feat(mcpsecret): add robust AWS STS credentials handling (GetSessionToken + AssumeRole) for MCP #379

Open
Pnkcaht wants to merge 1 commit into docker:main from Pnkcaht:feat/aws-sts-secrets


Conversation

Pnkcaht (Contributor) commented Feb 3, 2026

What I did

  • Added pkg/mcp/mcpsecret/ package to handle temporary AWS STS credentials.
  • Implemented:
    • AWSManager struct to manage generation and storage of credentials.
    • SaveTemporaryCredentials with support for GetSessionToken and AssumeRole.
    • LoadCredentials to retrieve and validate credentials from MCP credstore.
    • DescribeSecret to show human-readable summary without exposing secrets.
    • maskString helper to partially hide AccessKeyId.
  • Added retries on STS API calls and MCP write operations.
  • Ensured context cancellation is respected throughout.
  • Input sanitization for serverName and validation for durationSeconds (900–129600s).

Related Issue

Before / After

Before

No STS credential management in MCP gateway. Only manual secrets or older ad-hoc implementations.

After

Automatic STS credential management with:

  • JSON encoding of credentials
  • MCP credstore integration
  • Role-based or user-based STS retrieval
  • Retry logic and expiration validation

Diagram (Mermaid)

flowchart TD
    A[Request STS Credentials] --> B{roleARN provided?}
    B -- Yes --> C[AssumeRole via STS]
    B -- No --> D[GetSessionToken via STS]
    C --> E[Validate Credentials]
    D --> E[Validate Credentials]
    E --> F[Marshal as JSON]
    F --> G[Store in MCP credstore]
    G --> H[Success / Return]
    H --> I[Optional: LoadCredentials / DescribeSecret]

Directory Tree (new package)

graph TD
    A[pkg/mcp] --> B[mcpsecret]
    B --> C[aws_manager.go]
    B --> D[helpers.go]:::future
    B --> E[aws_manager_test.go]:::future

    classDef future fill:#f9f,stroke:#333,stroke-dasharray: 5 5;
  • aws_manager.go contains all the structs and methods (AWSManager, AWSCredentials, SaveTemporaryCredentials, LoadCredentials, DescribeSecret, maskString).

Security Considerations

  • Secret values (AccessKeyId, SecretAccessKey, SessionToken) are never printed or logged.
  • DescribeSecret only exposes a masked AccessKeyId and expiration info.
  • Credentials are validated for completeness and expiration before use.

Validation / Sanitization

  • serverName is sanitized to produce a valid MCP secret key (replaces /, \, :, *, ., space with _).
  • durationSeconds defaults to 3600s if <= 0, and must be within STS limits (900–129600 seconds).

Future Work / TODOs

  • Add unit tests in aws_manager_test.go.
  • Move reusable helpers to helpers.go if needed.
  • Potentially add metrics / logging hooks for STS requests and MCP writes.

Signed-off-by: pnkcaht <samzoovsk19@gmail.com>
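
An added example, not code from this pull request: a Go implementation of the validation rules listed in the description (serverName sanitization, the durationSeconds default and range, AccessKeyId masking). It goes beyond the description with a collision check, because the sanitization rule maps distinct server names such as team/db.prod and team_db_prod to the same secret key. All identifiers and the four-character mask format are assumptions, and the sample names and key ID are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// SanitizeServerName replaces / \ : * . and space with _ (rule from the PR text).
func SanitizeServerName(name string) string {
	return strings.NewReplacer("/", "_", `\`, "_", ":", "_", "*", "_", ".", "_", " ", "_").Replace(name)
}

// KeyIndex maps each sanitized key to the server name that owns it.
type KeyIndex map[string]string

// Claim rejects a name whose key already belongs to a different server name.
func (k KeyIndex) Claim(name string) (string, error) {
	key := SanitizeServerName(name)
	if owner, ok := k[key]; ok && owner != name {
		return "", fmt.Errorf("key %q already claimed by %q", key, owner)
	}
	k[key] = name
	return key, nil
}

// NormalizeDuration defaults to 3600s when d <= 0 and enforces 900..129600.
func NormalizeDuration(d int32) (int32, error) {
	if d <= 0 {
		return 3600, nil
	}
	if d < 900 || d > 129600 {
		return 0, fmt.Errorf("durationSeconds %d outside 900-129600", d)
	}
	return d, nil
}

// MaskAccessKeyID keeps the first and last four characters (assumed format).
func MaskAccessKeyID(id string) string {
	if len(id) <= 8 {
		return strings.Repeat("*", len(id))
	}
	return id[:4] + strings.Repeat("*", len(id)-8) + id[len(id)-4:]
}

func main() {
	idx := KeyIndex{}
	fmt.Println(idx.Claim("team/db.prod")) // constructed names
	fmt.Println(idx.Claim("team_db_prod")) // same key, rejected
	fmt.Println(MaskAccessKeyID("ASIAEXAMPLEKEY000001"))
}
```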
Development

Successfully merging this pull request may close these issues.

Equivalent of Docker Engine API for ~/.docker/cli-plugins/docker-mcp plugin?
