From huggingface-skills
Discovers active AWS profile, region, and caller identity from local config. Prevents guesswork and SSO-related deployment errors by surfacing context before any AWS operation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/huggingface-skills:hf-cloud-aws-context-discoveryThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Before doing any AWS work, read the user's local AWS config. Don't guess the region, and don't ask the user for things their config already answers.
Before doing any AWS work, read the user's local AWS config. Don't guess the region, and don't ask the user for things their config already answers.
Run these at the start of the AWS work and remember the results for the rest of the session.
AWS_PROFILE env var, else default. If the user mentioned a profile in their prompt, that overrides. If the named profile doesn't exist in ~/.aws/config, surface that clearly.
Resolution order — stop at the first one that produces a value:
AWS_REGION env varAWS_DEFAULT_REGION env varregion field on the active profile in ~/.aws/configDo not fall back to us-east-1 or any other hardcoded default.
aws sts get-caller-identity --profile <profile> --region <region>
Three purposes in one call: confirms credentials are valid (stop if not), returns the Account ID (needed for ARN construction), returns the Arn of the caller.
The Arn field tells you what kind of principal this is. The pattern matters because it determines what IAM operations the caller can do.
| ARN pattern | Type | IAM write capability |
|---|---|---|
arn:aws:iam::<acct>:user/<name> | IAM user | Depends on attached policies |
arn:aws:sts::<acct>:assumed-role/AWSReservedSSO_<...>/<email> | SSO assumed-role | Typically none — can't create/modify IAM roles |
arn:aws:sts::<acct>:assumed-role/<role>/<session> | Regular assumed-role | Depends on the role |
If the caller is SSO, surface this immediately before later skills hit iam:CreateRole and fail:
Heads up: you're authenticated via SSO (
AWSReservedSSO_<PermissionSet>_...). SSO principals usually can't create IAM roles directly. If we need a SageMaker execution role, I'll look for an existing one first — if none exists, you'll need to ask whoever manages your AWS access to create one.
This is the highest-leverage thing this skill does. Surfacing it now turns a confusing mid-deployment error into a five-second conversation.
# Effective profile and region (faster than parsing config files)
aws configure list
# Validate credentials and get identity
aws sts get-caller-identity
aws sts get-caller-identity --profile <profile-name> # if a profile was named
aws configure list handles env-var overrides and shows the resolved effective values. Prefer it over parsing ~/.aws/config yourself. If you need to read raw config (e.g. to list profiles), ~/.aws/config and ~/.aws/credentials are plain INI files — read-only.
One or two lines, not a wall of text:
Working with profile
my-profileineu-west-1, account123456789012. You're authenticated via SSO, so we'll need to use an existing IAM role rather than create one.
Don't ask the user to confirm the region you just read from their config — they configured it; that is the confirmation.
If something is wrong (credentials expired, profile doesn't exist, no region anywhere), stop and surface the specific error before continuing.
npx claudepluginhub calumba-holding/huggingface-skills5plugins reuse this skill
First indexed Jul 7, 2026
Discovers active AWS profile, region, and caller identity from local config. Prevents guesswork and SSO-related deployment errors by surfacing context before any AWS operation.
Verifies correct AWS credentials and profile before Terraform or AWS operations to prevent cross-environment accidents. Supports SSO login, assume role, and named profile switching.
Queries, audits, and monitors AWS resources via CLI with read-only defaults and safe change proposals requiring confirmation.