Replace Modal OIDC helper with manual STS assume role flow

[r33drichards]

Summary

Updated the AWS credential acquisition flow in the Modal app to manually exchange Modal's OIDC token for temporary AWS credentials using STS assume_role_with_web_identity, replacing the previous modal.oidc.assume_role() helper method.

Changes

• Replaced modal.oidc.assume_role() call with explicit STS token exchange flow
• Extract MODAL_IDENTITY_TOKEN from environment variable (provided by Modal runtime)
• Use boto3 STS client to call assume_role_with_web_identity() with the OIDC token
• Updated credential field access from object attributes to dictionary keys (e.g., creds.access_key_id → creds["AccessKeyId"])
• Added validation to ensure MODAL_IDENTITY_TOKEN is set, with helpful error message

Implementation Details

• The Modal runtime automatically provides the OIDC identity token via the MODAL_IDENTITY_TOKEN environment variable
• STS response credentials are returned as a dictionary with capitalized keys (AccessKeyId, SecretAccessKey, SessionToken)
• Session name is set to "modal-docs-mcp-upload" for audit trail clarity
• Maintains the same AWS region configuration and S3 client initialization

https://claude.ai/code/session_013E7ycxMooFL1t9wkgbN7UA

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Feb 2, 2026 9:53am