The `awsSts` ExternalAuthType was defined in the CRD with a full `AWSStsConfig` struct but had no implementation in the vMCP layer, causing `DiscoverAndResolveAuth` to fail with "unsupported auth type: awsSts" for any `MCPServerEntry` using AWS STS authentication.

Changes:
- Add `AwsStsConverter` to the converter registry so CRD configs are translated to `BackendAuthStrategy` at session discovery time
- Add `AwsStsConfig` and `RoleMapping` to `pkg/vmcp/auth/types` and regenerate `zz_generated.deepcopy.go` for correct deep copy behavior
- Add `AwsStsStrategy` to `pkg/vmcp/auth/strategies` with a per-config cache (map + `sync.RWMutex`, double-checked locking) keyed by SHA-256 over all config fields; mirrors `TokenExchangeStrategy` lifecycle
- Register `AwsStsStrategy` in `NewOutgoingAuthRegistry`
- Add `aws_sts` to `validateBackendAuthStrategy` allowlist and `processBackendAuthStrategy` in `yaml_loader`
- Export `ExtractSessionName` from `pkg/auth/awssts` and remove the duplicate copy in the strategy
- Document new types in `crd-api.md`

Closes #5018

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Large PR Detected
This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.
How to unblock this PR:
Add a section to your PR description with the following format:
## Large PR Justification
[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:
Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.
See our Contributing Guidelines for more details.
This review will be automatically dismissed once you add the justification section.
Codecov Report

❌ Patch coverage is

Additional details and impacted files (Coverage Diff, `main` vs. #5019):

| | main | #5019 | +/- |
|---|---|---|---|
| Coverage | 69.02% | 68.95% | -0.08% |
| Files | 554 | 556 | +2 |
| Lines | 73075 | 73305 | +230 |
| Hits | 50443 | 50548 | +105 |
| Misses | 19620 | 19736 | +116 |
| Partials | 3012 | 3021 | +9 |

☔ View full report in Codecov by Sentry.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary

`MCPServerEntry` resources using `type: awsSts` failed to deploy through vMCP with "unsupported auth type: awsSts" because the vMCP auth converter registry had no converter registered for this type, even though `AWSStsConfig` was fully specified in the CRD. This PR closes that gap by implementing the full vMCP-side AWS STS auth path: a converter, an outgoing auth strategy, and the plumbing to wire them into the existing registry and factory.

- `AwsStsConverter` in `pkg/vmcp/auth/converters/` maps CRD `AWSStsConfig` fields to the internal `AwsStsConfig` type and is registered in `NewRegistry()`. `ResolveSecrets` is a no-op because AWS STS credentials are obtained at runtime via IRSA or the pod's instance profile.
- `AwsStsStrategy` in `pkg/vmcp/auth/strategies/` handles outgoing request authentication: it extracts the bearer token, selects the IAM role via CEL-based claim matching, calls `AssumeRoleWithWebIdentity`, and signs the request with SigV4. A per-config cache (keyed by SHA-256 over all config fields) avoids redundant STS client construction across requests.
- `pkg/auth/awssts.RequestSigner` is exported (previously unexported) so the vMCP strategy can sign requests outside the HTTP middleware flow.
- `pkg/vmcp/config/validator.go` and the YAML loader now explicitly handle `aws_sts`, and `pkg/vmcp/auth/types/types.go` gains the `AwsStsConfig` and `RoleMapping` types with deep-copy generated code.

Closes #5018

## Type of change

## Test plan

- `task test`
- `task lint-fix`

Unit tests cover:

- `AwsStsConverter`: nil config, valid conversion with and without role mappings, `ResolveSecrets` no-op behavior.
- `AwsStsStrategy`: `Validate` (missing config, missing region, valid), `Authenticate` (health check skip, nil config, missing identity, missing claims, full success path), and cache key stability across concurrent callers.
- `registry_test.go`: verifies `awsSts` is now a registered converter type.

## API Compatibility

- `v1beta1` API, OR the `api-break-allowed` label is applied and the migration guidance is described above.

## Changes

| File | Change |
|---|---|
| `pkg/vmcp/auth/converters/aws_sts.go` | `AwsStsConverter`: maps CRD `AWSStsConfig` to `BackendAuthStrategy` |
| `pkg/vmcp/auth/converters/aws_sts_test.go` | `AwsStsConverter` |
| `pkg/vmcp/auth/converters/interface.go` | `AwsStsConverter` in `NewRegistry()` |
| `pkg/vmcp/auth/converters/registry_test.go` | `awsSts` converter is registered |
| `pkg/vmcp/auth/strategies/aws_sts.go` | `AwsStsStrategy`: STS token exchange and SigV4 signing |
| `pkg/vmcp/auth/strategies/aws_sts_test.go` | `AwsStsStrategy` |
| `pkg/vmcp/auth/factory/outgoing.go` | `AwsStsStrategy` in `NewOutgoingAuthRegistry()` |
| `pkg/vmcp/auth/types/types.go` | `AwsStsConfig`, `RoleMapping` types and `StrategyTypeAwsSts` constant |
| `pkg/vmcp/auth/types/zz_generated.deepcopy.go` | |
| `pkg/vmcp/config/validator.go` | `aws_sts` strategy fields (region required) |
| `pkg/vmcp/config/yaml_loader.go` | `aws_sts` in `processBackendAuthStrategy` |
| `pkg/auth/awssts/signer.go` | `RequestSigner` and add `NewRequestSigner` constructor |
| `pkg/auth/awssts/middleware.go` | `newRequestSigner` call sites for exported type |
| `pkg/auth/awssts/middleware_test.go` | |
| `docs/operator/crd-api.md` | |

## Does this introduce a user-facing change?

Yes.

`MCPServerEntry` resources with `type: awsSts` in their `MCPExternalAuthConfig` can now be deployed through vMCP. Previously they failed immediately at startup with an "unsupported auth type" error.

## Special notes for reviewers

The `AwsStsStrategy` maintains a per-config cache of `roleMapper` and `exchanger` instances using double-checked locking. The cache key is a SHA-256 hash over all config fields (region, service, fallback ARN, role mappings sorted by ARN, role claim, session name claim) to avoid structural ambiguity from colons in ARN strings. The cache exists to avoid rebuilding the AWS SDK STS client on every request; the SDK performs TLS handshake and credential chain resolution on construction, which are non-trivial.

The `RequestSigner` type in `pkg/auth/awssts` is exported to allow `AwsStsStrategy` to sign requests directly rather than going through the HTTP middleware. The `newRequestSigner` internal constructor is retained so the middleware can continue using `withService` options without exposing those option types.

Generated with Claude Code
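An added illustration of the cache-key concern raised in the reviewer notes above; this is example code, not code from the PR or the project. It shows why a ':'-joined key is unsafe when ARNs themselves contain colons (two different configs would share one cached STS client and role mapper) and how length-prefixing every field before the SHA-256 removes the ambiguity. The type shapes, field names and sample ARNs are assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Simplified stand-ins for the strategy's config types (assumed shapes, not the project's own).
type RoleMapping struct{ RoleARN, Claim string }
type AwsStsConfig struct {
	Region, Service, FallbackRoleARN, RoleClaim, SessionNameClaim string
	RoleMappings                                                  []RoleMapping
}

// fields lists the scalar fields, then the role mappings sorted by ARN so that the
// same set of mappings in a different order yields the same key.
func fields(c AwsStsConfig) []string {
	ms := append([]RoleMapping(nil), c.RoleMappings...)
	sort.Slice(ms, func(i, j int) bool { return ms[i].RoleARN < ms[j].RoleARN })
	out := []string{c.Region, c.Service, c.FallbackRoleARN, c.RoleClaim, c.SessionNameClaim}
	for _, m := range ms {
		out = append(out, m.RoleARN, m.Claim)
	}
	return out
}
// NaiveKey joins fields with ':'. ARNs contain colons, so two different configs can
// yield the same string and wrongly share one cached STS client and role mapper.
func NaiveKey(c AwsStsConfig) string { return strings.Join(fields(c), ":") }
// CacheKey length-prefixes each field before hashing, so field boundaries are
// unambiguous and distinct configs always map to distinct keys.
func CacheKey(c AwsStsConfig) string {
	h, n := sha256.New(), [4]byte{}
	for _, f := range fields(c) {
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		h.Write(n[:])
		h.Write([]byte(f))
	}
	return hex.EncodeToString(h.Sum(nil))
}

func main() { // constructed sample: the colon moves between Service and FallbackRoleARN
	a := AwsStsConfig{Region: "us-east-1", Service: "execute-api", FallbackRoleARN: "arn:aws:iam::123456789012:role/Reader", RoleClaim: "role", SessionNameClaim: "sub"}
	b := a
	b.Service, b.FallbackRoleARN = "execute-api:arn", "aws:iam::123456789012:role/Reader"
	fmt.Println("naive collides:", NaiveKey(a) == NaiveKey(b), "hashed collides:", CacheKey(a) == CacheKey(b))
}
```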