
@aashari/mcp-server-aws-sso


Node.js/TypeScript MCP server for AWS Single Sign-On (SSO). Enables AI systems (LLMs) with tools to initiate SSO login (device auth flow), list accounts/roles, and securely execute AWS CLI commands using temporary credentials. Streamlines AI interaction w

"use strict";
// Compiler-emitted interop helper: hands back a module that already carries
// the __esModule marker, and wraps anything else as { default: mod }.
var __importDefault = (this && this.__importDefault) || function (mod) {
    if (mod && mod.__esModule) {
        return mod;
    }
    return { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
const logger_util_js_1 = require("../utils/logger.util.js");
const error_util_js_1 = require("../utils/error.util.js");
const aws_sso_types_js_1 = require("./aws.sso.types.js");
const aws_sso_exec_controller_js_1 = __importDefault(require("../controllers/aws.sso.exec.controller.js"));
const command_util_js_1 = require("../utils/command.util.js");
/**
 * AWS SSO execution tool module.
 *
 * Registers the MCP `exec` tool. The tool takes an account id, a role name,
 * an optional region and a command string, tokenises the command with
 * parseCommand and hands everything to the exec controller. Credential
 * acquisition and process execution happen in the controller, not here.
 *
 * Trust boundary: the arguments arrive from the MCP client (typically a
 * model), so everything in `args` should be treated as untrusted input.
 */
// Logger scoped to this module; the debug line below runs once at load time.
const toolLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.exec.tool.ts');
toolLogger.debug('AWS SSO execution tool module initialized');
/**
 * Handler for the `exec` tool: tokenises the command, asks the controller to
 * run it for the given account/role/region and wraps the outcome as an MCP
 * text response. Any exception raised along the way is logged and converted
 * with formatErrorForMcpTool instead of propagating to the caller.
 *
 * @param args Tool arguments: accountId, roleName, region, command (string)
 * @param _extra Extra request handler information (not used by this handler)
 * @returns MCP response ({ content, metadata }) or the formatted error
 */
async function handleExec(args, _extra) {
    const log = logger_util_js_1.Logger.forContext('tools/aws.sso.exec.tool.ts', 'handleExec');
    // NOTE(review): the whole args object, raw command string included, goes to
    // the debug log. CLI arguments can carry secret values; confirm the logger
    // redacts them or that debug output is not retained or shipped.
    log.debug('Handling exec request', args);
    try {
        // Tokenise with the shared parser rather than a naive whitespace split.
        // NOTE(review): nothing in this handler checks that the first token is
        // "aws", although the tool description states that requirement. Confirm
        // parseCommand or the controller enforces it before anything is executed.
        const argv = (0, command_util_js_1.parseCommand)(args.command);
        const request = {
            accountId: args.accountId,
            roleName: args.roleName,
            region: args.region,
            command: argv,
        };
        const outcome = await aws_sso_exec_controller_js_1.default.executeCommand(request);
        // Wrap the controller output in the MCP tool-response shape.
        const textPart = {
            type: 'text',
            text: outcome.content,
        };
        return {
            content: [textPart],
            metadata: outcome.metadata,
        };
    }
    catch (err) {
        log.error('Exec failed', err);
        return (0, error_util_js_1.formatErrorForMcpTool)(err);
    }
}
/**
 * Registers the `exec` tool on the given MCP server, with its description,
 * the ExecToolArgs schema shape and handleExec as the handler.
 *
 * @param server MCP server instance
 */
function registerTools(server) {
    const log = logger_util_js_1.Logger.forContext('tools/aws.sso.exec.tool.ts', 'registerTools');
    log.debug('Registering AWS SSO exec tools');
    // Description shown to the MCP client. It is guidance for the caller only;
    // none of the rules it lists are enforced by the text itself.
    const description = `Execute AWS CLI commands using temporary credentials from AWS SSO. PURPOSE: Run AWS CLI commands with credentials automatically obtained from AWS SSO. WHEN TO USE: - After authenticating with AWS SSO via login - When you need to interact with AWS resources via the CLI - When you need temporary credentials for specific accounts and roles WHEN NOT TO USE: - Before authenticating with AWS SSO - For non-AWS commands NOTES: - Credentials are obtained just-in-time for the command execution - Commands are executed with proper AWS environment variables set - The command must start with "aws" to use the AWS CLI - Quotes within commands are handled properly RETURNS: Markdown output with command results, including stdout, stderr, and exit code EXAMPLES: - List S3 buckets: { accountId: "123456789012", roleName: "ReadOnlyAccess", command: "aws s3 ls" } - Describe EC2 instances in a region: { accountId: "123456789012", roleName: "PowerUserAccess", region: "us-west-2", command: "aws ec2 describe-instances" } - Complex command with quotes: { accountId: "123456789012", roleName: "ReadOnlyAccess", command: "aws ec2 describe-instances --filters \\"Name=instance-state-name,Values=running\\"" } ERRORS: - Authentication required: You must login first using login - Invalid credentials: The accountId/roleName combination is invalid or you lack permission - Command errors: The AWS CLI command itself may return errors`;
    server.tool('exec', description, aws_sso_types_js_1.ExecToolArgs.shape, handleExec);
    log.debug('AWS SSO exec tools registered');
}
// Default export: the registration entry point.
exports.default = { registerTools };