Merge pull request #35 from keycardai/feat/extra-eks-vars

Feat/extra eks vars

Author: kamil-keycard

docs/sdk/keycardai-mcp-server-auth-application_credentials.mdx

@@ -276,6 +276,13 @@ via initialization parameters or environment variables.
 The token is read fresh on each token exchange request, allowing for token rotation
 without requiring application restart.
 
+**Environment Variables:**
+
+When configured via `KEYCARD_APPLICATION_CREDENTIAL_TYPE="eks_workload_identity"`, the token file path is discovered from:
+1. `KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE` - Custom token file path (highest priority)
+2. `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` - AWS EKS default location
+3. `AWS_WEB_IDENTITY_TOKEN_FILE` - AWS fallback location
+
 
 **Methods:**
 

packages/mcp-fastmcp/README.md

@@ -406,7 +406,8 @@ export KEYCARD_CLIENT_SECRET="your_client_secret"
 ```bash
 # For EKS Workload Identity
 export KEYCARD_APPLICATION_CREDENTIAL_TYPE="eks_workload_identity"
-export AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE="/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
+# Optional: Custom token file path (defaults to AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE or AWS_WEB_IDENTITY_TOKEN_FILE)
+export KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE="/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
 
 # For Web Identity
 export KEYCARD_APPLICATION_CREDENTIAL_TYPE="web_identity"

packages/mcp-fastmcp/pyproject.toml

@@ -12,7 +12,7 @@ dependencies = [
     "httpx>=0.27.2",
     "keycardai-oauth>=0.5.0",
     "fastmcp==2.13.0",
-    "keycardai-mcp>=0.14.0",
+    "keycardai-mcp>=0.15.0",
 ]
 keywords = ["fastmcp", "mcp", "model-context-protocol", "oauth", "token-exchange", "authentication", "keycard"]
 classifiers = [

packages/mcp-fastmcp/src/keycardai/mcp/integrations/fastmcp/provider.py

@@ -330,7 +330,8 @@ def _discover_application_credential(self, application_credential: ApplicationCr
 
         application_credential_type = os.getenv("KEYCARD_APPLICATION_CREDENTIAL_TYPE")
         if application_credential_type == "eks_workload_identity":
-            return EKSWorkloadIdentity()
+            custom_token_file_path = os.getenv("KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE")
+            return EKSWorkloadIdentity(token_file_path=custom_token_file_path)
         elif application_credential_type == "web_identity":
             key_storage_dir = os.getenv("KEYCARD_WEB_IDENTITY_KEY_STORAGE_DIR")
             return WebIdentity(
@@ -343,8 +344,7 @@ def _discover_application_credential(self, application_credential: ApplicationCr
             )
 
         # detect workload identity from environment variables
-        workload_identity_token = os.getenv(EKSWorkloadIdentity.default_env_var_name)
-        if workload_identity_token:
+        if any(os.getenv(env_name) for env_name in EKSWorkloadIdentity.default_env_var_names):
             return EKSWorkloadIdentity()
 
         return None

packages/mcp/README.md

@@ -260,7 +260,8 @@ export KEYCARD_WEB_IDENTITY_KEY_STORAGE_DIR="./mcp_keys"  # Optional
 
 # Option C: EKS Workload Identity
 export KEYCARD_APPLICATION_CREDENTIAL_TYPE="eks_workload_identity"
-export AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE="/var/run/secrets/token"
+# Optional: Custom token file path (defaults to AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE or AWS_WEB_IDENTITY_TOKEN_FILE)
+export KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE="/var/run/secrets/token"
 ```
 
 With environment variables configured, create the `AuthProvider` without explicit credentials:
@@ -293,7 +294,9 @@ When multiple configuration methods are present, the SDK follows this precedence
 | `KEYCARD_CLIENT_SECRET` | OAuth client secret | `ClientSecret` | None |
 | `KEYCARD_APPLICATION_CREDENTIAL_TYPE` | Explicit credential type selection | All | None |
 | `KEYCARD_WEB_IDENTITY_KEY_STORAGE_DIR` | Directory for private key storage | `WebIdentity` | `"./mcp_keys"` |
-| `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` | Path to EKS token file | `EKSWorkloadIdentity` | None |
+| `KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE` | Custom path to EKS token file | `EKSWorkloadIdentity` | None |
+| `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` | Path to EKS token file (AWS default) | `EKSWorkloadIdentity` | None |
+| `AWS_WEB_IDENTITY_TOKEN_FILE` | Path to EKS token file (AWS fallback) | `EKSWorkloadIdentity` | None |
 
 ##### Running Without Application Credentials
 

packages/mcp/src/keycardai/mcp/server/auth/application_credentials.py

@@ -409,8 +409,13 @@ class EKSWorkloadIdentity:
     The token is read fresh on each token exchange request, allowing for token rotation
     without requiring application restart.
 
