stacklok / toolhive / 21732934896 / 1
65%
main: 65%

DEFAULT BRANCH: main
Ran
Files 497
Run time 10s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 61.033% (+0.1%) from 60.931%
21732934896.1

push

github

web-flow 
Add CEL-based AWS STS role mapper for claim-based IAM role selection (#3609)

Implement a role mapper that selects IAM roles based on JWT claims using
CEL expressions with priority-based selection. The mapper supports two
configuration modes: a simple claim syntax where a value like "admins"
is checked for membership in a configurable claim (defaulting to
"groups"), and a full CEL matcher syntax for complex expressions such as
agent delegation checks using the RFC 7519 "act" claim. All CEL
expressions are compiled at configuration load time for fail-fast
validation, claim values are validated against a safe-character regex to
prevent CEL injection, and role ARNs are validated using the AWS SDK.
When multiple mappings match, the one with the lowest priority number
wins, with configuration order as a tie-breaker. A fallback role ARN can
be configured for when no mapping matches.

This is the first in a series of PRs that add AWS STS authentication to
ToolHive, enabling MCP servers to authenticate with AWS services by exchanging
incoming OIDC tokens for temporary AWS credentials via STS
AssumeRoleWithWebIdentity. Subsequent PRs then add token exchange with SigV4
request signing, credential caching, HTTP middleware integration for the CLI
runner, operator CRD support via MCPExternalAuthConfig, and user-facing
documentation. This PR provides the claim-to-role mapping foundation that all
subsequent layers depend on.

Fixes: #3567

41388 of 67812 relevant lines covered (61.03%)

75.99 hits per line

Source Files on job 21732934896.1