Node.js/TypeScript MCP server for AWS Single Sign-On (SSO). Enables AI systems (LLMs) with tools to initiate SSO login (device auth flow), list accounts/roles, and securely execute AWS CLI commands using temporary credentials. Streamlines AI interaction w
"use strict";
/**
 * CommonJS interop shim (emitted by the TypeScript compiler).
 * Wraps a non-ES module in `{ default: mod }` so `.default` access works
 * uniformly; an `__esModule`-flagged module is returned untouched.
 * Reuses an existing `this.__importDefault` when one is already defined.
 * @param {*} mod - The value returned by `require()`
 * @returns {object} The module itself, or `{ default: mod }`
 */
var __importDefault = (this && this.__importDefault) || function (mod) {
  if (mod && mod.__esModule) {
    return mod;
  }
  return { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
const logger_util_js_1 = require("../utils/logger.util.js");
const error_util_js_1 = require("../utils/error.util.js");
const aws_sso_types_js_1 = require("./aws.sso.types.js");
const aws_sso_auth_controller_js_1 = __importDefault(require("../controllers/aws.sso.auth.controller.js"));
/**
* AWS SSO Authentication Tool Module
*
* Provides MCP tools for authenticating with AWS SSO and managing authentication state.
* These tools enable AI models to initiate the login flow and verify authentication status.
*/
// Module-scoped logger; the context string names the original TypeScript source file.
const MODULE_LOG_CONTEXT = 'tools/aws.sso.auth.tool.ts';
const toolLogger = logger_util_js_1.Logger.forContext(MODULE_LOG_CONTEXT);
// Emitted once at require() time so module load order is visible in debug output.
toolLogger.debug('AWS SSO authentication tool module initialized');
/**
* Handles the AWS SSO login tool
* @param args Tool arguments
* @returns MCP response with login information
*/
/**
 * Handles the `aws_sso_login` MCP tool.
 *
 * Delegates entirely to the auth controller's `startLogin` (no defaults are
 * applied here) and wraps its Markdown `content` in an MCP text response.
 * Any thrown error — including a malformed controller response — is logged
 * and converted with `formatErrorForMcpTool` rather than propagated.
 *
 * @param {object} args - Tool arguments as validated by `LoginToolArgsSchema`;
 *   logged verbatim at debug level, so they are assumed to contain no secrets.
 * @param {object} _extra - Extra MCP request context (unused)
 * @returns {Promise<object>} MCP response with login information, or a formatted error response
 */
async function handleLogin(args, _extra) {
  const loginLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.auth.tool.ts', 'handleLogin');
  loginLogger.debug('Handling login request', args);
  // Shapes a Markdown string as a single MCP text content item.
  const asMcpText = (text) => ({
    content: [
      {
        type: 'text',
        text,
      },
    ],
  });
  try {
    // The controller owns all defaults (e.g. browser launch behaviour); args pass through untouched.
    const response = await aws_sso_auth_controller_js_1.default.startLogin(args);
    loginLogger.debug('Login process completed', {
      responseLength: response.content.length,
    });
    return asMcpText(response.content);
  } catch (error) {
    // Full error details go to the log; the MCP client only sees the formatted version.
    loginLogger.error('AWS SSO login failed', error);
    return (0, error_util_js_1.formatErrorForMcpTool)(error);
  }
}
/**
* Handles the AWS SSO status tool
* @returns MCP response with authentication status
*/
/**
 * Handles the `aws_sso_status` MCP tool.
 *
 * Asks the auth controller for the current authentication status and returns
 * its Markdown `content` as an MCP text response with no extra metadata.
 * Errors are logged and converted with `formatErrorForMcpTool`.
 *
 * @param {object} _args - Tool arguments (unused; the status check takes no input)
 * @param {object} _extra - Extra MCP request context (unused)
 * @returns {Promise<object>} MCP response with authentication status, or a formatted error response
 */
async function handleStatus(_args, _extra) {
  const statusLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.auth.tool.ts', 'handleStatus');
  statusLogger.debug('Handling status check request');
  let result;
  try {
    const response = await aws_sso_auth_controller_js_1.default.getAuthStatus();
    result = {
      content: [
        {
          type: 'text',
          text: response.content,
        },
      ],
    };
  } catch (error) {
    statusLogger.error('Status check failed', error);
    result = (0, error_util_js_1.formatErrorForMcpTool)(error);
  }
  return result;
}
/**
* Register AWS SSO auth tools with the MCP server
* @param server MCP server instance
*/
/**
 * Registers the AWS SSO auth tools (`aws_sso_login`, `aws_sso_status`) with the MCP server.
