Hello!
The feature request is to give this MCP functionality to allow agents to assume profiles for multi-account access.
Use Case
I was using steampipe in order to accomplish this before, but that is only helpful for some read-only operations. When I used this MCP, I needed to close Claude Code, assume a new profile, relaunch Claude Code, and repeat X amount of times depending on what I'm doing. We have 70 AWS accounts so you can imagine why this might be a pain.
Proposed Solution
I have a very scrappy tool that I've created which enabled me to do this already. If it's something you think could be a good addition to this project, I can tidy it up and create a PR. Let me know what you think!
The switch_profile tool lets you change which AWS identity the proxy uses mid-session. You enable it with --allow-switch-profile and a whitelist of profile names. When called, a middleware intercepts the request, validates the profile against the allowlist, creates a new boto3 session, swaps it into a shared SessionHolder, reconnects the upstream client, and invalidates the tool cache. All subsequent requests are then signed with the new credentials automatically.
Other Information
No response
Acknowledgements
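The allowlist check and session swap described in the proposal, as an added sketch that is not the issue author's tool or the project's code. `SessionHolder` and `switch_profile` are names from the issue; their bodies, the `audit` list, the `tool_cache` dict and the injectable `session_factory` are assumptions, and reconnecting the upstream client is left out.

```python
import threading
from dataclasses import dataclass, field
from typing import Any


def boto3_session_factory(profile: str) -> Any:
    import boto3  # imported lazily so the sketch loads without boto3 installed
    return boto3.Session(profile_name=profile)


class ProfileNotAllowed(Exception):
    """Requested profile is not on the operator-supplied allowlist."""


@dataclass
class SessionHolder:  # name from the issue; this implementation is assumed
    profile: str
    session: Any
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def swap(self, profile: str, session: Any) -> None:
        with self._lock:  # signers never observe a half-updated identity
            self.profile, self.session = profile, session


def switch_profile(holder, requested, allowlist, tool_cache, audit,
                   session_factory=boto3_session_factory):
    """Swap the active profile if allowlisted; return the previous profile."""
    # Exact, case-sensitive match only: no globbing, trimming or prefix logic,
    # so the agent cannot reach a profile the operator did not list.
    if not isinstance(requested, str) or requested not in allowlist:
        audit.append(("denied", holder.profile, repr(requested)))
        raise ProfileNotAllowed(requested)
    # Build the new session first; if this raises, the old identity stays active.
    new_session = session_factory(requested)
    previous = holder.profile
    holder.swap(requested, new_session)
    # Tool listings cached under the previous identity must not be served now.
    tool_cache.clear()
    audit.append(("switched", previous, requested))
    return previous
```

Recording denied requests alongside successful switches gives a reviewer a trail of which identities the agent attempted to use, not only the ones it obtained.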