AWS Context Discovery
Before doing any AWS work, read the user's local AWS config. Don't guess the region, and don't ask the user for things their config already answers.
What to discover
Run these at the start of the AWS work and remember the results for the rest of the session.
1. Active profile
AWS_PROFILE env var, else default. If the user mentioned a profile in their prompt, that overrides. If the named profile doesn't exist in ~/.aws/config, surface that clearly.
2. Region
Resolution order — stop at the first one that produces a value:
- Region the user explicitly named in this conversation
AWS_REGION env var
AWS_DEFAULT_REGION env var
region field on the active profile in ~/.aws/config
- Ask the user — but only after the first four have failed
Do not fall back to us-east-1 or any other hardcoded default.
3. Credentials, account ID, caller ARN
aws sts get-caller-identity --profile <profile> --region <region>
Three purposes in one call: confirms credentials are valid (stop if not), returns the Account ID (needed for ARN construction), returns the Arn of the caller.
4. Identify SSO / assumed-role principals
The Arn field tells you what kind of principal this is. The pattern matters because it determines what IAM operations the caller can do.
| ARN pattern | Type | IAM write capability |
|---|
arn:aws:iam::<acct>:user/<name> | IAM user | Depends on attached policies |
arn:aws:sts::<acct>:assumed-role/AWSReservedSSO_<...>/<email> | SSO assumed-role | Typically none — can't create/modify IAM roles |
arn:aws:sts::<acct>:assumed-role/<role>/<session> | Regular assumed-role | Depends on the role |
If the caller is SSO, surface this immediately before later skills hit iam:CreateRole and fail:
Heads up: you're authenticated via SSO (AWSReservedSSO_<PermissionSet>_...). SSO principals usually can't create IAM roles directly. If we need a SageMaker execution role, I'll look for an existing one first — if none exists, you'll need to ask whoever manages your AWS access to create one.
This is the highest-leverage thing this skill does. Surfacing it now turns a confusing mid-deployment error into a five-second conversation.
Commands to run
# Effective profile and region (faster than parsing config files)
aws configure list
# Validate credentials and get identity
aws sts get-caller-identity
aws sts get-caller-identity --profile <profile-name> # if a profile was named
aws configure list handles env-var overrides and shows the resolved effective values. Prefer it over parsing ~/.aws/config yourself. If you need to read raw config (e.g. to list profiles), ~/.aws/config and ~/.aws/credentials are plain INI files — read-only.
What to report back
One or two lines, not a wall of text:
Working with profile my-profile in eu-west-1, account 123456789012. You're authenticated via SSO, so we'll need to use an existing IAM role rather than create one.
Don't ask the user to confirm the region you just read from their config — they configured it; that is the confirmation.
If something is wrong (credentials expired, profile doesn't exist, no region anywhere), stop and surface the specific error before continuing.