awslabs.eks-mcp-server 0.1.4__tar.gz → 0.1.5__tar.gz

{awslabs_eks_mcp_server-0.1.4 → awslabs_eks_mcp_server-0.1.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: awslabs.eks-mcp-server
-Version: 0.1.4
+Version: 0.1.5
 Summary: An AWS Labs Model Context Protocol (MCP) server for EKS
 Project-URL: homepage, https://awslabs.github.io/mcp/
 Project-URL: docs, https://awslabs.github.io/mcp/servers/eks-mcp-server/
@@ -128,7 +128,7 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 
 1. Open Cursor.
 2. Click the gear icon (⚙️) in the top right to open the settings panel, click **MCP**, **Add new global MCP server**.
-3. Paste your MCP server definition. For example, this example shows how to configure the EKS MCP Server, including enabling mutating actions by adding the `--allow-write` flag to the server arguments:
+3. Paste your MCP server definition. For example, this example shows how to configure the EKS MCP Server, including enabling mutating actions with the `--allow-write` flag and access to sensitive data with the `--allow-sensitive-data-access` flag (see the Arguments section for more details):
 
    **For Mac/Linux:**
 
@@ -141,7 +141,8 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	      "command": "uvx",
 	      "args": [
 	        "awslabs.eks-mcp-server@latest",
-	        "--allow-write"
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
 	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
@@ -165,7 +166,8 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	        "--from",
 	        "awslabs.eks-mcp-server@latest",
 	        "awslabs.eks-mcp-server.exe",
-	        "--allow-write"
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
 	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
@@ -183,7 +185,9 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 **Set up the Amazon Q Developer CLI**
 
 1. Install the [Amazon Q Developer CLI](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-installing.html) .
-2. The Q Developer CLI supports MCP servers for tools and prompts out-of-the-box. Edit your Q developer CLI's MCP configuration file named mcp.json following [these instructions](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-mcp-configuration.html). For example:
+2. The Q Developer CLI supports MCP servers for tools and prompts out-of-the-box. Edit your Q developer CLI's MCP configuration file named mcp.json following [these instructions](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-mcp-configuration.html).
+
+The example below includes both the `--allow-write` flag for mutating operations and the `--allow-sensitive-data-access` flag for accessing logs and events (see the Arguments section for more details):
 
    **For Mac/Linux:**
 
@@ -192,7 +196,11 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	  "mcpServers": {
 	    "awslabs.eks-mcp-server": {
 	      "command": "uvx",
-	      "args": ["awslabs.eks-mcp-server@latest"],
+	      "args": [
+	        "awslabs.eks-mcp-server@latest",
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
+	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
 	      },
@@ -210,7 +218,13 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	  "mcpServers": {
 	    "awslabs.eks-mcp-server": {
 	      "command": "uvx",
-	      "args": ["--from", "awslabs.eks-mcp-server@latest", "awslabs.eks-mcp-server.exe"],
+	      "args": [
+	        "--from",
+	        "awslabs.eks-mcp-server@latest",
+	        "awslabs.eks-mcp-server.exe",
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
+	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
 	      },
@@ -294,7 +308,7 @@ Enables write access mode, which allows mutating operations (e.g., create, updat
 
 #### `--allow-sensitive-data-access` (optional)
 
-Enables access to sensitive data such as logs, events, and Kubernetes Secrets.
+Enables access to sensitive data such as logs, events, and Kubernetes Secrets. This flag is required for tools that access potentially sensitive information, such as get_pod_logs, get_k8s_events, get_cloudwatch_logs, and manage_k8s_resource (when used to read Kubernetes secrets).
 
 * Default: false (Access to sensitive data is restricted by default)
 * Example: Add `--allow-sensitive-data-access` to the `args` list in your MCP server definition.

