Problem
The AWS multi-account MCP server currently requires IRSA (IAM Roles for Service Accounts) — it assumes a hard-coded web identity token path (/var/run/secrets/eks.amazonaws.com/serviceaccount/token) and only calls assume_role_with_web_identity. This means the server cannot be used with EKS Pod Identity, which injects credentials via the Pod Identity agent rather than a projected token file.
Users running clusters that use Pod Identity instead of (or in addition to) IRSA have no way to authenticate without patching the code themselves.
Expected behaviour
The server should automatically detect the available credential method and use whichever is appropriate:
- If AWS_WEB_IDENTITY_TOKEN_FILE is set → use IRSA (assume_role_with_web_identity)
- Otherwise → fall back to plain assume_role using boto3's standard credential chain (Pod Identity agent, EC2 instance profile, environment variables, etc.)
Fix
PR #18 implements this by adding a _assume_role fallback and making auth-method selection automatic based on the environment, with no breaking changes for existing IRSA users.
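The selection rule described above, as an added Python example; it is not the code from PR #18. The names select_auth_method and assume_target_role and the injectable sts_client parameter are hypothetical. As a choice made for this example, a configured but unreadable token file raises an error rather than falling through to the standard credential chain.

```python
import os

# Hypothetical helper names for illustration; not taken from PR #18.


def select_auth_method(env=None):
    """Return "irsa" when a web identity token file is configured, else "assume_role"."""
    env = os.environ if env is None else env
    # An empty value is treated the same as an unset variable.
    return "irsa" if env.get("AWS_WEB_IDENTITY_TOKEN_FILE") else "assume_role"


def assume_target_role(role_arn, session_name, sts_client=None, env=None):
    """Assume role_arn using the method chosen by select_auth_method().

    Returns (method, credentials), where credentials is the "Credentials"
    dict from the STS response.
    """
    env = os.environ if env is None else env
    if sts_client is None:
        # Imported lazily so the selection logic can be tested without boto3.
        import boto3
        sts_client = boto3.client("sts")

    method = select_auth_method(env)
    if method == "irsa":
        # Read the projected token from the path given in the environment
        # instead of a hard-coded one. If the variable is set but the file
        # cannot be read, open() raises and no STS call is made, so the
        # process never silently switches to a different identity such as
        # the node's instance profile.
        with open(env["AWS_WEB_IDENTITY_TOKEN_FILE"], encoding="utf-8") as fh:
            token = fh.read().strip()
        resp = sts_client.assume_role_with_web_identity(
            RoleArn=role_arn,
            RoleSessionName=session_name,
            WebIdentityToken=token,
        )
    else:
        # Source credentials come from boto3's standard chain (Pod Identity
        # agent, EC2 instance profile, environment variables, etc.).
        resp = sts_client.assume_role(
            RoleArn=role_arn,
            RoleSessionName=session_name,
        )
    return method, resp["Credentials"]
```

Logging the returned method at startup makes it visible which identity path a pod actually took.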