chore: import upstream snapshot with attribution
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,154 @@
|
||||
import type { STSAssumeRoleParams, STSAssumeRoleResponse } from '@/tools/sts/types'
|
||||
import type { ToolConfig } from '@/tools/types'
|
||||
|
||||
export const assumeRoleTool: ToolConfig<STSAssumeRoleParams, STSAssumeRoleResponse> = {
|
||||
id: 'sts_assume_role',
|
||||
name: 'STS Assume Role',
|
||||
description: 'Assume an IAM role and receive temporary security credentials',
|
||||
version: '1.0.0',
|
||||
|
||||
params: {
|
||||
region: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS region (e.g., us-east-1)',
|
||||
},
|
||||
accessKeyId: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS access key ID',
|
||||
},
|
||||
secretAccessKey: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS secret access key',
|
||||
},
|
||||
roleArn: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'ARN of the IAM role to assume',
|
||||
},
|
||||
roleSessionName: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'Identifier for the assumed role session',
|
||||
},
|
||||
durationSeconds: {
|
||||
type: 'number',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'Duration of the session in seconds (900-43200, default 3600)',
|
||||
},
|
||||
policy: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'JSON IAM policy to further restrict session permissions (max 2048 chars)',
|
||||
},
|
||||
externalId: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'External ID for cross-account access',
|
||||
},
|
||||
serialNumber: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'MFA device serial number or ARN',
|
||||
},
|
||||
tokenCode: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'MFA token code (6 digits)',
|
||||
},
|
||||
policyArns: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description:
|
||||
'Comma-separated ARNs of up to 10 IAM managed policies to use as session policies',
|
||||
},
|
||||
tags: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description:
|
||||
'JSON object of up to 50 session tag key/value pairs for attribute-based access control',
|
||||
},
|
||||
transitiveTagKeys: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'Comma-separated tag keys that propagate through role chaining',
|
||||
},
|
||||
},
|
||||
|
||||
request: {
|
||||
url: '/api/tools/sts/assume-role',
|
||||
method: 'POST',
|
||||
headers: () => ({ 'Content-Type': 'application/json' }),
|
||||
body: (params) => ({
|
||||
region: params.region,
|
||||
accessKeyId: params.accessKeyId,
|
||||
secretAccessKey: params.secretAccessKey,
|
||||
roleArn: params.roleArn,
|
||||
roleSessionName: params.roleSessionName,
|
||||
durationSeconds: params.durationSeconds,
|
||||
policy: params.policy,
|
||||
externalId: params.externalId,
|
||||
serialNumber: params.serialNumber,
|
||||
tokenCode: params.tokenCode,
|
||||
policyArns: params.policyArns,
|
||||
tags: params.tags,
|
||||
transitiveTagKeys: params.transitiveTagKeys,
|
||||
}),
|
||||
},
|
||||
|
||||
transformResponse: async (response: Response) => {
|
||||
const data = await response.json()
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(data.error || 'Failed to assume role')
|
||||
}
|
||||
|
||||
return {
|
||||
success: true,
|
||||
output: {
|
||||
accessKeyId: data.accessKeyId ?? '',
|
||||
secretAccessKey: data.secretAccessKey ?? '',
|
||||
sessionToken: data.sessionToken ?? '',
|
||||
expiration: data.expiration ?? null,
|
||||
assumedRoleArn: data.assumedRoleArn ?? '',
|
||||
assumedRoleId: data.assumedRoleId ?? '',
|
||||
