@aashari/mcp-server-aws-sso
Node.js/TypeScript MCP server for AWS Single Sign-On (SSO). Enables AI systems (LLMs) with tools to initiate SSO login (device auth flow), list accounts/roles, and securely execute AWS CLI commands using temporary credentials. Streamlines AI interaction w
"use strict";
// CommonJS/ES-module interop helper. Reuses an existing `__importDefault` on
// `this` when one is present; otherwise wraps a non-ES module so that it can be
// read through a `default` property.
var __importDefault = (this && this.__importDefault) || function (mod) {
    const alreadyEsModule = mod && mod.__esModule;
    if (alreadyEsModule) {
        // Modules flagged with __esModule are returned as-is.
        return mod;
    }
    return { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
const logger_util_js_1 = require("../utils/logger.util.js");
const error_util_js_1 = require("../utils/error.util.js");
const aws_sso_types_js_1 = require("./aws.sso.types.js");
const aws_sso_exec_controller_js_1 = __importDefault(require("../controllers/aws.sso.exec.controller.js"));
// import { parseCommand } from '../utils/command.util.js'; // No longer needed
/**
* AWS SSO Execution Tool Module
*
* Provides MCP tools for executing AWS CLI commands with temporary credentials
* obtained through AWS SSO. These tools enable AI models to interact with AWS
* resources using secure, time-limited credentials.
*/
// Module-level logger, tagged with this file's source path
const toolLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.exec.tool.ts');
// Emit one debug line when the module is loaded
toolLogger.debug('AWS SSO execution tool module initialized');
/**
 * MCP handler for the `aws_sso_exec_command` tool.
 *
 * Forwards the tool arguments unchanged to the exec controller and wraps the
 * controller's `content` in a single MCP text item. Any error thrown along the
 * way is logged and converted with `formatErrorForMcpTool` instead of being
 * rethrown.
 *
 * NOTE(review): `args` is written to the debug log as-is, which includes the
 * full `command` string. That gives an execution trail, but a command line can
 * carry secret values; confirm where debug logs are stored and for how long,
 * or redact before logging.
 * NOTE(review): no validation happens in this function. It relies on the schema
 * registered with the tool and on the controller. TODO confirm how the
 * controller turns `command` into a process invocation.
 *
 * @param args Tool arguments with account info and command
 * @returns MCP response with command execution results
 */
async function handleExecCommand(args) {
    const log = logger_util_js_1.Logger.forContext('tools/aws.sso.exec.tool.ts', 'handleExecCommand');
    log.debug('Handling exec command request', args);
    try {
        // The controller receives the arguments exactly as the tool got them.
        const execution = await aws_sso_exec_controller_js_1.default.executeCommand(args);
        // Only the text content is returned; no metadata is attached.
        const textItem = { type: 'text', text: execution.content };
        return { content: [textItem] };
    }
    catch (failure) {
        log.error('Exec failed', failure);
        return (0, error_util_js_1.formatErrorForMcpTool)(failure);
    }
}
/**
 * Registers the `aws_sso_exec_command` tool on the given MCP server.
 *
 * `server.tool` receives the tool name, the description text, the argument
 * schema taken from `ExecCommandToolArgs.shape`, and `handleExecCommand` as
 * the handler.
 *
 * NOTE(review): the description is guidance for the caller only. Nothing in
 * this function restricts which AWS CLI commands, accounts or roles may be
 * requested. Any such restriction would have to live in the schema or the
 * controller, neither of which is visible here. Confirm this before exposing
 * the tool to a model that also processes untrusted content, and prefer
 * least-privilege roles for it.
 *
 * @param server MCP server instance
 */
function registerTools(server) {
    const log = logger_util_js_1.Logger.forContext('tools/aws.sso.exec.tool.ts', 'registerTools');
    log.debug('Registering AWS SSO exec tools');
    const toolName = 'aws_sso_exec_command';
    // Kept as one template literal so the text is passed on unchanged.
    const toolDescription = `Executes an AWS CLI command using temporary credentials obtained through AWS SSO. This tool enables you to run AWS CLI commands without manually configuring credentials.
How it works:
1. Verifies you have a valid AWS SSO authentication token
2. Obtains temporary credentials for the specified account and role
3. Sets up the environment with those credentials
4. Executes the AWS CLI command you specified
5. Caches credentials for the account/role combination for future use (typically valid for 1 hour)
Critical prerequisites:
- You MUST first authenticate using \`aws_sso_login\` to obtain a valid token
- AWS CLI MUST be installed on the system where the MCP server is running
- AWS SSO must be configured with a start URL and region
- You must have permissions to assume the specified role in the specified account
Required parameters:
- \`accountId\`: The 12-digit AWS account ID (get from \`aws_sso_ls_accounts\`)
- \`roleName\`: The IAM role name to assume (get from \`aws_sso_ls_accounts\`)
- \`command\`: The full AWS CLI command to execute (e.g., "aws s3 ls")
Optional parameters:
- \`region\`: AWS region to use for the command (defaults to configured region)
For complex commands with quoting, ensure proper escaping (e.g., "aws ec2 describe-instances --filters 'Name=tag:Name,Values=MyInstance'").
Returns comprehensive Markdown output that includes:
- Execution context (account, role, region)
- Command output (stdout)
- Error messages if any (stderr)
- Exit code (0 for success, non-zero for failure)
- Suggested alternative roles if permission errors occur`;
    server.tool(toolName, toolDescription, aws_sso_types_js_1.ExecCommandToolArgs.shape, handleExecCommand);
    log.debug('AWS SSO exec tools registered');
}
// Default export: an object exposing registerTools
exports.default = { registerTools };