
@aashari/mcp-server-aws-sso


Node.js/TypeScript MCP server for AWS Single Sign-On (SSO). Enables AI systems (LLMs) with tools to initiate SSO login (device auth flow), list accounts/roles, and securely execute AWS CLI commands using temporary credentials. Streamlines AI interaction w

"use strict";
// CommonJS interop shim (compiler-emitted): a module that is not an ES module
// is wrapped so that `.default` resolves to the module object itself.
const __importDefault = (this && this.__importDefault) || function (mod) {
    if (mod && mod.__esModule) {
        return mod;
    }
    return { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
const loggerUtil = require("../utils/logger.util.js");
const errorUtil = require("../utils/error.util.js");
const ssoTypes = require("./aws.sso.types.js");
const ec2Controller = __importDefault(require("../controllers/aws.sso.ec2.controller.js"));
/**
 * AWS SSO EC2 Execution Tool Module
 *
 * Registers the MCP tool that runs a shell command on an EC2 instance via
 * SSM, using temporary credentials obtained through AWS SSO. The actual
 * credential handling and SSM calls live in the EC2 controller; this module
 * only adapts the MCP tool contract (arguments in, text content out).
 */
// Logger context shared by every logger created in this module.
const TOOL_CONTEXT = 'tools/aws.sso.ec2.tool.ts';
const moduleLogger = loggerUtil.Logger.forContext(TOOL_CONTEXT);
moduleLogger.debug('AWS SSO EC2 execution tool module initialized');
/**
 * Wraps plain text in the MCP tool-response envelope (no metadata attached).
 * @param text Text to return to the caller
 * @returns MCP response with a single text content item
 */
const asTextResponse = (text) => ({
    content: [
        {
            type: 'text',
            text,
        },
    ],
});
/**
 * Handles the AWS SSO EC2 exec tool.
 * Forwards the tool arguments unchanged to the EC2 controller and returns the
 * controller's text content in MCP format.
 *
 * No argument validation happens here; the argument schema
 * (`Ec2ExecCommandToolArgs.shape`) is handed to the MCP server at
 * registration, and whether the server enforces it before calling this
 * handler is not visible in this module.
 *
 * @param args Tool arguments with instance info and command
 * @param _extra Extra MCP call context (unused)
 * @returns MCP response with command execution results, or the formatted
 *   error response when the controller throws
 */
async function handleEc2ExecCommand(args, _extra) {
    const log = loggerUtil.Logger.forContext(TOOL_CONTEXT, 'handleEc2ExecCommand');
    // NOTE(review): `args` is logged verbatim, so the full `command` text and
    // the account/role identifiers end up in debug-level log output.
    log.debug('Handling EC2 exec command request', args);
    try {
        // The controller owns credential lookup and the SSM call; only its
        // `content` field is surfaced to the MCP client.
        const { content } = await ec2Controller.default.executeEc2Command(args);
        return asTextResponse(content);
    }
    catch (error) {
        log.error('EC2 exec failed', error);
        // Called without a receiver, matching the original `(0, fn)(error)` form.
        const { formatErrorForMcpTool } = errorUtil;
        return formatErrorForMcpTool(error);
    }
}
/**
 * Register AWS SSO EC2 exec tools with the MCP server.
 * The description string below is the contract the calling model sees; the
 * prerequisites and parameters it lists are documentation only and are not
 * enforced in this module.
 * @param server MCP server instance
 */
function registerTools(server) {
    const log = loggerUtil.Logger.forContext(TOOL_CONTEXT, 'registerTools');
    log.debug('Registering AWS SSO EC2 exec tools');
    const ec2ExecDescription = `Executes a shell command on an EC2 instance via AWS Systems Manager (SSM) using temporary credentials obtained through AWS SSO. This tool enables running commands on EC2 instances without requiring SSH access or opening inbound ports. How it works: 1. Verifies you have a valid AWS SSO authentication token 2. Obtains temporary credentials for the specified account and role 3. Sends the command to the EC2 instance via SSM's RunShellScript document 4. Polls for command completion (up to 20 seconds) 5. Returns the command output and execution status Critical prerequisites: - You MUST first authenticate using \`aws_sso_login\` to obtain a valid token - The EC2 instance MUST have the SSM Agent installed and running - The instance MUST have an IAM role with the AmazonSSMManagedInstanceCore policy - Your AWS role MUST have permissions for \`ssm:SendCommand\` and \`ssm:GetCommandInvocation\` - AWS SSO must be configured with a start URL and region Required parameters: - \`instanceId\`: The EC2 instance ID (e.g., "i-1234567890abcdef0") - \`accountId\`: The 12-digit AWS account ID (get from \`aws_sso_ls_accounts\`) - \`roleName\`: The IAM role name to assume (get from \`aws_sso_ls_accounts\`) - \`command\`: The shell command to execute (e.g., "ls -l", "whoami", "df -h") Optional parameters: - \`region\`: AWS region where the EC2 instance is located (defaults to configured region) For complex commands with quoting, ensure proper escaping. 
Returns comprehensive Markdown output that includes: - Execution context (instance ID, account, role, region) - Command that was executed - Command output - Error messages if any - Troubleshooting guidance if SSM connection fails - Suggested alternative roles if permission errors occur`;
    // Register the AWS SSO EC2 exec command tool with its argument schema.
    server.tool('aws_sso_ec2_exec_command', ec2ExecDescription, ssoTypes.Ec2ExecCommandToolArgs.shape, handleEc2ExecCommand);
    log.debug('AWS SSO EC2 exec tools registered');
}
// Export the register function
exports.default = { registerTools };