@aashari/mcp-server-aws-sso
Node.js/TypeScript MCP server for AWS Single Sign-On (SSO). Enables AI systems (LLMs) with tools to initiate SSO login (device auth flow), list accounts/roles, and securely execute AWS CLI commands using temporary credentials. Streamlines AI interaction w
;
/**
 * CommonJS interop shim for default imports.
 *
 * A value that already carries the `__esModule` marker is returned untouched;
 * anything else (including `null`/`undefined`) is wrapped so it is reachable
 * as `.default`. If the enclosing scope's `this` already provides a shim of
 * the same name, that one is reused instead of defining a new function.
 *
 * @param {*} mod - Whatever `require()` returned.
 * @returns {object} `mod` itself when it is an ES-module namespace, otherwise `{ default: mod }`.
 */
var __importDefault = (this && this.__importDefault) || function (mod) {
  const isEsModuleNamespace = Boolean(mod) && mod.__esModule;
  if (isEsModuleNamespace) {
    return mod;
  }
  return { default: mod };
};
// Mark this compiled module as an ES-module namespace so that interop shims
// such as __importDefault (which test `mod.__esModule`) return it directly
// instead of wrapping it in { default: ... }.
Object.defineProperty(exports, "__esModule", { value: true });
const logger_util_js_1 = require("../utils/logger.util.js");
const error_util_js_1 = require("../utils/error.util.js");
const aws_sso_types_js_1 = require("./aws.sso.types.js");
const aws_sso_auth_controller_js_1 = __importDefault(require("../controllers/aws.sso.auth.controller.js"));
/**
* AWS SSO Authentication Tool Module
*
* Provides MCP tools for authenticating with AWS SSO and managing authentication state.
* These tools enable AI models to initiate the login flow and verify authentication status.
*/
// Module-scoped logger; every per-handler logger below uses the same file context string.
const { Logger } = logger_util_js_1;
const toolLogger = Logger.forContext('tools/aws.sso.auth.tool.ts');
// One debug entry at require() time so module load order shows up in traces.
toolLogger.debug('AWS SSO authentication tool module initialized');
/**
* Handles the AWS SSO login tool
* @param args Tool arguments
* @returns MCP response with login information
*/
/**
 * MCP handler for the `aws_sso_login` tool.
 *
 * Forwards `args` unchanged to the auth controller's `startLogin` (defaults are
 * the controller's responsibility, not this layer's) and wraps the returned
 * Markdown in a single MCP text content item. Note that the raw `args` are
 * written to the debug log. Any failure — including a malformed controller
 * response — is logged and converted with `formatErrorForMcpTool`, so this
 * function resolves rather than rejects.
 *
 * @param args Tool arguments as received from the MCP server.
 * @returns MCP response `{ content: [{ type: 'text', text }] }` on success,
 *   otherwise the formatted error response.
 */
async function handleLogin(args) {
  const loginLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.auth.tool.ts', 'handleLogin');
  loginLogger.debug('Handling login request', args);
  try {
    const response = await aws_sso_auth_controller_js_1.default.startLogin(args);
    const text = response.content;
    loginLogger.debug('Login process completed', { responseLength: text.length });
    // Single text item; no metadata is attached to the response.
    return { content: [{ type: 'text', text }] };
  } catch (error) {
    // Full error object goes to the log; the caller only sees the formatted version.
    loginLogger.error('AWS SSO login failed', error);
    const { formatErrorForMcpTool } = error_util_js_1;
    return formatErrorForMcpTool(error);
  }
}
/**
* Handles the AWS SSO status tool
* @returns MCP response with authentication status
*/
/**
 * MCP handler for the `aws_sso_status` tool.
 *
 * Asks the auth controller for the current authentication status via
 * `getAuthStatus` and returns its Markdown as one MCP text content item.
 * Takes no arguments. Errors are logged and converted with
 * `formatErrorForMcpTool`, so this function resolves rather than rejects.
 *
 * @returns MCP response `{ content: [{ type: 'text', text }] }` on success,
 *   otherwise the formatted error response.
 */
async function handleStatus() {
  const statusLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.auth.tool.ts', 'handleStatus');
  statusLogger.debug('Handling status check request');
  try {
    const response = await aws_sso_auth_controller_js_1.default.getAuthStatus();
    const text = response.content;
    // Single text item; no metadata is attached to the response.
    return { content: [{ type: 'text', text }] };
  } catch (error) {
    statusLogger.error('Status check failed', error);
    const { formatErrorForMcpTool } = error_util_js_1;
    return formatErrorForMcpTool(error);
  }
}
/**
* Register AWS SSO auth tools with the MCP server
* @param server MCP server instance
*/
/**
 * Registers the AWS SSO auth tools (`aws_sso_login`, `aws_sso_status`) on the MCP server.
 *
 * Each registration passes the tool name, the user-facing description shown to
 * the model, the `.shape` of the argument schema from aws.sso.types, and the
 * handler defined above. The descriptions are kept as local constants so the
 * two `server.tool` calls read as a plain table of name → handler.
 *
 * @param server MCP server instance exposing `tool(name, description, argsShape, handler)`.
 */
function registerTools(server) {
  const registerLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.auth.tool.ts', 'registerTools');
  registerLogger.debug('Registering AWS SSO auth tools');