{awslabs_eks_mcp_server-0.1.4 → awslabs_eks_mcp_server-0.1.5}/README.md

@@ -94,7 +94,7 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 
 1. Open Cursor.
 2. Click the gear icon (⚙️) in the top right to open the settings panel, click **MCP**, **Add new global MCP server**.
-3. Paste your MCP server definition. For example, this example shows how to configure the EKS MCP Server, including enabling mutating actions by adding the `--allow-write` flag to the server arguments:
+3. Paste your MCP server definition. For example, this example shows how to configure the EKS MCP Server, including enabling mutating actions with the `--allow-write` flag and access to sensitive data with the `--allow-sensitive-data-access` flag (see the Arguments section for more details):
 
    **For Mac/Linux:**
 
@@ -107,7 +107,8 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	      "command": "uvx",
 	      "args": [
 	        "awslabs.eks-mcp-server@latest",
-	        "--allow-write"
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
 	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
@@ -131,7 +132,8 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	        "--from",
 	        "awslabs.eks-mcp-server@latest",
 	        "awslabs.eks-mcp-server.exe",
-	        "--allow-write"
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
 	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
@@ -149,7 +151,9 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 **Set up the Amazon Q Developer CLI**
 
 1. Install the [Amazon Q Developer CLI](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-installing.html) .
-2. The Q Developer CLI supports MCP servers for tools and prompts out-of-the-box. Edit your Q developer CLI's MCP configuration file named mcp.json following [these instructions](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-mcp-configuration.html). For example:
+2. The Q Developer CLI supports MCP servers for tools and prompts out-of-the-box. Edit your Q developer CLI's MCP configuration file named mcp.json following [these instructions](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-mcp-configuration.html).
+
+The example below includes both the `--allow-write` flag for mutating operations and the `--allow-sensitive-data-access` flag for accessing logs and events (see the Arguments section for more details):
 
    **For Mac/Linux:**
 
@@ -158,7 +162,11 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	  "mcpServers": {
 	    "awslabs.eks-mcp-server": {
 	      "command": "uvx",
-	      "args": ["awslabs.eks-mcp-server@latest"],
+	      "args": [
+	        "awslabs.eks-mcp-server@latest",
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
+	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
 	      },
@@ -176,7 +184,13 @@ This quickstart guide walks you through the steps to configure the Amazon EKS MC
 	  "mcpServers": {
 	    "awslabs.eks-mcp-server": {
 	      "command": "uvx",
-	      "args": ["--from", "awslabs.eks-mcp-server@latest", "awslabs.eks-mcp-server.exe"],
+	      "args": [
+	        "--from",
+	        "awslabs.eks-mcp-server@latest",
+	        "awslabs.eks-mcp-server.exe",
+	        "--allow-write",
+	        "--allow-sensitive-data-access"
+	      ],
 	      "env": {
 	        "FASTMCP_LOG_LEVEL": "ERROR"
 	      },
@@ -260,7 +274,7 @@ Enables write access mode, which allows mutating operations (e.g., create, updat
 
 #### `--allow-sensitive-data-access` (optional)
 
-Enables access to sensitive data such as logs, events, and Kubernetes Secrets.
+Enables access to sensitive data such as logs, events, and Kubernetes Secrets. This flag is required for tools that access potentially sensitive information, such as get_pod_logs, get_k8s_events, get_cloudwatch_logs, and manage_k8s_resource (when used to read Kubernetes secrets).
 
 * Default: false (Access to sensitive data is restricted by default)
 * Example: Add `--allow-sensitive-data-access` to the `args` list in your MCP server definition.

awslabs_eks_mcp_server-0.1.5/awslabs/eks_mcp_server/aws_helper.py

@@ -0,0 +1,108 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""AWS helper for the EKS MCP Server."""
+
+import boto3
+import os
+from awslabs.eks_mcp_server import __version__
+from botocore.config import Config
+from loguru import logger
+from typing import Any, Dict, Optional
+
+
+class AwsHelper:
+    """Helper class for AWS operations.
+
+    This class provides utility methods for interacting with AWS services,
+    including region and profile management and client creation.
+
+    This class implements a singleton pattern with a client cache to avoid
+    creating multiple clients for the same service.
+    """
+
+    # Singleton instance
+    _instance = None
+
+    # Client cache with AWS service name as key
+    _client_cache: Dict[str, Any] = {}
+
+    @staticmethod
+    def get_aws_region() -> Optional[str]:
+        """Get the AWS region from the environment if set."""
+        return os.environ.get('AWS_REGION')
+
+    @staticmethod
+    def get_aws_profile() -> Optional[str]:
+        """Get the AWS profile from the environment if set."""
+        return os.environ.get('AWS_PROFILE')
+
+    @classmethod
+    def create_boto3_client(cls, service_name: str, region_name: Optional[str] = None) -> Any:
+        """Create or retrieve a cached boto3 client with the appropriate profile and region.
+
+        The client is configured with a custom user agent suffix 'awslabs/mcp/eks-mcp-server/{version}'
+        to identify API calls made by the EKS MCP Server. Clients are cached to improve performance
+        and reduce resource usage.
+
+        Args:
+            service_name: The AWS service name (e.g., 'ec2', 's3', 'eks')
+            region_name: Optional region name override
+
+        Returns:
+            A boto3 client for the specified service
+
+        Raises:
+            Exception: If there's an error creating the client
+        """
+        try:
+            # Get region from parameter or environment if set
+            region: Optional[str] = (
+                region_name if region_name is not None else cls.get_aws_region()
+            )
+
+            # Get profile from environment if set
+            profile = cls.get_aws_profile()
+
+            # Use service name as the cache key
+            cache_key = service_name
+
+            # Check if client is already in cache
+            if cache_key in cls._client_cache:
+                logger.info(f'Using cached boto3 client for {service_name}')
+                return cls._client_cache[cache_key]
+
+            # Create config with user agent suffix
+            config = Config(user_agent_extra=f'awslabs/mcp/eks-mcp-server/{__version__}')
+
+            # Create session with profile if specified
+            if profile:
+                session = boto3.Session(profile_name=profile)
+                if region is not None:
+                    client = session.client(service_name, region_name=region, config=config)
+                else:
+                    client = session.client(service_name, config=config)
+            else:
+                if region is not None:
+                    client = boto3.client(service_name, region_name=region, config=config)
+                else:
+                    client = boto3.client(service_name, config=config)
+
+            # Cache the client
+            cls._client_cache[cache_key] = client
+
+            return client
+        except Exception as e:
+            # Re-raise with more context
+            raise Exception(f'Failed to create boto3 client for {service_name}: {str(e)}')

{awslabs_eks_mcp_server-0.1.4 → awslabs_eks_mcp_server-0.1.5}/awslabs/eks_mcp_server/iam_handler.py

@@ -44,7 +44,6 @@ class IAMHandler:
             allow_write: Whether to enable write access (default: False)
         """
         self.mcp = mcp
-        self.iam_client = AwsHelper.create_boto3_client('iam')
         self.allow_write = allow_write
 
         # Register tools
@@ -94,15 +93,18 @@ class IAMHandler:
         try:
             log_with_request_id(ctx, LogLevel.INFO, f'Describing IAM role: {role_name}')
 
+            # Get IAM client
+            iam_client = AwsHelper.create_boto3_client('iam')
+
             # Get role details
-            role_response = self.iam_client.get_role(RoleName=role_name)
+            role_response = iam_client.get_role(RoleName=role_name)
             role = role_response['Role']
 
             # Get attached managed policies
-            managed_policies = self._get_managed_policies(ctx, role_name)
+            managed_policies = self._get_managed_policies(ctx, iam_client, role_name)
 
             # Get inline policies
-            inline_policies = self._get_inline_policies(ctx, role_name)
+            inline_policies = self._get_inline_policies(ctx, iam_client, role_name)
 
             # Parse the assume role policy document if it's a string, otherwise use it directly
             if isinstance(role['AssumeRolePolicyDocument'], str):
@@ -210,8 +212,11 @@ class IAMHandler:
                     permissions_added={},
                 )
 
