awslabs.eks-mcp-server 0.1.4__py3-none-any.whl → 0.1.5__py3-none-any.whl

awslabs/eks_mcp_server/aws_helper.py

@@ -18,7 +18,8 @@ import boto3
 import os
 from awslabs.eks_mcp_server import __version__
 from botocore.config import Config
-from typing import Any, Optional
+from loguru import logger
+from typing import Any, Dict, Optional
 
 
 class AwsHelper:
@@ -26,8 +27,17 @@ class AwsHelper:
 
     This class provides utility methods for interacting with AWS services,
     including region and profile management and client creation.
+
+    This class implements a singleton pattern with a client cache to avoid
+    creating multiple clients for the same service.
     """
 
+    # Singleton instance
+    _instance = None
+
+    # Client cache with AWS service name as key
+    _client_cache: Dict[str, Any] = {}
+
     @staticmethod
     def get_aws_region() -> Optional[str]:
         """Get the AWS region from the environment if set."""
@@ -40,10 +50,11 @@ class AwsHelper:
 
     @classmethod
     def create_boto3_client(cls, service_name: str, region_name: Optional[str] = None) -> Any:
-        """Create a boto3 client with the appropriate profile and region.
+        """Create or retrieve a cached boto3 client with the appropriate profile and region.
 
         The client is configured with a custom user agent suffix 'awslabs/mcp/eks-mcp-server/{version}'
-        to identify API calls made by the EKS MCP Server.
+        to identify API calls made by the EKS MCP Server. Clients are cached to improve performance
+        and reduce resource usage.
 
         Args:
             service_name: The AWS service name (e.g., 'ec2', 's3', 'eks')
@@ -51,25 +62,47 @@ class AwsHelper:
 
         Returns:
             A boto3 client for the specified service
+
+        Raises:
+            Exception: If there's an error creating the client
         """
-        # Get region from parameter or environment if set
-        region: Optional[str] = region_name if region_name is not None else cls.get_aws_region()
+        try:
+            # Get region from parameter or environment if set
+            region: Optional[str] = (
+                region_name if region_name is not None else cls.get_aws_region()
+            )
 
-        # Get profile from environment if set
-        profile = cls.get_aws_profile()
+            # Get profile from environment if set
+            profile = cls.get_aws_profile()
 
-        # Create config with user agent suffix
-        config = Config(user_agent_extra=f'awslabs/mcp/eks-mcp-server/{__version__}')
+            # Use service name as the cache key
+            cache_key = service_name
 
-        # Create session with profile if specified
-        if profile:
-            session = boto3.Session(profile_name=profile)
-            if region is not None:
-                return session.client(service_name, region_name=region, config=config)
-            else:
-                return session.client(service_name, config=config)
-        else:
-            if region is not None:
-                return boto3.client(service_name, region_name=region, config=config)
+            # Check if client is already in cache
+            if cache_key in cls._client_cache:
+                logger.info(f'Using cached boto3 client for {service_name}')
+                return cls._client_cache[cache_key]
+
+            # Create config with user agent suffix
+            config = Config(user_agent_extra=f'awslabs/mcp/eks-mcp-server/{__version__}')
+
+            # Create session with profile if specified
+            if profile:
+                session = boto3.Session(profile_name=profile)
+                if region is not None:
+                    client = session.client(service_name, region_name=region, config=config)
+                else:
+                    client = session.client(service_name, config=config)
             else:
-                return boto3.client(service_name, config=config)
+                if region is not None:
+                    client = boto3.client(service_name, region_name=region, config=config)
+                else:
+                    client = boto3.client(service_name, config=config)
+
+            # Cache the client
+            cls._client_cache[cache_key] = client
+
+            return client
+        except Exception as e:
+            # Re-raise with more context
+            raise Exception(f'Failed to create boto3 client for {service_name}: {str(e)}')

awslabs/eks_mcp_server/iam_handler.py

@@ -44,7 +44,6 @@ class IAMHandler:
             allow_write: Whether to enable write access (default: False)
         """
         self.mcp = mcp
-        self.iam_client = AwsHelper.create_boto3_client('iam')
         self.allow_write = allow_write
 