 *
 * The description strings are shown to the model verbatim and double as the
 * tool contract, so they are kept as named locals rather than inlined in the
 * registration calls. Argument shapes come from the zod schemas in
 * `aws.sso.types.js`.
 *
 * @param {object} server - MCP server instance exposing `tool(name, description, shape, handler)`
 */
function registerTools(server) {
  const registerLogger = logger_util_js_1.Logger.forContext('tools/aws.sso.auth.tool.ts', 'registerTools');
  registerLogger.debug('Registering AWS SSO auth tools');
  // Template literal bodies must stay at column 0: leading whitespace would become part of the string.
  const loginDescription = `Initiates the AWS SSO device authorization flow to obtain temporary credentials. This flow works as follows:
1. The tool generates a unique user verification code and authentication URL
2. A browser is opened to the AWS SSO login page (if \`launchBrowser: true\`)
3. You enter the verification code in the browser and complete the AWS SSO login
4. Background polling automatically collects and caches the token when authentication completes
5. The cached token is then used by other AWS SSO tools without requiring repeated login
**IMPORTANT FOR AI ASSISTANTS**: The tool output includes specific guidance for AI models. When the tool returns authentication instructions:
- ALWAYS check if a browser window opened automatically by asking the user
- If browser opened: Guide the user to complete authentication in that window
- If no browser opened: Instruct the user to manually open the provided URL and enter the verification code
- Always provide both the verification code and URL as backup information
- The tool response includes an "Important for AI Assistants" section with specific guidance
Browser launch behavior can be controlled with \`launchBrowser\` (default: true). When set to false, you must manually open the URL and enter the code.
The tool now always uses background polling to collect credentials automatically once you complete authentication in the browser. This prevents HTTP request timeouts while ensuring credentials are captured.
Prerequisites:
- AWS SSO must be configured with a start URL and region (via AWS config file or environment variables)
- Browser access is required to complete the authentication flow
- You must have an AWS SSO account with appropriate permissions
Returns Markdown containing:
- Authentication status (already logged in or authentication started)
- Session details (expiration time and duration if authenticated)
- Verification code and URL (if authentication is started)
- Browser launch status (if authentication is started)
- AI-specific guidance for handling browser scenarios
- Background polling status and next steps`;
  const statusDescription = `Checks the current AWS SSO authentication status by verifying if a valid cached token exists and its expiration time.
This tool does NOT perform authentication itself - it only checks if you're already authenticated. If no valid token exists, it will instruct you to run \`aws_sso_login\`.
A valid cached token is required for all other AWS SSO commands to work. Use this tool to verify authentication status before using commands like \`aws_sso_ls_accounts\` or \`aws_sso_exec_command\`.
The tool checks:
- If a token exists in the cache
- If the token is still valid (not expired)
- When the token will expire (if valid)
Prerequisites:
- AWS SSO must be configured with a start URL and region (via AWS config file or environment variables)
Returns Markdown containing:
- Authentication status (authenticated or not)
- Session details (expiration time and duration if authenticated)
- Instructions for next steps based on the status`;
  // Login tool: starts the device authorization flow.
  server.tool('aws_sso_login', loginDescription, aws_sso_types_js_1.LoginToolArgsSchema.shape, handleLogin);
  // Status tool: read-only check of the cached token; never triggers a login.
  server.tool('aws_sso_status', statusDescription, aws_sso_types_js_1.StatusToolArgsSchema.shape, handleStatus);
  registerLogger.debug('AWS SSO auth tools registered');
}
// Default export: the registration entry point consumed by the server bootstrap.
// Handlers are not exported individually; they are only reachable through `registerTools`.
const authToolModule = { registerTools };
exports.default = authToolModule;