feat(auth): add per-call AWS profile override middleware#205
Draft
This was linked to issues Mar 31, 2026
anasstahr reviewed Apr 2, 2026
f142bea to 1ba8d99
| """Intercept ``profile`` and route through a dedicated per-profile client.""" | ||
| arguments = context.message.arguments | ||
| if isinstance(arguments, dict) and 'profile' in arguments: | ||
| profile = arguments['profile'] |
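Review bot: at `profile = arguments['profile']`, the value comes straight from caller-supplied tool arguments, and these lines only check that the key exists. Before it is used to pick a client, check that it is a `str` and a member of the allowlist, and fail the call otherwise rather than falling through to the default connection. A non-string value (list, dict, None) should get the same rejection, not an unhandled exception from a set or dict lookup.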
Collaborator
profile can collide with tools that already have a profile parameter. If a backend tool already has a profile parameter in its schema, this middleware will silently overwrite it in on_list_tools and strip it in on_call_tool. This could break legitimate tool parameters.
Author
Do you think proxy_profile would be a better name to avoid collisions?
Contributor
I think proxy_profile sounds good; however, I think we should warn the user when this override happens.
rshevchuk-git requested changes Apr 7, 2026
arnewouters reviewed Apr 7, 2026
a496fad to 46cfe20
Adds ProfileOverrideMiddleware that allows routing individual tool calls through dedicated per-profile MCP connections via a `profile` argument. Enabled with `--allow-switch-profile` CLI flag restricted to an explicit allowlist of profile names.
Concurrent tool calls (e.g. from parallel subagents) could race in _get_profile_client, each creating a separate Client for the same profile. The loser's client would leak — connected but never tracked or cleaned up. Wrapping in an asyncio.Lock ensures only one client is created per profile.
…rror on failures Avoids collisions with backend tool arguments by using a namespaced proxy_profile parameter. Errors now raise ToolError instead of returning ToolResult for proper MCP error propagation. Deep-copies tool parameters to prevent mutating shared upstream dicts. Extracts profile override middleware setup into a dedicated helper.
46cfe20 to b23a615
Adds ProfileOverrideMiddleware that allows routing individual tool calls through dedicated per-profile MCP connections via a `profile` argument. Enabled with `--allow-switch-profile` CLI flag restricted to an explicit allowlist of profile names.
Summary
Changes
validates it against an allowlist, and routes the request through a dedicated per-profile MCP client with its own SigV4-signed transport.
in the finally block).
error handling, and client disconnect logic. 90% branch coverage on the new middleware.
--allow-switch-profile interacts with --profile, including a JSON config example.
User experience
Before: Users who needed to query AWS resources across multiple accounts had to run separate proxy instances per profile, or manually
restart the proxy with a different --profile value.
After: Users pass --allow-switch-profile profile-a profile-b alongside their default --profile. Any tool call can include a profile
argument to route that single request through a dedicated connection signed with the specified profile's credentials. Tool calls without
profile continue to use the default connection. Each profile's connection is created lazily on first use, so there is no startup cost for
unused profiles.
Checklist
If your change doesn't seem to apply, please leave them unchecked.
Is this a breaking change? (Y/N)
Please add details about how this change was tested.
Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
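
The race described in the commit message for `_get_profile_client`, together with the allowlist check from the description, as an added example that is not code from this pull request. `FakeClient`, `ProfileClients` and `run_parallel` are hypothetical names, the client is a constructed stand-in with no AWS or MCP calls, and `PermissionError` stands in for the project's own error type.

```python
import asyncio


class FakeClient:
    """Constructed stand-in for a per-profile client; connect() yields like real I/O."""

    def __init__(self, profile):
        self.profile = profile

    async def connect(self):
        await asyncio.sleep(0.01)  # other tasks run here, which is where the race occurs


class ProfileClients:
    """Lazily creates at most one client per allowlisted profile (hypothetical names)."""

    def __init__(self, allowed, use_lock=True):
        self._allowed = frozenset(allowed)
        self._clients = {}
        self._lock = asyncio.Lock() if use_lock else None
        self.created = 0  # how many clients were ever constructed

    async def _get_or_create(self, profile):
        if profile in self._clients:
            return self._clients[profile]
        client = FakeClient(profile)
        self.created += 1
        await client.connect()  # without a lock, every concurrent caller reaches this line
        self._clients[profile] = client  # later writers replace earlier clients, which leak
        return client

    async def get(self, profile):
        # Reject non-strings first so unhashable values never reach the set lookup.
        if not isinstance(profile, str) or profile not in self._allowed:
            raise PermissionError(f'profile not in allowlist: {profile!r}')
        if self._lock is None:
            return await self._get_or_create(profile)
        async with self._lock:  # check and insert happen as one step per caller
            return await self._get_or_create(profile)


async def run_parallel(use_lock, calls=5):
    """Issue `calls` concurrent requests for one profile; return (created, tracked)."""
    pool = ProfileClients({'profile-a', 'profile-b'}, use_lock=use_lock)
    await asyncio.gather(*(pool.get('profile-a') for _ in range(calls)))
    return pool.created, len(pool._clients)


if __name__ == '__main__':
    print('no lock:', asyncio.run(run_parallel(False)))
    print('lock:   ', asyncio.run(run_parallel(True)))
```

A single lock also serializes first-use creation across different profiles; a per-profile lock would avoid that at the cost of more bookkeeping.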