         # Register tools
@@ -94,15 +93,18 @@ class IAMHandler:
         try:
             log_with_request_id(ctx, LogLevel.INFO, f'Describing IAM role: {role_name}')
 
+            # Get IAM client
+            iam_client = AwsHelper.create_boto3_client('iam')
+
             # Get role details
-            role_response = self.iam_client.get_role(RoleName=role_name)
+            role_response = iam_client.get_role(RoleName=role_name)
             role = role_response['Role']
 
             # Get attached managed policies
-            managed_policies = self._get_managed_policies(ctx, role_name)
+            managed_policies = self._get_managed_policies(ctx, iam_client, role_name)
 
             # Get inline policies
-            inline_policies = self._get_inline_policies(ctx, role_name)
+            inline_policies = self._get_inline_policies(ctx, iam_client, role_name)
 
             # Parse the assume role policy document if it's a string, otherwise use it directly
             if isinstance(role['AssumeRolePolicyDocument'], str):
@@ -210,8 +212,11 @@ class IAMHandler:
                     permissions_added={},
                 )
 
+            # Get IAM client
+            iam_client = AwsHelper.create_boto3_client('iam')
+
             # Create the inline policy
-            return self._create_inline_policy(ctx, role_name, policy_name, permissions)
+            return self._create_inline_policy(ctx, iam_client, role_name, policy_name, permissions)
 
         except Exception as e:
             error_message = f'Failed to create inline policy: {str(e)}'
@@ -226,27 +231,28 @@ class IAMHandler:
                 permissions_added={},
             )
 
-    def _get_managed_policies(self, ctx, role_name):
+    def _get_managed_policies(self, ctx, iam_client, role_name):
         """Get managed policies attached to a role.
 
         Args:
             ctx: The MCP context
+            iam_client: IAM client to use
             role_name: Name of the IAM role
 
         Returns:
             List of PolicySummary objects
         """
         managed_policies = []
-        managed_policies_response = self.iam_client.list_attached_role_policies(RoleName=role_name)
+        managed_policies_response = iam_client.list_attached_role_policies(RoleName=role_name)
 
         for policy in managed_policies_response.get('AttachedPolicies', []):
             policy_arn = policy['PolicyArn']
-            policy_details = self.iam_client.get_policy(PolicyArn=policy_arn)['Policy']
+            policy_details = iam_client.get_policy(PolicyArn=policy_arn)['Policy']
 
             # Get the policy version details to get the policy document
             policy_version = None
             try:
-                policy_version_response = self.iam_client.get_policy_version(
+                policy_version_response = iam_client.get_policy_version(
                     PolicyArn=policy_arn, VersionId=policy_details.get('DefaultVersionId', 'v1')
                 )
                 policy_version = policy_version_response.get('PolicyVersion', {})
@@ -265,21 +271,22 @@ class IAMHandler:
 
         return managed_policies
 
-    def _get_inline_policies(self, ctx, role_name):
+    def _get_inline_policies(self, ctx, iam_client, role_name):
         """Get inline policies embedded in a role.
 
         Args:
             ctx: The MCP context
+            iam_client: IAM client to use
             role_name: Name of the IAM role
 
         Returns:
             List of PolicySummary objects
         """
         inline_policies = []
-        inline_policies_response = self.iam_client.list_role_policies(RoleName=role_name)
+        inline_policies_response = iam_client.list_role_policies(RoleName=role_name)
 
         for policy_name in inline_policies_response.get('PolicyNames', []):
-            policy_response = self.iam_client.get_role_policy(
+            policy_response = iam_client.get_role_policy(
                 RoleName=role_name, PolicyName=policy_name
             )
 
@@ -293,11 +300,12 @@ class IAMHandler:
 
         return inline_policies
 
-    def _create_inline_policy(self, ctx, role_name, policy_name, permissions):
+    def _create_inline_policy(self, ctx, iam_client, role_name, policy_name, permissions):
         """Create a new inline policy with the specified permissions.
 
         Args:
             ctx: The MCP context
+            iam_client: IAM client to use
             role_name: Name of the role
             policy_name: Name of the new policy to create
             permissions: Permissions to include in the policy
@@ -313,7 +321,7 @@ class IAMHandler:
 
         # Check if the policy already exists
         try:
-            self.iam_client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
+            iam_client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
             # If we get here, the policy exists
             error_message = f'Policy {policy_name} already exists in role {role_name}. Cannot modify existing policies.'
             log_with_request_id(ctx, LogLevel.ERROR, error_message)
@@ -324,7 +332,7 @@ class IAMHandler:
                 role_name=role_name,
                 permissions_added={},
             )
-        except self.iam_client.exceptions.NoSuchEntityException:
+        except iam_client.exceptions.NoSuchEntityException:
             # Policy doesn't exist, we can create it
             pass
 
@@ -335,7 +343,7 @@ class IAMHandler:
         self._add_permissions_to_document(policy_document, permissions)
 
         # Create the policy
-        self.iam_client.put_role_policy(
+        iam_client.put_role_policy(
             RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy_document)
         )
 

awslabs/eks_mcp_server/k8s_client_cache.py

@@ -55,24 +55,17 @@ class K8sClientCache:
         # Client cache with TTL to handle token expiration
         self._client_cache = TTLCache(maxsize=100, ttl=TOKEN_TTL)
 
-        # Clients for credential retrieval
-        self._eks_client = None
-        self._sts_client = None
+        # Flag to track if STS event handlers have been registered
+        self._sts_event_handlers_registered = False
 
         self._initialized = True
 
-    def _get_eks_client(self):
-        """Get or create the EKS client."""
-        if self._eks_client is None:
-            self._eks_client = AwsHelper.create_boto3_client('eks')
-        return self._eks_client
-
     def _get_sts_client(self):
-        """Get or create the STS client with event handlers registered."""
-        if self._sts_client is None:
-            sts_client = AwsHelper.create_boto3_client('sts')
+        """Get the STS client with event handlers registered."""
+        sts_client = AwsHelper.create_boto3_client('sts')
 
-            # Register STS event handlers
+        # Register STS event handlers only once
+        if not self._sts_event_handlers_registered:
             sts_client.meta.events.register(
                 'provide-client-params.sts.GetCallerIdentity',
                 self._retrieve_k8s_aws_id,
@@ -81,10 +74,9 @@ class K8sClientCache:
                 'before-sign.sts.GetCallerIdentity',
                 self._inject_k8s_aws_id_header,
             )
+            self._sts_event_handlers_registered = True
 
-            self._sts_client = sts_client
-
-        return self._sts_client
+        return sts_client
 
     def _retrieve_k8s_aws_id(self, params, context, **kwargs):
         """Retrieve the Kubernetes AWS ID from parameters."""
@@ -109,7 +101,7 @@ class K8sClientCache:
             ValueError: If the cluster credentials are invalid
             Exception: If there's an error getting the cluster credentials
         """
-        eks_client = self._get_eks_client()
+        eks_client = AwsHelper.create_boto3_client('eks')
         sts_client = self._get_sts_client()
 
         # Get cluster details

{awslabs_eks_mcp_server-0.1.4.dist-info → awslabs_eks_mcp_server-0.1.5.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: awslabs.eks-mcp-server
-Version: 0.1.4
+Version: 0.1.5
 Summary: An AWS Labs Model Context Protocol (MCP) server for EKS
 Project-URL: homepage, https://awslabs.github.io/mcp/
 Project-URL: docs, https://awslabs.github.io/mcp/servers/eks-mcp-server/
@@ -128,7 +128,7 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 
 1. Open Cursor.
 2. Click the gear icon (⚙️) in the top right to open the settings panel, click **MCP**, **Add new global MCP server**.
-3. Paste your MCP server definition. For example, this example shows how to configure the EKS MCP Server, including enabling mutating actions by adding the `--allow-write` flag to the server arguments:
+3. Paste your MCP server definition. For example, this example shows how to configure the EKS MCP Server, including enabling mutating actions with the `--allow-write` flag and access to sensitive data with the `--allow-sensitive-data-access` flag (see the Arguments section for more details):
 