+    Environment Variable Discovery (when token_file_path is not provided):
+        1. KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE - Custom token file path (highest priority)
+        2. AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE - AWS EKS default location
+        3. AWS_WEB_IDENTITY_TOKEN_FILE - AWS fallback location
+
     Example:
-        # Default configuration (uses AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE env var)
+        # Default configuration (discovers from environment variables)
         provider = EKSWorkloadIdentity()
 
         # Explicit token file path
@@ -423,39 +428,50 @@ class EKSWorkloadIdentity:
             env_var_name="MY_CUSTOM_TOKEN_FILE_ENV_VAR"
         )
     """
-    default_env_var_name = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
+    default_env_var_names = ["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", "AWS_WEB_IDENTITY_TOKEN_FILE"]
 
     def __init__(
         self,
         token_file_path: str | None = None,
-        env_var_name: str = default_env_var_name,
+        env_var_name: str | None = None,
     ):
         """Initialize EKS workload identity provider.
 
         Args:
             token_file_path: Explicit path to the token file. If not provided,
                            reads from the environment variable specified by env_var_name.
             env_var_name: Name of the environment variable containing the token file path.
-                         Defaults to AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE.
 
         Raises:
             EKSWorkloadIdentityConfigurationError: If token file cannot be read or is empty.
         """
-        self.env_var_name = env_var_name
-
         if token_file_path is not None:
             self.token_file_path = token_file_path
+            self.env_var_name = env_var_name  # Store the env_var_name even when token_file_path is provided
         else:
-            self.token_file_path = os.environ.get(env_var_name)
+            self.token_file_path, self.env_var_name = self._get_token_file_path(env_var_name)
             if not self.token_file_path:
                 raise EKSWorkloadIdentityConfigurationError(
                     token_file_path=None,
                     env_var_name=env_var_name,
-                    error_details=f"Environment variable {env_var_name} is not set",
+                    error_details="Could not find token file path in environment variables",
                 )
 
         self._validate_token_file()
 
+    def _get_token_file_path(self, env_var_name: str | None) -> tuple[str, str]:
+        """Get the token file path from the environment variables.
+
+        Returns:
+            Tuple containing the token file path and the environment variable name.
+        """
+        env_names = self.default_env_var_names if env_var_name is None else [env_var_name, *self.default_env_var_names]
+        return next((
+            (os.environ.get(env_name), env_name)
+            for env_name in env_names
+            if os.environ.get(env_name)
+        ), (None, None))
+
     def _validate_token_file(self) -> None:
         """Validate that the token file exists and can be read.
 

packages/mcp/src/keycardai/mcp/server/auth/provider.py

@@ -293,7 +293,8 @@ def _discover_application_credential(self, application_credential: ApplicationCr
 
         application_credential_type = os.getenv("KEYCARD_APPLICATION_CREDENTIAL_TYPE")
         if application_credential_type == "eks_workload_identity":
-            return EKSWorkloadIdentity()
+            custom_token_file_path = os.getenv("KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE")
+            return EKSWorkloadIdentity(token_file_path=custom_token_file_path)
         elif application_credential_type == "web_identity":
             key_storage_dir = os.getenv("KEYCARD_WEB_IDENTITY_KEY_STORAGE_DIR")
             return WebIdentity(
@@ -306,8 +307,7 @@ def _discover_application_credential(self, application_credential: ApplicationCr
             )
 
         # detect workload identity from environment variables
-        workload_identity_token = os.getenv(EKSWorkloadIdentity.default_env_var_name)
-        if workload_identity_token:
+        if any(os.getenv(env_name) for env_name in EKSWorkloadIdentity.default_env_var_names):
             return EKSWorkloadIdentity()
 
         return None

packages/mcp/tests/keycardai/mcp/server/auth/test_application_identity.py

@@ -330,7 +330,7 @@ async def test_initialization_fails_when_env_var_not_set(self):
             EKSWorkloadIdentity()
 
         assert "Failed to initialize EKS workload identity" in str(exc_info.value)
-        assert "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE" in str(exc_info.value)
+        assert "Could not find token file path in environment variables" in str(exc_info.value)
 
     @pytest.mark.asyncio
     async def test_initialization_fails_when_token_file_empty(self):