21987880162

Committed 13 Feb 2026 01:04PM UTC coverage: 61.99% (-0.06%) from 62.048%

Build # 21987880162

Build Type

push

github

Committed by

web-flow

Commit Message

Add AWS STS auth type to MCPExternalAuthConfig CRD (#3816)

Extends the MCPExternalAuthConfig CRD with a new 'awsSts' authentication type
that enables AWS STS token exchange with SigV4 request signing for MCP servers.

The AWSStsConfig supports:
- Region and service configuration for SigV4 signing
- Default IAM role ARN for token exchange
- Role claim-based mapping for multi-tenant scenarios
- Session name claim for CloudTrail correlation
- Configurable session duration

This allows vMCP to authenticate with AWS services (like AWS MCP Server) by
exchanging incoming OIDC tokens for temporary AWS credentials using STS
AssumeRoleWithWebIdentity.

Fixes: #3570

Run Details

48 of 130 new or added lines in 6 files covered. (36.92%)

10 existing lines in 3 files now uncovered.

44268 of 71411 relevant lines covered (61.99%)

76.19 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

79.58

/pkg/transport/proxy/httpsse/http_proxy.go

stacklok / toolhive / 21987880162

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous