MCP Servers

A collection of Model Context Protocol servers, templates, tools and more.

V
Vpullela Hosted Aws MCP Server
by @venkatakrishna-pullela
GitHub Repo(1 stars)

Infrastructure-as-Code framework for deploying Model Context Protocol (MCP) servers as containerized AWS Lambda functions with Bedrock AgentCore Gateway and Cognito OAuth2 authentication

Created 2/17/2026
Updated about 9 hours ago
README
View Source
Repository documentation and setup instructions

AWS MCP Server Deployment Framework

Infrastructure-as-Code for Model Context Protocol Servers on AWS Lambda

License: MIT AWS Python

Quick StartConfigurationArchitectureIntegration

Overview

This repository provides production-grade infrastructure automation for deploying Model Context Protocol (MCP) servers as containerized AWS Lambda functions. The framework integrates Amazon Bedrock AgentCore Gateway with Amazon Cognito for OAuth2 authentication, enabling secure, scalable access to AWS services through standardized MCP interfaces.

What is Model Context Protocol?

Model Context Protocol (MCP) is an open standard that enables AI assistants and applications to securely connect to external data sources and tools. By deploying MCP servers on AWS Lambda, organizations can expose AWS service capabilities—such as CloudWatch metrics, Cost Explorer data, or custom business logic—to AI systems while maintaining enterprise-grade security and compliance.

Use Cases

This deployment framework supports various integration scenarios:

  • AI Assistant Integration: Connect Claude, ChatGPT, or custom AI agents to AWS services through standardized MCP interfaces
  • Analytics Platforms: Enable Amazon Quick Suite and other analytics tools to query AWS operational data
  • Workflow Automation: Provide programmatic access to AWS resources for automation frameworks
  • Multi-Tenant Applications: Deploy isolated MCP server instances with tenant-specific permissions

Tested Implementations

The framework has been validated with the following MCP servers:

  • CloudWatch MCP Server - Query metrics, logs, and alarms
  • Cost Explorer MCP Server - Analyze AWS spending and usage patterns

Additional AWS service integrations can be deployed by modifying the configuration file.

Quick Start

Deploy a complete MCP server infrastructure in three steps:

# 1. Validate AWS permissions
./validate-permissions.sh

# 2. Configure deployment parameters
nano mcp-config.env

# 3. Execute deployment
./deploy.sh

Deployment completes in 5-10 minutes and provisions all required AWS resources automatically.

Prerequisites

Required Tools

| Tool | Version | Purpose | |------|---------|---------| | AWS CLI | 2.x+ | AWS resource management | | Python | 3.8+ | Deployment script execution | | Bash | 4.x+ | Shell script execution |

AWS Permissions

The deployment requires specific IAM permissions to create and manage AWS resources. Review the complete permission requirements in PERMISSIONS.md.

AWS Credentials

Configure AWS credentials using one of the following methods:

# AWS CLI configuration
aws configure

# Environment variables
export AWS_ACCESS_KEY_ID="your-access-key"
export AWS_SECRET_ACCESS_KEY="your-secret-key"
export AWS_DEFAULT_REGION="us-east-1"

# AWS SSO
aws sso login --profile your-profile

Configuration

The deployment is configured through a single environment file: mcp-config.env

Configuration Parameters

# Project identifier - base name for all AWS resources
PROJECT_NAME="cloudwatch-mcp-server"

# MCP server package details
MCP_PACKAGE="awslabs.cloudwatch_mcp_server"
MCP_PACKAGE_PIP="awslabs.cloudwatch-mcp-server"

# IAM permissions for Lambda execution role
SERVICE_PERMISSIONS="cloudwatch:*"

# OAuth2 callback URL for client applications
QUICKSUITE_CALLBACK_URL="https://us-east-1.quicksight.aws.amazon.com/sn/oauthcallback"