packedPolicySize: data.packedPolicySize ?? null,
|
||||
sourceIdentity: data.sourceIdentity ?? null,
|
||||
},
|
||||
}
|
||||
},
|
||||
|
||||
outputs: {
|
||||
accessKeyId: { type: 'string', description: 'Temporary access key ID' },
|
||||
secretAccessKey: { type: 'string', description: 'Temporary secret access key' },
|
||||
sessionToken: { type: 'string', description: 'Temporary session token' },
|
||||
expiration: { type: 'string', description: 'Credential expiration timestamp', optional: true },
|
||||
assumedRoleArn: { type: 'string', description: 'ARN of the assumed role' },
|
||||
assumedRoleId: { type: 'string', description: 'Assumed role ID with session name' },
|
||||
packedPolicySize: {
|
||||
type: 'number',
|
||||
description: 'Percentage of allowed policy size used',
|
||||
optional: true,
|
||||
},
|
||||
sourceIdentity: {
|
||||
type: 'string',
|
||||
description: 'Source identity set on the role session, if any',
|
||||
optional: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1,145 @@
|
||||
import type { STSAssumeRoleWithSAMLParams, STSAssumeRoleWithSAMLResponse } from '@/tools/sts/types'
|
||||
import type { ToolConfig } from '@/tools/types'
|
||||
|
||||
export const assumeRoleWithSAMLTool: ToolConfig<
|
||||
STSAssumeRoleWithSAMLParams,
|
||||
STSAssumeRoleWithSAMLResponse
|
||||
> = {
|
||||
id: 'sts_assume_role_with_saml',
|
||||
name: 'STS Assume Role With SAML',
|
||||
description:
|
||||
'Assume an IAM role using a SAML 2.0 authentication response from an enterprise identity provider and receive temporary security credentials',
|
||||
version: '1.0.0',
|
||||
|
||||
params: {
|
||||
region: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS region (e.g., us-east-1)',
|
||||
},
|
||||
roleArn: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'ARN of the IAM role to assume',
|
||||
},
|
||||
principalArn: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'ARN of the SAML provider in IAM that describes the identity provider',
|
||||
},
|
||||
samlAssertion: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'Base64-encoded SAML authentication response from the identity provider',
|
||||
},
|
||||
policyArns: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description:
|
||||
'Comma-separated ARNs of up to 10 IAM managed policies to use as session policies',
|
||||
},
|
||||
policy: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'JSON IAM policy to further restrict session permissions (max 2048 chars)',
|
||||
},
|
||||
durationSeconds: {
|
||||
type: 'number',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'Duration of the session in seconds (900-43200, default 3600)',
|
||||
},
|
||||
},
|
||||
|
||||
request: {
|
||||
url: '/api/tools/sts/assume-role-with-saml',
|
||||
method: 'POST',
|
||||
headers: () => ({ 'Content-Type': 'application/json' }),
|
||||
body: (params) => ({
|
||||
region: params.region,
|
||||
roleArn: params.roleArn,
|
||||
principalArn: params.principalArn,
|
||||
samlAssertion: params.samlAssertion,
|
||||
policyArns: params.policyArns,
|
||||
policy: params.policy,
|
||||
durationSeconds: params.durationSeconds,
|
||||
}),
|
||||
},
|
||||
|
||||
transformResponse: async (response: Response) => {
|
||||
const data = await response.json()
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(data.error || 'Failed to assume role with SAML')
|
||||
}
|
||||
|
||||
return {
|
||||
success: true,
|
||||
output: {
|
||||
accessKeyId: data.accessKeyId ?? '',
|
||||
secretAccessKey: data.secretAccessKey ?? '',
|
||||
sessionToken: data.sessionToken ?? '',
|
||||
expiration: data.expiration ?? null,
|
||||
assumedRoleArn: data.assumedRoleArn ?? '',
|
||||
assumedRoleId: data.assumedRoleId ?? '',
|
||||
subject: data.subject ?? null,
|
||||
subjectType: data.subjectType ?? null,
|
||||
issuer: data.issuer ?? null,
|
||||
audience: data.audience ?? null,
|
||||
nameQualifier: data.nameQualifier ?? null,
|
||||
packedPolicySize: data.packedPolicySize ?? null,
|
||||
sourceIdentity: data.sourceIdentity ?? null,
|
||||
},
|
||||
}
|
||||
},
|
||||
|
||||
outputs: {
|
||||
accessKeyId: { type: 'string', description: 'Temporary access key ID' },
|
||||
secretAccessKey: { type: 'string', description: 'Temporary secret access key' },
|
||||
sessionToken: { type: 'string', description: 'Temporary session token' },
|
||||
expiration: { type: 'string', description: 'Credential expiration timestamp', optional: true },
|
||||
assumedRoleArn: { type: 'string', description: 'ARN of the assumed role' },
|
||||
assumedRoleId: { type: 'string', description: 'Assumed role ID with session name' },
|
||||
subject: {
|
||||
type: 'string',
|
||||
description: 'Value of the NameID element in the Subject of the SAML assertion',
|
||||
optional: true,
|
||||
},
|
||||
subjectType: {
|
||||
type: 'string',
|
||||
description: 'Format of the name ID (e.g. transient, persistent)',
|
||||
optional: true,
|
||||
},
|
||||
issuer: {
|
||||
type: 'string',
|
||||
description: 'Value of the Issuer element of the SAML assertion',
|
||||
optional: true,
|
||||
},
|
||||
audience: {
|
||||
type: 'string',
|
||||
description: "Value of the SAML assertion's SubjectConfirmationData Recipient attribute",
|
||||
optional: true,
|
||||
},
|
||||
nameQualifier: {
|
||||
type: 'string',
|
||||
description: 'Hash uniquely identifying the issuer, account, and SAML provider',
|
||||
optional: true,
|
||||
},
|
||||
packedPolicySize: {
|
||||
type: 'number',
|
||||
description: 'Percentage of allowed policy size used',
|
||||
optional: true,
|
||||
},
|
||||
sourceIdentity: {
|
||||
type: 'string',
|
||||
description: 'Source identity set on the role session, if any',
|
||||
optional: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1,144 @@
|
||||
import type {
|
||||
STSAssumeRoleWithWebIdentityParams,
|
||||
STSAssumeRoleWithWebIdentityResponse,
|
||||
} from '@/tools/sts/types'
|
||||
import type { ToolConfig } from '@/tools/types'
|
||||
|
||||
export const assumeRoleWithWebIdentityTool: ToolConfig<
|
||||
STSAssumeRoleWithWebIdentityParams,
|
||||
STSAssumeRoleWithWebIdentityResponse
|
||||
> = {
|
||||
id: 'sts_assume_role_with_web_identity',
|
||||
name: 'STS Assume Role With Web Identity',
|
||||
description:
|
||||
'Assume an IAM role using an OIDC/OAuth 2.0 web identity token (e.g. GitHub Actions OIDC, EKS IRSA, Google/Facebook federation) and receive temporary security credentials',
|
||||
version: '1.0.0',
|
||||
|
||||
params: {
|
||||
region: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS region (e.g., us-east-1)',
|
||||
},
|
||||
roleArn: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'ARN of the IAM role to assume',
|
||||
},
|
||||
roleSessionName: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'Identifier for the assumed role session',
|
||||
},
|
||||
webIdentityToken: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-or-llm',
|
||||
description:
|
||||
'OAuth 2.0 access token or OpenID Connect ID token from the identity provider (up to 20000 chars)',
|
||||
},
|
||||
providerId: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description:
|
||||
'Fully qualified host of a legacy OAuth 2.0 provider (e.g. www.amazon.com); omit for OpenID Connect providers',
|
||||
},
|
||||
policyArns: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description:
|
||||
'Comma-separated ARNs of up to 10 IAM managed policies to use as session policies',
|
||||
},
|
||||
policy: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'JSON IAM policy to further restrict session permissions (max 2048 chars)',
|
||||
},
|
||||
durationSeconds: {
|
||||
type: 'number',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'Duration of the session in seconds (900-43200, default 3600)',
|
||||
},
|
||||
},
|
||||
|
||||
request: {
|
||||
url: '/api/tools/sts/assume-role-with-web-identity',
|
||||
method: 'POST',
|
||||
headers: () => ({ 'Content-Type': 'application/json' }),
|
||||
body: (params) => ({
|
||||
region: params.region,
|
||||
roleArn: params.roleArn,
|
||||
roleSessionName: params.roleSessionName,
|
||||
webIdentityToken: params.webIdentityToken,
|
||||
providerId: params.providerId,
|
||||
policyArns: params.policyArns,
|
||||
policy: params.policy,
|
||||
durationSeconds: params.durationSeconds,
|
||||
}),
|
||||
},
|
||||
|
||||
transformResponse: async (response: Response) => {
|
||||
const data = await response.json()
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(data.error || 'Failed to assume role with web identity')
|
||||
}
|
||||
|
||||
return {
|
||||
success: true,
|
||||
output: {
|
||||
accessKeyId: data.accessKeyId ?? '',
|
||||
secretAccessKey: data.secretAccessKey ?? '',
|
||||
sessionToken: data.sessionToken ?? '',
|
||||
expiration: data.expiration ?? null,
|
||||
assumedRoleArn: data.assumedRoleArn ?? '',
|
||||
assumedRoleId: data.assumedRoleId ?? '',
|
||||
subjectFromWebIdentityToken: data.subjectFromWebIdentityToken ?? '',
|
||||
audience: data.audience ?? null,
|
||||
provider: data.provider ?? null,
|
||||
packedPolicySize: data.packedPolicySize ?? null,
|
||||
sourceIdentity: data.sourceIdentity ?? null,
|
||||
},
|
||||
}
|
||||
},
|
||||
|
||||
outputs: {
|
||||
accessKeyId: { type: 'string', description: 'Temporary access key ID' },
|
||||
secretAccessKey: { type: 'string', description: 'Temporary secret access key' },
|
||||
sessionToken: { type: 'string', description: 'Temporary session token' },
|
||||
expiration: { type: 'string', description: 'Credential expiration timestamp', optional: true },
|
||||
assumedRoleArn: { type: 'string', description: 'ARN of the assumed role' },
|
||||
assumedRoleId: { type: 'string', description: 'Assumed role ID with session name' },
|
||||
subjectFromWebIdentityToken: {
|
||||
type: 'string',
|
||||
description: "Unique user identifier from the identity provider's token subject claim",
|
||||
},
|
||||
audience: {
|
||||
type: 'string',
|
||||
description: 'Intended audience (client ID) of the web identity token',
|
||||
optional: true,
|
||||
},
|
||||
provider: {
|
||||
type: 'string',
|
||||
description: 'Issuing authority of the presented web identity token',
|
||||
optional: true,
|
||||
},
|
||||
packedPolicySize: {
|
||||
type: 'number',
|
||||
description: 'Percentage of allowed policy size used',
|
||||
optional: true,
|
||||
},
|
||||
sourceIdentity: {
|
||||
type: 'string',
|
||||
description: 'Source identity set on the role session, if any',
|
||||
optional: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1,70 @@
|
||||
import type { STSGetAccessKeyInfoParams, STSGetAccessKeyInfoResponse } from '@/tools/sts/types'
|
||||
import type { ToolConfig } from '@/tools/types'
|
||||
|
||||
export const getAccessKeyInfoTool: ToolConfig<
|
||||
STSGetAccessKeyInfoParams,
|
||||
STSGetAccessKeyInfoResponse
|
||||
> = {
|
||||
id: 'sts_get_access_key_info',
|
||||
name: 'STS Get Access Key Info',
|
||||
description: 'Get the AWS account ID associated with an access key',
|
||||
version: '1.0.0',
|
||||
|
||||
params: {
|
||||
region: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS region (e.g., us-east-1)',
|
||||
},
|
||||
accessKeyId: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS access key ID',
|
||||
},
|
||||
secretAccessKey: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS secret access key',
|
||||
},
|
||||
targetAccessKeyId: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'The access key ID to look up',
|
||||
},
|
||||
},
|
||||
|
||||
request: {
|
||||
url: '/api/tools/sts/get-access-key-info',
|
||||
method: 'POST',
|
||||
headers: () => ({ 'Content-Type': 'application/json' }),
|
||||
body: (params) => ({
|
||||
region: params.region,
|
||||
accessKeyId: params.accessKeyId,
|
||||
secretAccessKey: params.secretAccessKey,
|
||||
targetAccessKeyId: params.targetAccessKeyId,
|
||||
}),
|
||||
},
|
||||
|
||||
transformResponse: async (response: Response) => {
|
||||
const data = await response.json()
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(data.error || 'Failed to get access key info')
|
||||
}
|
||||
|
||||
return {
|
||||
success: true,
|
||||
output: {
|
||||
account: data.account ?? '',
|
||||
},
|
||||
}
|
||||
},
|
||||
|
||||
outputs: {
|
||||
account: { type: 'string', description: 'AWS account ID that owns the access key' },
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1,67 @@
|
||||
import type { STSGetCallerIdentityParams, STSGetCallerIdentityResponse } from '@/tools/sts/types'
|
||||
import type { ToolConfig } from '@/tools/types'
|
||||
|
||||
export const getCallerIdentityTool: ToolConfig<
|
||||
STSGetCallerIdentityParams,
|
||||
STSGetCallerIdentityResponse
|
||||
> = {
|
||||
id: 'sts_get_caller_identity',
|
||||
name: 'STS Get Caller Identity',
|
||||
description: 'Get details about the IAM user or role whose credentials are used to call the API',
|
||||
version: '1.0.0',
|
||||
|
||||
params: {
|
||||
region: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS region (e.g., us-east-1)',
|
||||
},
|
||||
accessKeyId: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS access key ID',
|
||||
},
|
||||
secretAccessKey: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS secret access key',
|
||||
},
|
||||
},
|
||||
|
||||
request: {
|
||||
url: '/api/tools/sts/get-caller-identity',
|
||||
method: 'POST',
|
||||
headers: () => ({ 'Content-Type': 'application/json' }),
|
||||
body: (params) => ({
|
||||
region: params.region,
|
||||
accessKeyId: params.accessKeyId,
|
||||
secretAccessKey: params.secretAccessKey,
|
||||
}),
|
||||
},
|
||||
|
||||
transformResponse: async (response: Response) => {
|
||||
const data = await response.json()
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(data.error || 'Failed to get caller identity')
|
||||
}
|
||||
|
||||
return {
|
||||
success: true,
|
||||
output: {
|
||||
account: data.account ?? '',
|
||||
arn: data.arn ?? '',
|
||||
userId: data.userId ?? '',
|
||||
},
|
||||
}
|
||||
},
|
||||
|
||||
outputs: {
|
||||
account: { type: 'string', description: 'AWS account ID' },
|
||||
arn: { type: 'string', description: 'ARN of the calling entity' },
|
||||
userId: { type: 'string', description: 'Unique identifier of the calling entity' },
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1,92 @@
|
||||
import type { STSGetSessionTokenParams, STSGetSessionTokenResponse } from '@/tools/sts/types'
|
||||
import type { ToolConfig } from '@/tools/types'
|
||||
|
||||
export const getSessionTokenTool: ToolConfig<STSGetSessionTokenParams, STSGetSessionTokenResponse> =
|
||||
{
|
||||
id: 'sts_get_session_token',
|
||||
name: 'STS Get Session Token',
|
||||
description: 'Get temporary security credentials for an IAM user, optionally with MFA',
|
||||
version: '1.0.0',
|
||||
|
||||
params: {
|
||||
region: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS region (e.g., us-east-1)',
|
||||
},
|
||||
accessKeyId: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS access key ID',
|
||||
},
|
||||
secretAccessKey: {
|
||||
type: 'string',
|
||||
required: true,
|
||||
visibility: 'user-only',
|
||||
description: 'AWS secret access key',
|
||||
},
|
||||
durationSeconds: {
|
||||
type: 'number',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'Duration of the session in seconds (900-129600, default 43200)',
|
||||
},
|
||||
serialNumber: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'MFA device serial number or ARN',
|
||||
},
|
||||
tokenCode: {
|
||||
type: 'string',
|
||||
required: false,
|
||||
visibility: 'user-or-llm',
|
||||
description: 'MFA token code (6 digits)',
|
||||
},
|
||||
},
|
||||
|
||||
request: {
|
||||
url: '/api/tools/sts/get-session-token',
|
||||
method: 'POST',
|
||||
headers: () => ({ 'Content-Type': 'application/json' }),
|
||||
body: (params) => ({
|
||||
region: params.region,
|
||||
accessKeyId: params.accessKeyId,
|
||||
secretAccessKey: params.secretAccessKey,
|
||||
durationSeconds: params.durationSeconds,
|
||||
serialNumber: params.serialNumber,
|
||||
tokenCode: params.tokenCode,
|
||||
}),
|
||||
},
|
||||
|
||||
transformResponse: async (response: Response) => {
|
||||
const data = await response.json()
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(data.error || 'Failed to get session token')
|
||||
}
|
||||
|
||||
return {
|
||||
success: true,
|
||||
output: {
|
||||
accessKeyId: data.accessKeyId ?? '',
|
||||
secretAccessKey: data.secretAccessKey ?? '',
|
||||
sessionToken: data.sessionToken ?? '',
|
||||
expiration: data.expiration ?? null,
|
||||
},
|
||||
}
|
||||
},
|
||||
|
||||
outputs: {
|
||||
accessKeyId: { type: 'string', description: 'Temporary access key ID' },
|
||||
secretAccessKey: { type: 'string', description: 'Temporary secret access key' },
|
||||
sessionToken: { type: 'string', description: 'Temporary session token' },
|
||||
expiration: {
|
||||
type: 'string',
|
||||
description: 'Credential expiration timestamp',
|
||||
optional: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
import { assumeRoleTool } from './assume_role'
|
||||
import { assumeRoleWithSAMLTool } from './assume_role_with_saml'
|
||||
import { assumeRoleWithWebIdentityTool } from './assume_role_with_web_identity'
|
||||
import { getAccessKeyInfoTool } from './get_access_key_info'
|
||||
import { getCallerIdentityTool } from './get_caller_identity'
|
||||
import { getSessionTokenTool } from './get_session_token'
|
||||
|
||||
export const stsAssumeRoleTool = assumeRoleTool
|
||||
export const stsAssumeRoleWithWebIdentityTool = assumeRoleWithWebIdentityTool
|
||||
export const stsAssumeRoleWithSAMLTool = assumeRoleWithSAMLTool
|
||||
export const stsGetCallerIdentityTool = getCallerIdentityTool
|
||||
export const stsGetSessionTokenTool = getSessionTokenTool
|
||||
export const stsGetAccessKeyInfoTool = getAccessKeyInfoTool
|
||||
|
||||
export * from './types'
|
||||
@@ -0,0 +1,127 @@
|
||||
import type { ToolResponse } from '@/tools/types'
|
||||
|
||||
export interface STSConnectionConfig {
|
||||