+            # Get IAM client
+            iam_client = AwsHelper.create_boto3_client('iam')
+
             # Create the inline policy
-            return self._create_inline_policy(ctx, role_name, policy_name, permissions)
+            return self._create_inline_policy(ctx, iam_client, role_name, policy_name, permissions)
 
         except Exception as e:
             error_message = f'Failed to create inline policy: {str(e)}'
@@ -226,27 +231,28 @@ class IAMHandler:
                 permissions_added={},
             )
 
-    def _get_managed_policies(self, ctx, role_name):
+    def _get_managed_policies(self, ctx, iam_client, role_name):
         """Get managed policies attached to a role.
 
         Args:
             ctx: The MCP context
+            iam_client: IAM client to use
             role_name: Name of the IAM role
 
         Returns:
             List of PolicySummary objects
         """
         managed_policies = []
-        managed_policies_response = self.iam_client.list_attached_role_policies(RoleName=role_name)
+        managed_policies_response = iam_client.list_attached_role_policies(RoleName=role_name)
 
         for policy in managed_policies_response.get('AttachedPolicies', []):
             policy_arn = policy['PolicyArn']
-            policy_details = self.iam_client.get_policy(PolicyArn=policy_arn)['Policy']
+            policy_details = iam_client.get_policy(PolicyArn=policy_arn)['Policy']
 
             # Get the policy version details to get the policy document
             policy_version = None
             try:
-                policy_version_response = self.iam_client.get_policy_version(
+                policy_version_response = iam_client.get_policy_version(
                     PolicyArn=policy_arn, VersionId=policy_details.get('DefaultVersionId', 'v1')
                 )
                 policy_version = policy_version_response.get('PolicyVersion', {})
@@ -265,21 +271,22 @@ class IAMHandler:
 
         return managed_policies
 
-    def _get_inline_policies(self, ctx, role_name):
+    def _get_inline_policies(self, ctx, iam_client, role_name):
         """Get inline policies embedded in a role.
 
         Args:
             ctx: The MCP context
+            iam_client: IAM client to use
             role_name: Name of the IAM role
 
         Returns:
             List of PolicySummary objects
         """
         inline_policies = []
-        inline_policies_response = self.iam_client.list_role_policies(RoleName=role_name)
+        inline_policies_response = iam_client.list_role_policies(RoleName=role_name)
 
         for policy_name in inline_policies_response.get('PolicyNames', []):
-            policy_response = self.iam_client.get_role_policy(
+            policy_response = iam_client.get_role_policy(
                 RoleName=role_name, PolicyName=policy_name
             )
 
@@ -293,11 +300,12 @@ class IAMHandler:
 
         return inline_policies
 
-    def _create_inline_policy(self, ctx, role_name, policy_name, permissions):
+    def _create_inline_policy(self, ctx, iam_client, role_name, policy_name, permissions):
         """Create a new inline policy with the specified permissions.
 
         Args:
             ctx: The MCP context
+            iam_client: IAM client to use
             role_name: Name of the role
             policy_name: Name of the new policy to create
             permissions: Permissions to include in the policy
@@ -313,7 +321,7 @@ class IAMHandler:
 
         # Check if the policy already exists
         try:
-            self.iam_client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
+            iam_client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
             # If we get here, the policy exists
             error_message = f'Policy {policy_name} already exists in role {role_name}. Cannot modify existing policies.'
             log_with_request_id(ctx, LogLevel.ERROR, error_message)
@@ -324,7 +332,7 @@ class IAMHandler:
                 role_name=role_name,
                 permissions_added={},
             )
-        except self.iam_client.exceptions.NoSuchEntityException:
+        except iam_client.exceptions.NoSuchEntityException:
             # Policy doesn't exist, we can create it
             pass
 
@@ -335,7 +343,7 @@ class IAMHandler:
         self._add_permissions_to_document(policy_document, permissions)
 
         # Create the policy
-        self.iam_client.put_role_policy(
+        iam_client.put_role_policy(
             RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy_document)
         )
 

