Add multi-account and static credential support to AWS MCP servers #10

Open: arikalon1 wants to merge 1 commit into master from claude/aws-auth-alternative-XdYiQ

@arikalon1
Contributor

Summary

This PR adds comprehensive multi-account and alternative authentication support to the AWS MCP servers. The main changes enable the AWS MCP server to work with multiple AWS accounts using three different authentication modes, and update documentation to reflect these capabilities across both single-account and multi-account deployments.

Key Changes

aws-multi-account Server Enhancements

  • Three authentication modes with auto-detection:

    • irsa: IRSA web identity token (default, EKS-recommended)
    • static: Central AWS credentials + AssumeRole across accounts
    • static_per_profile: Per-profile static credentials (no role assumption)
  • New aws_auth.py module that handles:

    • Auth mode detection from config file
    • Profile processing for all three authentication modes
    • Credential file generation with proper formatting (session tokens only when present)
    • Background refresh thread for temporary credentials (IRSA and static modes)
    • Skips refresh for static_per_profile mode (permanent credentials)
  • Updated wrapper.py to integrate the new authentication system

  • Comprehensive documentation covering:

    • Each authentication mode with example configs
    • Auth mode detection logic and priority
    • Kubernetes Secret setup for static credentials
    • IAM policy requirements for each mode
    • Troubleshooting guide for credential issues

Single-Account Server Updates

  • Updated README to mention AWS access key alternative to IRSA
  • Added documentation for using environment variables with boto3
  • Cross-referenced multi-account server for multi-account scenarios
  • Clarified security considerations for both IRSA and access key approaches

Implementation Details

  • Auth mode detection prioritizes: explicit auth_mode field → credentials section → per-profile access_key_id → default to IRSA
  • Credential refresh thread only starts for modes using temporary credentials (IRSA and static)
  • Static credentials written without session tokens; temporary credentials include session tokens
  • Per-profile region overrides supported in all authentication modes
  • Proper error handling with detailed logging for credential setup failures

https://claude.ai/code/session_014d9wty2DiYubNzBmP8cs4R

Support users who can't use IRSA by adding two new auth modes:
- static: Central access key/secret that assumes roles in target accounts
- static_per_profile: Separate access keys per profile (no role assumption)

IRSA remains the default and recommended option. Auth mode is auto-detected
from the config file structure or can be set explicitly via auth_mode field.

Also updated single-account README to document AWS access key authentication
as an alternative to IRSA.

https://claude.ai/code/session_014d9wty2DiYubNzBmP8cs4R
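
The detection priority and the "session tokens only when present" rule described in the PR, as an added sketch for reviewers; this is not the PR's aws_auth.py. The `profiles` key, the `secret_access_key` and `session_token` field names, the function names and the sample values are assumptions; only `auth_mode`, `credentials` and `access_key_id` come from the description.

```python
# Added illustration; NOT the PR's aws_auth.py. Config layout is assumed.
VALID_MODES = ("irsa", "static", "static_per_profile")
TEMPORARY_MODES = {"irsa", "static"}  # modes the PR says get a refresh thread

# Constructed sample config with placeholder values (not real credentials).
SAMPLE_CONFIG = {"profiles": {"dev": {"access_key_id": "AKIAEXAMPLEDEV",
                                      "secret_access_key": "example-secret"}}}


def detect_auth_mode(config: dict) -> str:
    """Priority from the PR text: auth_mode, credentials, per-profile key, irsa."""
    explicit = config.get("auth_mode")
    if explicit is not None:
        if explicit not in VALID_MODES:
            # Fail closed: a typo must not silently select a different mode.
            raise ValueError(f"unknown auth_mode: {explicit!r}")
        return explicit
    if config.get("credentials"):
        return "static"
    profiles = config.get("profiles") or {}
    if any(p.get("access_key_id") for p in profiles.values()):
        return "static_per_profile"
    return "irsa"


def needs_refresh(mode: str) -> bool:
    """Only modes that hold temporary credentials need the refresh thread."""
    return mode in TEMPORARY_MODES


def render_profile(name: str, creds: dict) -> str:
    """Render one INI section of an AWS shared credentials file."""
    for value in (name, *creds.values()):
        # Reject line breaks so a config value cannot inject keys or sections.
        if any(c in str(value) for c in "\r\n"):
            raise ValueError("line break in profile name or credential value")
    lines = [
        f"[{name}]",
        f"aws_access_key_id = {creds['access_key_id']}",
        f"aws_secret_access_key = {creds['secret_access_key']}",
    ]
    if creds.get("session_token"):  # only temporary credentials carry a token
        lines.append(f"aws_session_token = {creds['session_token']}")
    return "\n".join(lines) + "\n"
```

Rejecting an unrecognized explicit `auth_mode` instead of falling through to auto-detection keeps a misspelled mode from silently selecting long-lived static keys.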