  // Description text is part of the tool contract exposed to the model; it is
  // reproduced verbatim here (including the escaped backticks).
  const loginDescription = `Initiates the AWS SSO device authorization flow to obtain temporary credentials. This flow works as follows:
1. The tool generates a unique user verification code and authentication URL
2. A browser is opened to the AWS SSO login page (if \`launchBrowser: true\`)
3. You enter the verification code in the browser and complete the AWS SSO login
4. The tool receives and caches the token, valid for typically 8-12 hours
5. The cached token is then used by other AWS SSO tools without requiring repeated login
Browser launch behavior can be controlled with \`launchBrowser\` (default: true). When set to false, you must manually open the URL and enter the code.
Automatic polling for completion can be controlled with \`autoPoll\` (default: true). When set to false, the tool returns immediately after starting the flow, and you must use \`aws_sso_status\` to check completion.
Prerequisites:
- AWS SSO must be configured with a start URL and region (via AWS config file or environment variables)
- Browser access is required to complete the authentication flow
- You must have an AWS SSO account with appropriate permissions
Returns Markdown containing:
- Authentication status (already logged in, authentication started, or success)
- Session details (expiration time and duration if authenticated)
- Verification code and URL (if authentication is started)
- Browser launch status (if authentication is started)
- Next steps and usage guidance`;

  const statusDescription = `Checks the current AWS SSO authentication status by verifying if a valid cached token exists and its expiration time.
This tool does NOT perform authentication itself - it only checks if you're already authenticated. If no valid token exists, it will instruct you to run \`aws_sso_login\`.
A valid cached token is required for all other AWS SSO commands to work. Use this tool to verify authentication status before using commands like \`aws_sso_ls_accounts\` or \`aws_sso_exec_command\`.
The tool checks:
- If a token exists in the cache
- If the token is still valid (not expired)
- When the token will expire (if valid)
Prerequisites:
- AWS SSO must be configured with a start URL and region (via AWS config file or environment variables)
Returns Markdown containing:
- Authentication status (authenticated or not)
- Session details (expiration time and duration if authenticated)
- Instructions for next steps based on the status`;

  // Login tool: starts the device authorization flow.
  server.tool(
    'aws_sso_login',
    loginDescription,
    aws_sso_types_js_1.LoginToolArgsSchema.shape,
    handleLogin,
  );

  // Status tool: read-only check of the cached token; never authenticates.
  server.tool(
    'aws_sso_status',
    statusDescription,
    aws_sso_types_js_1.StatusToolArgsSchema.shape,
    handleStatus,
  );

  registerLogger.debug('AWS SSO auth tools registered');
}
// Export the register function
// Default export (compiled form of `export default { registerTools }`). Only the
// registration entry point is exposed; handleLogin/handleStatus stay module-private
// and are reachable solely through the tools registered on the server.
exports.default = { registerTools };