{awslabs_eks_mcp_server-0.1.4 → awslabs_eks_mcp_server-0.1.5}/awslabs/eks_mcp_server/k8s_client_cache.py

@@ -55,24 +55,17 @@ class K8sClientCache:
         # Client cache with TTL to handle token expiration
         self._client_cache = TTLCache(maxsize=100, ttl=TOKEN_TTL)
 
-        # Clients for credential retrieval
-        self._eks_client = None
-        self._sts_client = None
+        # Flag to track if STS event handlers have been registered
+        self._sts_event_handlers_registered = False
 
         self._initialized = True
 
-    def _get_eks_client(self):
-        """Get or create the EKS client."""
-        if self._eks_client is None:
-            self._eks_client = AwsHelper.create_boto3_client('eks')
-        return self._eks_client
-
     def _get_sts_client(self):
-        """Get or create the STS client with event handlers registered."""
-        if self._sts_client is None:
-            sts_client = AwsHelper.create_boto3_client('sts')
+        """Get the STS client with event handlers registered."""
+        sts_client = AwsHelper.create_boto3_client('sts')
 
-            # Register STS event handlers
+        # Register STS event handlers only once
+        if not self._sts_event_handlers_registered:
             sts_client.meta.events.register(
                 'provide-client-params.sts.GetCallerIdentity',
                 self._retrieve_k8s_aws_id,
@@ -81,10 +74,9 @@ class K8sClientCache:
                 'before-sign.sts.GetCallerIdentity',
                 self._inject_k8s_aws_id_header,
             )
+            self._sts_event_handlers_registered = True
 
-            self._sts_client = sts_client
-
-        return self._sts_client
+        return sts_client
 
     def _retrieve_k8s_aws_id(self, params, context, **kwargs):
         """Retrieve the Kubernetes AWS ID from parameters."""
@@ -109,7 +101,7 @@ class K8sClientCache:
             ValueError: If the cluster credentials are invalid
             Exception: If there's an error getting the cluster credentials
         """
-        eks_client = self._get_eks_client()
+        eks_client = AwsHelper.create_boto3_client('eks')
         sts_client = self._get_sts_client()
 
         # Get cluster details

{awslabs_eks_mcp_server-0.1.4 → awslabs_eks_mcp_server-0.1.5}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "awslabs.eks-mcp-server"
-version = "0.1.4"
+version = "0.1.5"
 description = "An AWS Labs Model Context Protocol (MCP) server for EKS"
 readme = "README.md"
 requires-python = ">=3.10"

{awslabs_eks_mcp_server-0.1.4 → awslabs_eks_mcp_server-0.1.5}/tests/test_aws_helper.py

@@ -23,6 +23,11 @@ from unittest.mock import ANY, MagicMock, patch
 class TestAwsHelper:
     """Tests for the AwsHelper class."""
 