    **For Mac/Linux:**
 
@@ -141,7 +141,8 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	      "command": "uvx",
 	      "args": [
 	        "awslabs.eks-mcp-server@latest",
-	        "--allow-write"
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
 	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
@@ -165,7 +166,8 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	        "--from",
 	        "awslabs.eks-mcp-server@latest",
 	        "awslabs.eks-mcp-server.exe",
-	        "--allow-write"
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
 	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
@@ -183,7 +185,9 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 **Set up the Amazon Q Developer CLI**
 
 1. Install the [Amazon Q Developer CLI](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-installing.html) .
-2. The Q Developer CLI supports MCP servers for tools and prompts out-of-the-box. Edit your Q developer CLI's MCP configuration file named mcp.json following [these instructions](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-mcp-configuration.html). For example:
+2. The Q Developer CLI supports MCP servers for tools and prompts out-of-the-box. Edit your Q developer CLI's MCP configuration file named mcp.json following [these instructions](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-mcp-configuration.html).
+
+The example below includes both the `--allow-write` flag for mutating operations and the `--allow-sensitive-data-access` flag for accessing logs and events (see the Arguments section for more details):
 
    **For Mac/Linux:**
 
@@ -192,7 +196,11 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	  "mcpServers": {
 	    "awslabs.eks-mcp-server": {
 	      "command": "uvx",
-	      "args": ["awslabs.eks-mcp-server@latest"],
+	      "args": [
+	        "awslabs.eks-mcp-server@latest",
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
+	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
 	      },
@@ -210,7 +218,13 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	  "mcpServers": {
 	    "awslabs.eks-mcp-server": {
 	      "command": "uvx",
-	      "args": ["--from", "awslabs.eks-mcp-server@latest", "awslabs.eks-mcp-server.exe"],
+	      "args": [
+	        "--from",
+	        "awslabs.eks-mcp-server@latest",
+	        "awslabs.eks-mcp-server.exe",
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
+	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
 	      },
@@ -294,7 +308,7 @@ Enables write access mode, which allows mutating operations (e.g., create, updat
 
 #### `--allow-sensitive-data-access` (optional)
 
-Enables access to sensitive data such as logs, events, and Kubernetes Secrets.
+Enables access to sensitive data such as logs, events, and Kubernetes Secrets. This flag is required for tools that access potentially sensitive information, such as get_pod_logs, get_k8s_events, get_cloudwatch_logs, and manage_k8s_resource (when used to read Kubernetes secrets).
 
 * Default: false (Access to sensitive data is restricted by default)
 * Example: Add `--allow-sensitive-data-access` to the `args` list in your MCP server definition.

{awslabs_eks_mcp_server-0.1.4.dist-info → awslabs_eks_mcp_server-0.1.5.dist-info}/RECORD

