feat(aws): expand SES/STS/Secrets Manager tool coverage, fix API alignment gaps#5450
Conversation
…nment gaps - SES: add suppression list management, email identity CRUD, template update, configuration set creation, custom verification email (10 new tools); fix silent httpsPolicy drop in create_configuration_set and unvalidated suppression reason enum in list_suppressed_destinations - STS: add AssumeRoleWithWebIdentity and AssumeRoleWithSAML (unsigned, no static credentials required); extend assume_role with policyArns/tags/transitiveTagKeys session params - Secrets Manager: add describe_secret, tag_resource, untag_resource, restore_secret, rotate_secret; fix list_secrets dropping rotation/version metadata fields; normalize tool versions to 1.0.0 and alphabetize registry entries All 31 tools verified param-by-param against live AWS API docs across two independent audit passes.
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
PR SummaryHigh Risk Overview Secrets Manager adds describe (metadata without values), tag/untag, restore from scheduled delete, and rotate (schedule/Lambda options). List secrets now returns rotation rules, version-to-stage maps, and related dates that were previously dropped. SES adds template update, account suppression list management, email identity create/get/delete, configuration set creation, and custom verification email sends, with block UI fields and outputs wired for each. STS adds Assume Role With Web Identity and Assume Role With SAML (no static IAM keys on those paths via a placeholder-credentials client), and extends assume role with managed policy ARNs, session tags, and transitive tag keys. Validation fixes: SES create configuration set requires Reviewed by Cursor Bugbot for commit 6656103. Configure here. |
Greptile SummaryThis PR expands AWS tool coverage across SES, STS, and Secrets Manager by adding 17 new tools and fixing two real defects:
Confidence Score: 5/5Safe to merge — all 17 new tools follow established route/contract/utils patterns, the two fixed defects are correctly addressed, and no existing tool IDs or response fields were removed or renamed. Each new route validates inputs through a typed Zod contract before any AWS SDK call is made, sensitive tokens (SAML assertions, web identity tokens) are never logged, and the unauthenticated STS client pattern is technically sound for the two operations that AWS permits without a signed request. The list_secrets metadata fix and the suppression-reason enum guards are straightforward and correct. No files require special attention. Important Files Changed
Sequence Diagram%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant Client as Sim Client
participant Route as Route Handler
participant Contract as Zod Contract
participant Utils as AWS Utils
participant AWS as AWS Service
Client->>Route: POST assume-role-with-web-identity
Route->>Route: checkInternalAuth()
Route->>Contract: parseToolRequest()
Contract-->>Route: validated params or 400
Route->>Utils: createUnauthenticatedSTSClient(region)
Note over Utils: placeholder credentials to bypass default chain
Route->>Utils: assumeRoleWithWebIdentity(...)
Utils->>AWS: AssumeRoleWithWebIdentityCommand
Note over AWS: signature not verified by AWS for this op
AWS-->>Utils: Credentials + metadata
Utils-->>Route: accessKeyId, sessionToken, expiration
Route-->>Client: 200 JSON
Client->>Route: POST create-configuration-set
Route->>Contract: parseToolRequest()
Note over Contract: superRefine enforces httpsPolicy needs customRedirectDomain
Contract-->>Route: validated params or 400
Route->>Utils: createConfigurationSet(...)
Utils->>AWS: CreateConfigurationSetCommand
AWS-->>Utils: success
Route-->>Client: 200 JSON
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
participant Client as Sim Client
participant Route as Route Handler
participant Contract as Zod Contract
participant Utils as AWS Utils
participant AWS as AWS Service
Client->>Route: POST assume-role-with-web-identity
Route->>Route: checkInternalAuth()
Route->>Contract: parseToolRequest()
Contract-->>Route: validated params or 400
Route->>Utils: createUnauthenticatedSTSClient(region)
Note over Utils: placeholder credentials to bypass default chain
Route->>Utils: assumeRoleWithWebIdentity(...)
Utils->>AWS: AssumeRoleWithWebIdentityCommand
Note over AWS: signature not verified by AWS for this op
AWS-->>Utils: Credentials + metadata
Utils-->>Route: accessKeyId, sessionToken, expiration
Route-->>Client: 200 JSON
Client->>Route: POST create-configuration-set
Route->>Contract: parseToolRequest()
Note over Contract: superRefine enforces httpsPolicy needs customRedirectDomain
Contract-->>Route: validated params or 400
Route->>Utils: createConfigurationSet(...)
Utils->>AWS: CreateConfigurationSetCommand
AWS-->>Utils: success
Route-->>Client: 200 JSON
Reviews (7): Last reviewed commit: "fix(sts): supply placeholder credentials..." | Re-trigger Greptile |
…Manager rotation - ses_create_configuration_set: validate suppressedReasons against BOUNCE/COMPLAINT enum before calling AWS (was silently reaching AWS as a generic 500 for bad values); tags now a proper Zod array schema instead of a string with route-side JSON.parse - ses_create_email_identity: dkimSigningAttributes and tags now proper Zod object/array schemas instead of strings with route-side JSON.parse, matching the pattern used elsewhere (e.g. sts_assume_role tags, secrets_manager_tag_resource) - secrets_manager_rotate_secret: reject automaticallyAfterDays and scheduleExpression when both are supplied — AWS RotationRules accepts only one - sts createUnauthenticatedSTSClient: corrected a misleading comment claiming these calls are fully unsigned; the SDK still falls through its default credential provider chain
|
@greptile please re-review |
|
@cursor review |
The SES block declared the tags and dkimSigningAttributes block inputs as 'string' instead of 'json', so the generic block executor never parsed the JSON code-editor value before forwarding it — workflow runs sent a raw JSON string where the contract now expects a structured object/array, failing validation. Also corrected the corresponding tool param TypeScript types, which were still typed as string | null.
|
@greptile please re-review |
|
@cursor review |
…guration_set
Boolean('false') evaluates to true, so turning off the
reputationMetricsEnabled or sendingEnabled switch sent the opposite of
the user's choice to SES. Match the established === 'true' string
comparison pattern used elsewhere in the codebase.
|
@greptile please re-review |
|
@cursor review |
tags was declared as a 'json' block input, so the generic executor JSON.parse'd it before the switch-case handler ran — but that handler already converts the raw table-rows array (or a passthrough string) into the JSON string the sts_assume_role contract expects. Declaring it 'json' broke that conversion for non-string inputs. Reverted to 'string' so the handler's existing string/array disambiguation runs on the untouched raw value.
|
@greptile please re-review |
|
@cursor review |
createUnauthenticatedSTSClient omitted credentials entirely, so the SDK's signing middleware fell through the default credential provider chain and threw CredentialsProviderError before the request was sent in any environment with no ambient AWS identity — even though AssumeRoleWithWebIdentity/AssumeRoleWithSAML never check the signature. Static placeholder credentials skip that resolution without granting or requiring any real IAM identity.
|
@greptile please re-review |
|
@cursor review |
|
@greptile please re-review |
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 6656103. Configure here.
Summary
Type of Change
Testing
bunx tsc --noEmit,bun run lint,bun run check:api-validationall passChecklist