+    def setup_method(self):
+        """Set up the test environment."""
+        # Clear the client cache before each test
+        AwsHelper._client_cache = {}
+
     @patch.dict(os.environ, {'AWS_REGION': 'us-west-2'})
     def test_get_aws_region_from_env(self):
         """Test that get_aws_region returns the region from the environment."""
@@ -151,3 +156,107 @@ class TestAwsHelper:
                     assert config is not None
                     expected_user_agent = f'awslabs/mcp/eks-mcp-server/{__version__}'
                     assert config.user_agent_extra == expected_user_agent
+
+    @patch('boto3.client')
+    def test_client_caching(self, mock_boto3_client):
+        """Test that clients are cached and reused."""
+        # Create a mock client
+        mock_client = MagicMock()
+        mock_boto3_client.return_value = mock_client
+
+        # Mock the get_aws_profile and get_aws_region methods
+        with patch.object(AwsHelper, 'get_aws_profile', return_value=None):
+            with patch.object(AwsHelper, 'get_aws_region', return_value='us-west-2'):
+                # Call create_boto3_client twice with the same parameters
+                client1 = AwsHelper.create_boto3_client('cloudformation')
+                client2 = AwsHelper.create_boto3_client('cloudformation')
+
+                # Verify that boto3.client was called only once
+                mock_boto3_client.assert_called_once()
+
+                # Verify that the same client instance was returned both times
+                assert client1 is client2
+
+    @patch('boto3.client')
+    def test_different_services_not_cached_together(self, mock_boto3_client):
+        """Test that different services get different cached clients."""
+        # Create mock clients
+        mock_cf_client = MagicMock()
+        mock_s3_client = MagicMock()
+        mock_boto3_client.side_effect = [mock_cf_client, mock_s3_client]
+
+        # Mock the get_aws_profile and get_aws_region methods
+        with patch.object(AwsHelper, 'get_aws_profile', return_value=None):
+            with patch.object(AwsHelper, 'get_aws_region', return_value='us-west-2'):
+                # Call create_boto3_client for different services
+                cf_client = AwsHelper.create_boto3_client('cloudformation')
+                s3_client = AwsHelper.create_boto3_client('s3')
+
+                # Verify that boto3.client was called twice
+                assert mock_boto3_client.call_count == 2
+
+                # Verify that different client instances were returned
+                assert cf_client is not s3_client
+
+    @patch('boto3.client')
+    def test_same_service_different_regions_cached_together(self, mock_boto3_client):
+        """Test that clients for the same service are cached together regardless of region."""
+        # Create mock client
+        mock_client = MagicMock()
+        mock_boto3_client.return_value = mock_client
+
+        # Mock the get_aws_profile method
+        with patch.object(AwsHelper, 'get_aws_profile', return_value=None):
+            # Call create_boto3_client for different regions
+            us_west_client = AwsHelper.create_boto3_client(
+                'cloudformation', region_name='us-west-2'
+            )
+            eu_west_client = AwsHelper.create_boto3_client(
+                'cloudformation', region_name='eu-west-1'
+            )
+
+            # Verify that boto3.client was called only once
+            mock_boto3_client.assert_called_once()
+
+            # Verify that the same client instance was returned both times
+            assert us_west_client is eu_west_client
+
+    @patch('boto3.client')
+    def test_error_handling(self, mock_boto3_client):
+        """Test that errors during client creation are handled properly."""
+        # Make boto3.client raise an exception
+        mock_boto3_client.side_effect = Exception('Test error')
+
+        # Mock the get_aws_profile and get_aws_region methods
+        with patch.object(AwsHelper, 'get_aws_profile', return_value=None):
+            with patch.object(AwsHelper, 'get_aws_region', return_value=None):
+                # Verify that the exception is re-raised with more context
+                try:
+                    AwsHelper.create_boto3_client('cloudformation')
+                    assert False, 'Exception was not raised'
+                except Exception as e:
+                    assert 'Failed to create boto3 client for cloudformation: Test error' in str(e)
+
+    @patch('boto3.Session')
+    def test_same_service_different_profiles_cached_together(self, mock_boto3_session):
+        """Test that clients for the same service are cached together regardless of profile."""
+        # Create mock session and client
+        mock_session = MagicMock()
+        mock_client = MagicMock()
+        mock_session.client.return_value = mock_client
+        mock_boto3_session.return_value = mock_session
+
+        # Call create_boto3_client with different profiles
+        with patch.object(AwsHelper, 'get_aws_profile', return_value='profile1'):
+            with patch.object(AwsHelper, 'get_aws_region', return_value=None):
+                client1 = AwsHelper.create_boto3_client('cloudformation')
+
+        with patch.object(AwsHelper, 'get_aws_profile', return_value='profile2'):
+            with patch.object(AwsHelper, 'get_aws_region', return_value=None):
+                client2 = AwsHelper.create_boto3_client('cloudformation')
+
+        # Verify that boto3.Session was called only once
+        mock_boto3_session.assert_called_once()
+
+        # Verify that the same client instance was returned both times
+        assert client1 is client2