@@ -1,14 +1,14 @@
 awslabs/__init__.py,sha256=WuqxdDgUZylWNmVoPKiK7qGsTB_G4UmuXIrJ-VBwDew,731
 awslabs/eks_mcp_server/__init__.py,sha256=ghJqbcPKp3-jM8LmEQzU_KRSbVm6yKQFg7C0ZwxAdeA,668
-awslabs/eks_mcp_server/aws_helper.py,sha256=uiH-CSJPo_L903EzmV8HZB6xg_F4Jm_-BmJk_3AAH4g,2850
+awslabs/eks_mcp_server/aws_helper.py,sha256=Is0BCVPjhO-AqKFF0MnGpzNRjAe8E896VGrKWCz4gfo,4031
 awslabs/eks_mcp_server/cloudwatch_handler.py,sha256=k3GsORIFswOknxYM0reCBsCHXn--gSwl7WVtxkUTyzg,28853
 awslabs/eks_mcp_server/cloudwatch_metrics_guidance_handler.py,sha256=b0fFMvsGX98HKK4kVFI1YbhZqZC623lZ6TNXs3EiRSI,5283
 awslabs/eks_mcp_server/consts.py,sha256=XBat-KcMckueQQpDeLkD_Nv_9G9kX0_d48sMEHtZ5HQ,1380
 awslabs/eks_mcp_server/eks_kb_handler.py,sha256=6L3wS500AadKburhwf0zXEapXscd4VZCTY8t61u-j1Y,3548
 awslabs/eks_mcp_server/eks_stack_handler.py,sha256=gbZizqaumsAz5x-fLM-VJlmUCzTp7TwtbOGn8u6_omc,29721
-awslabs/eks_mcp_server/iam_handler.py,sha256=t2QIJVP61lAVTiTB9VCko9RDXjAtz8nuXr_MRdKG9pw,14586
+awslabs/eks_mcp_server/iam_handler.py,sha256=2mmyPyPLoIgIhA9y1QlpK3BamI3d0Xg6arKrWZutAvE,14860
 awslabs/eks_mcp_server/k8s_apis.py,sha256=YRx29w-7n3LX3DsniPgULuxNx_6Mkw-Jzh-PGetZDag,20448
-awslabs/eks_mcp_server/k8s_client_cache.py,sha256=Nh8V6IXvWltQwiBhFk8KgDUggmf9dqQ-sR3kENBnecM,5871
+awslabs/eks_mcp_server/k8s_client_cache.py,sha256=vm-8VKC3zaCqpW9pOUmRDFulxzYCX8p8OvyOgtvh96o,5697
 awslabs/eks_mcp_server/k8s_handler.py,sha256=vA08ONRDky7S5hINif8hxe_Y1KAArQDzOao1YLf4Uck,49447
 awslabs/eks_mcp_server/logging_helper.py,sha256=hr8xZhAZOKyR7dkwc7bhqkDVuSDI3BRK3-UzllQkWgE,1854
 awslabs/eks_mcp_server/models.py,sha256=UtMmZaRJNjV8I9A8jCD9vzU66tXYOLna8RzaMNQPddE,11930
@@ -18,9 +18,9 @@ awslabs/eks_mcp_server/scripts/update_eks_cloudwatch_metrics_guidance.py,sha256=
 awslabs/eks_mcp_server/templates/eks-templates/eks-with-vpc.yaml,sha256=_Lxk2MEXNA7N0-kvXckxwBamDEagjGvC6-Z5uxhVO5s,10774
 awslabs/eks_mcp_server/templates/k8s-templates/deployment.yaml,sha256=J2efYFISlT3sTvf8_BJV3p0_m51cltqiRhXdBXb9YJs,2343
 awslabs/eks_mcp_server/templates/k8s-templates/service.yaml,sha256=DA0Db_5yjUZmnnYy5Bljcv3hj7D6YvFFWFRB6GiIstY,414
-awslabs_eks_mcp_server-0.1.4.dist-info/METADATA,sha256=E8OHB-NvW_u6p-z4eHytjP5k3fBlPv0HZGIhdp3_1mk,29163
-awslabs_eks_mcp_server-0.1.4.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-awslabs_eks_mcp_server-0.1.4.dist-info/entry_points.txt,sha256=VydotfOJYck8o4TPsaF6Pjmc8Bp_doacYXSE_71qH4c,78
-awslabs_eks_mcp_server-0.1.4.dist-info/licenses/LICENSE,sha256=CeipvOyAZxBGUsFoaFqwkx54aPnIKEtm9a5u2uXxEws,10142
-awslabs_eks_mcp_server-0.1.4.dist-info/licenses/NOTICE,sha256=gnCtD34qTDnb2Lykm9kNFYkqZIvqJHGuq1ZJBkl6EgE,90
-awslabs_eks_mcp_server-0.1.4.dist-info/RECORD,,
+awslabs_eks_mcp_server-0.1.5.dist-info/METADATA,sha256=jRaI-c8WKjao0_9Kc5VPposShIpBMxtOuS6XJrOqOnA,29920
+awslabs_eks_mcp_server-0.1.5.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+awslabs_eks_mcp_server-0.1.5.dist-info/entry_points.txt,sha256=VydotfOJYck8o4TPsaF6Pjmc8Bp_doacYXSE_71qH4c,78
+awslabs_eks_mcp_server-0.1.5.dist-info/licenses/LICENSE,sha256=CeipvOyAZxBGUsFoaFqwkx54aPnIKEtm9a5u2uXxEws,10142
+awslabs_eks_mcp_server-0.1.5.dist-info/licenses/NOTICE,sha256=gnCtD34qTDnb2Lykm9kNFYkqZIvqJHGuq1ZJBkl6EgE,90
+awslabs_eks_mcp_server-0.1.5.dist-info/RECORD,,