region: string
|
||||
accessKeyId: string
|
||||
secretAccessKey: string
|
||||
}
|
||||
|
||||
export interface STSAssumeRoleParams extends STSConnectionConfig {
|
||||
roleArn: string
|
||||
roleSessionName: string
|
||||
durationSeconds?: number | null
|
||||
policy?: string | null
|
||||
externalId?: string | null
|
||||
serialNumber?: string | null
|
||||
tokenCode?: string | null
|
||||
policyArns?: string | null
|
||||
tags?: string | null
|
||||
transitiveTagKeys?: string | null
|
||||
}
|
||||
|
||||
export interface STSAssumeRoleWithWebIdentityParams {
|
||||
region: string
|
||||
roleArn: string
|
||||
roleSessionName: string
|
||||
webIdentityToken: string
|
||||
providerId?: string | null
|
||||
policyArns?: string | null
|
||||
policy?: string | null
|
||||
durationSeconds?: number | null
|
||||
}
|
||||
|
||||
export interface STSAssumeRoleWithSAMLParams {
|
||||
region: string
|
||||
roleArn: string
|
||||
principalArn: string
|
||||
samlAssertion: string
|
||||
policyArns?: string | null
|
||||
policy?: string | null
|
||||
durationSeconds?: number | null
|
||||
}
|
||||
|
||||
export interface STSGetCallerIdentityParams extends STSConnectionConfig {}
|
||||
|
||||
export interface STSGetSessionTokenParams extends STSConnectionConfig {
|
||||
durationSeconds?: number | null
|
||||
serialNumber?: string | null
|
||||
tokenCode?: string | null
|
||||
}
|
||||
|
||||
export interface STSGetAccessKeyInfoParams extends STSConnectionConfig {
|
||||
targetAccessKeyId: string
|
||||
}
|
||||
|
||||
export interface STSAssumeRoleResponse extends ToolResponse {
|
||||
output: {
|
||||
accessKeyId: string
|
||||
secretAccessKey: string
|
||||
sessionToken: string
|
||||
expiration: string | null
|
||||
assumedRoleArn: string
|
||||
assumedRoleId: string
|
||||
packedPolicySize: number | null
|
||||
sourceIdentity: string | null
|
||||
}
|
||||
}
|
||||
|
||||
export interface STSAssumeRoleWithWebIdentityResponse extends ToolResponse {
|
||||
output: {
|
||||
accessKeyId: string
|
||||
secretAccessKey: string
|
||||
sessionToken: string
|
||||
expiration: string | null
|
||||
assumedRoleArn: string
|
||||
assumedRoleId: string
|
||||
subjectFromWebIdentityToken: string
|
||||
audience: string | null
|
||||
provider: string | null
|
||||
packedPolicySize: number | null
|
||||
sourceIdentity: string | null
|
||||
}
|
||||
}
|
||||
|
||||
export interface STSAssumeRoleWithSAMLResponse extends ToolResponse {
|
||||
output: {
|
||||
accessKeyId: string
|
||||
secretAccessKey: string
|
||||
sessionToken: string
|
||||
expiration: string | null
|
||||
assumedRoleArn: string
|
||||
assumedRoleId: string
|
||||
subject: string | null
|
||||
subjectType: string | null
|
||||
issuer: string | null
|
||||
audience: string | null
|
||||
nameQualifier: string | null
|
||||
packedPolicySize: number | null
|
||||
sourceIdentity: string | null
|
||||
}
|
||||
}
|
||||
|
||||
export interface STSGetCallerIdentityResponse extends ToolResponse {
|
||||
output: {
|
||||
account: string
|
||||
arn: string
|
||||
userId: string
|
||||
}
|
||||
}
|
||||
|
||||
export interface STSGetSessionTokenResponse extends ToolResponse {
|
||||
output: {
|
||||
accessKeyId: string
|
||||
secretAccessKey: string
|
||||
sessionToken: string
|
||||
expiration: string | null
|
||||
}
|
||||
}
|
||||
|
||||
export interface STSGetAccessKeyInfoResponse extends ToolResponse {
|
||||
output: {
|
||||
account: string
|
||||
}
|
||||
}
|
||||
|
||||
export interface STSBaseResponse extends ToolResponse {
|
||||
output: { message: string }
|
||||
}
|
||||
Reference in New Issue
Block a user