if the schema grows.
    loginLogger.debug('Handling login request', args);
    try {
        // Polling is forced on: in API mode there is no interactive caller to re-poll.
        const loginOptions = {
            autoPoll: true,
            launchBrowser: args.launchBrowser,
        };
        const { content, metadata } = await aws_sso_auth_controller_js_1.default.startLogin(loginOptions);
        // Wrap the controller's markdown in a single MCP text content item.
        const textItem = { type: 'text', text: content };
        return { content: [textItem], metadata };
    } catch (error) {
        loginLogger.error('Login failed', error);
        return (0, error_util_js_1.formatErrorForMcpTool)(error);
    }
}
/**
 * Register the AWS SSO auth tools with an MCP server.
 * Registers exactly one tool, `login`, whose arguments are validated by the
 * zod shape built here and whose invocations are handled by handleLogin.
 * @param server MCP server instance exposing `tool(name, description, shape, handler)`
 */
function registerTools(server) {
    const registerLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.auth.tool.ts', 'registerTools');
    registerLogger.debug('Registering AWS SSO auth tools');
    // Input contract for the login tool: a single optional boolean defaulting to true.
    const launchBrowserField = zod_1.z
        .boolean()
        .optional()
        .default(true)
        .describe('Whether to automatically launch a browser for authentication (default: true)');
    const LoginArgs = zod_1.z.object({ launchBrowser: launchBrowserField });
    // Model-facing description. NOTE(review): the NOTES line says the flow is PKCE-based,
    // while the PURPOSE line (and startLogin in handleLogin) describe the device
    // authorization flow with a verification code — confirm against the controller so the
    // text the model relies on is accurate.
    const loginDescription = `Authenticate with AWS SSO via browser.
PURPOSE: Initiates AWS SSO device authorization flow, launching a browser for login,
and automatically polls for token completion.
WHEN TO USE:
- Before accessing any AWS resources
- When your authentication token has expired
- As the first step in any AWS SSO workflow
WHEN NOT TO USE:
- When you're already authenticated (unless you explicitly want to reauthenticate)
NOTES:
- Browser launch can be disabled with launchBrowser: false
- Authentication flow is PKCE-based with a verification code displayed
- Temporary credentials are acquired via SSO, not long-term access keys
RETURNS: Markdown output with either login instructions or authentication success confirmation
(including available AWS accounts if successfully authenticated).
EXAMPLES:
- Basic usage: {}
- Without browser launch: { launchBrowser: false }
ERRORS:
- Browser launch failure: If unable to open browser automatically
- Authentication timeout: If user doesn't complete authentication in time
- AWS SSO service errors: If unable to connect to AWS SSO service`;
    // The raw `.shape` is passed (not the ZodObject) as the SDK's tool() signature expects.
    server.tool('login', loginDescription, LoginArgs.shape, handleLogin);
    registerLogger.debug('AWS SSO auth tools registered');
}
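// Export the register function as the module's default export; the stray empty
// statement that followed the assignment has been dropped (it had no effect).
exports.default = { registerTools };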