Catalog
huggingface/hf-cloud-aws-context-discovery

huggingface

hf-cloud-aws-context-discovery

Discover the user's local AWS context (active profile, region, account ID, caller identity) at the start of any AWS task. Use this skill before any other AWS work — deploying to SageMaker, creating resources, calling AWS APIs, or anything that touches an AWS account. Use it especially when the user has not specified a region or profile explicitly, when they say things like "use my AWS account", "deploy to AWS", "use my profile", or when about to make any AWS CLI or SDK call. Never guess the region or account ID — always use this skill to read it from the local configuration first.

global
New~974
v1.0Saved Jul 11, 2026

AWS Context Discovery

Before doing any AWS work, read the user's local AWS config. Don't guess the region, and don't ask the user for things their config already answers.

What to discover

Run these at the start of the AWS work and remember the results for the rest of the session.

1. Active profile

AWS_PROFILE env var, else default. If the user mentioned a profile in their prompt, that overrides. If the named profile doesn't exist in ~/.aws/config, surface that clearly.

2. Region

Resolution order — stop at the first one that produces a value:

  1. Region the user explicitly named in this conversation
  2. AWS_REGION env var
  3. AWS_DEFAULT_REGION env var
  4. region field on the active profile in ~/.aws/config
  5. Ask the user — but only after the first four have failed

Do not fall back to us-east-1 or any other hardcoded default.

3. Credentials, account ID, caller ARN

aws sts get-caller-identity --profile <profile> --region <region>

Three purposes in one call: confirms credentials are valid (stop if not), returns the Account ID (needed for ARN construction), returns the Arn of the caller.

4. Identify SSO / assumed-role principals

The Arn field tells you what kind of principal this is. The pattern matters because it determines what IAM operations the caller can do.

ARN pattern Type IAM write capability
arn:aws:iam::<acct>:user/<name> IAM user Depends on attached policies
arn:aws:sts::<acct>:assumed-role/AWSReservedSSO_<...>/<email> SSO assumed-role Typically none — can't create/modify IAM roles
arn:aws:sts::<acct>:assumed-role/<role>/<session> Regular assumed-role Depends on the role

If the caller is SSO, surface this immediately before later skills hit iam:CreateRole and fail:

Heads up: you're authenticated via SSO (AWSReservedSSO_<PermissionSet>_...). SSO principals usually can't create IAM roles directly. If we need a SageMaker execution role, I'll look for an existing one first — if none exists, you'll need to ask whoever manages your AWS access to create one.

This is the highest-leverage thing this skill does. Surfacing it now turns a confusing mid-deployment error into a five-second conversation.

Commands to run

# Effective profile and region (faster than parsing config files)
aws configure list

# Validate credentials and get identity
aws sts get-caller-identity
aws sts get-caller-identity --profile <profile-name>  # if a profile was named

aws configure list handles env-var overrides and shows the resolved effective values. Prefer it over parsing ~/.aws/config yourself. If you need to read raw config (e.g. to list profiles), ~/.aws/config and ~/.aws/credentials are plain INI files — read-only.

What to report back

One or two lines, not a wall of text:

Working with profile my-profile in eu-west-1, account 123456789012. You're authenticated via SSO, so we'll need to use an existing IAM role rather than create one.

Don't ask the user to confirm the region you just read from their config — they configured it; that is the confirmation.

If something is wrong (credentials expired, profile doesn't exist, no region anywhere), stop and surface the specific error before continuing.

Files1
1 files · 11.1 KB

Select a file to preview

Overall Score

88/100

Grade

A

Excellent

Safety

90

Quality

88

Clarity

89

Completeness

82

Summary

This skill guides an agent to discover and validate the user's local AWS context (active profile, region, account ID, and caller identity) before executing any AWS work. It runs AWS CLI commands to resolve configuration from environment variables, config files, and STS, then surfaces critical information like SSO/role-based authentication limitations upfront to prevent downstream deployment failures.

Detected Capabilities

read AWS config filesread AWS credentials filesrun AWS CLI commands (aws configure list, aws sts get-caller-identity)parse command output (JSON, INI)read environment variables (AWS_PROFILE, AWS_REGION, AWS_DEFAULT_REGION)display parsed identity information to user

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

aws context discoverycheck aws credentialsvalidate aws profileaws region resolutionsso authentication checkaws account identityaws deployment prerequisites

Risk Signals

INFO

Read AWS credentials from ~/.aws/credentials file

Commands to run section
INFO

Read AWS config from ~/.aws/config file

Commands to run section
INFO

Run aws sts get-caller-identity to validate credentials

Commands to run section
INFO

Environment variable reads (AWS_PROFILE, AWS_REGION, AWS_DEFAULT_REGION)

Region section

Referenced Domains

External domains referenced in skill content, detected by static analysis.

www.apache.org

Use Cases

  • Validate AWS credentials and configuration before deploying to SageMaker, Lambda, EC2, or other AWS services
  • Determine the effective AWS region and profile when the user hasn't specified them explicitly
  • Identify SSO-authenticated principals early to flag IAM role creation limitations
  • Resolve caller identity and account ID to enable ARN construction and permission analysis
  • Prevent credential expiration or profile misconfiguration errors mid-deployment

Quality Notes

  • Excellent scope definition — skill is narrowly focused on context discovery only, not actual AWS operations
  • Clear resolution order for region selection (explicit > env var > config file > ask user) prevents ambiguity
  • Strong real-world example of SSO limitation surfacing — shows understanding of common deployment failure modes
  • Well-structured ARN pattern table provides educational value and enables informed downstream decisions
  • Explicit instruction to prefer 'aws configure list' over manual config parsing is a good practice pattern
  • Security-conscious guidance: 'Don't ask the user to confirm the region you just read' respects user intent and avoids second-guessing configuration
  • Error handling documented (credentials expired, profile missing, no region found) with clear stopping point
  • Output format guidance keeps responses concise and actionable — no unnecessary verbosity
Model: claude-haiku-4-5-20251001Analyzed: Jul 11, 2026

Reviews

Add this skill to your library to leave a review.

No reviews yet

Be the first to share your experience.

Add huggingface/hf-cloud-aws-context-discovery to your library

Command Palette

Search for a command to run...