stacklok / toolhive / 21732934896

push

github

Add CEL-based AWS STS role mapper for claim-based IAM role selection (#3609)

Implement a role mapper that selects IAM roles based on JWT claims using
CEL expressions with priority-based selection. The mapper supports two
configuration modes: a simple claim syntax where a value like "admins"
is checked for membership in a configurable claim (defaulting to
"groups"), and a full CEL matcher syntax for complex expressions such as
agent delegation checks using the RFC 7519 "act" claim. All CEL
expressions are compiled at configuration load time for fail-fast
validation, claim values are validated against a safe-character regex to
prevent CEL injection, and role ARNs are validated using the AWS SDK.
When multiple mappings match, the one with the lowest priority number
wins, with configuration order as a tie-breaker. A fallback role ARN can
be configured for when no mapping matches.

This is the first in a series of PRs that add AWS STS authentication to
ToolHive, enabling MCP servers to authenticate with AWS services by exchanging
incoming OIDC tokens for temporary AWS credentials via STS
AssumeRoleWithWebIdentity. Subsequent PRs then add token exchange with SigV4
request signing, credential caching, HTTP middleware integration for the CLI
runner, operator CRD support via MCPExternalAuthConfig, and user-facing
documentation. This PR provides the claim-to-role mapping foundation that all
subsequent layers depend on.

Fixes: #3567

144 of 146 new or added lines in 2 files covered. (98.63%)

41388 of 67812 relevant lines covered (61.03%)

75.99 hits per line