Parameter Reference

| Parameter | Description | Constraints | |-----------|-------------|-------------| | PROJECT_NAME | Identifier used to name all AWS resources | Lowercase letters, numbers, hyphens only; maximum 30 characters | | MCP_PACKAGE | Python import path for the MCP server | Must match the package's module structure | | MCP_PACKAGE_PIP | pip package name for installation | Must be available on PyPI or configured package index | | SERVICE_PERMISSIONS | IAM actions granted to Lambda | Use least-privilege principle; supports wildcards | | QUICKSUITE_CALLBACK_URL | OAuth2 redirect URI | Must match client application configuration |

Resource Naming Convention

All AWS resources are named using the PROJECT_NAME as a base:

Lambda Function:    {project-name}
IAM Role:           {ProjectName}Role
ECR Repository:     {project-name}
CodeBuild Project:  {project-name}-build
Gateway:            {project-name}-gw

Architecture

The deployment creates a serverless architecture that integrates multiple AWS services:

┌─────────────────────────────────────────────────────────────┐
│                     Client Application                      │
│              (Amazon Quick Suite / Custom Client)           │
└────────────────────────┬────────────────────────────────────┘
                         │
                         │ OAuth2 Authorization Code Flow
                         ▼
         ┌───────────────────────────────────┐
         │     Amazon Cognito User Pool      │
         │   • User Authentication           │
         │   • JWT Token Issuance            │
         └───────────────┬───────────────────┘
                         │
                         │ JWT Bearer Token
                         ▼
┌────────────────────────────────────────────────────────────┐
│              Amazon Bedrock AgentCore Gateway              │
│   • JWT Validation  • MCP Protocol Handler                 │
└────────────────────────┬───────────────────────────────────┘
                         │
                         │ Lambda Invocation
                         ▼
         ┌───────────────────────────────────┐
         │      AWS Lambda Function          │
         │   • MCP Server (Container)        │
         │   • AWS SDK Integration           │
         └───────────────┬───────────────────┘
                         │
                         │ AWS API Calls
                         ▼
         ┌───────────────────────────────────┐
         │        AWS Service APIs           │
         │   (CloudWatch, Cost Explorer...)  │
         └───────────────────────────────────┘

Component Responsibilities

| Component | Function | |-----------|----------| | Amazon Cognito | Manages user authentication and OAuth2 token lifecycle | | AgentCore Gateway | Validates JWT tokens and translates MCP protocol requests | | AWS Lambda | Executes MCP server logic in containerized environment | | AWS CodeBuild | Builds Docker images with MCP server dependencies | | Amazon ECR | Stores container images for Lambda deployment | | AWS IAM | Enforces least-privilege access control |

Deployed Resources

The deployment script provisions the following AWS resources:

  • Amazon Cognito User Pool with OAuth2 app client
  • Amazon Bedrock AgentCore Gateway with MCP target
  • AWS Lambda function with container image
  • Amazon ECR repository for Docker images
  • AWS CodeBuild project for automated builds
  • IAM roles and policies for service permissions
  • Amazon CloudWatch log groups for monitoring
  • Test user account for integration testing

Amazon Quick Suite Integration

Configuration Steps

  1. Access Integration Settings

    • Open the Amazon Quick Suite console
    • Navigate to Integrations
    • Click Add (+) to create a new integration

  2. Configure Integration Details

    • Name: Descriptive identifier (e.g., "CloudWatch MCP Server")
    • Description: Optional purpose description
    • MCP server endpoint: Gateway URL from deployment output
    • Click Next

  3. Configure Authentication

    • Select authentication method (user or service)
    • Enter OAuth2 credentials from gateway-config.json:
      • Client ID
      • Client Secret
      • Authorization URL
      • Token URL
    • Click Create and continue

  4. Review and Share

    • Review integration configuration
    • Click Next
    • Optionally share with other users
    • Complete setup

OAuth2 Authentication Flow

The integration uses OAuth2 Authorization Code Flow:

  1. Client initiates authentication request
  2. User redirected to Cognito hosted UI
  3. User authenticates with credentials
  4. Cognito returns authorization code
  5. Client exchanges code for access token
  6. Access token used for Gateway API requests

Test Credentials

A test user account is created automatically during deployment:

  • Email: test@example.com
  • Password: TestPassword123!

These credentials can be used to verify the OAuth2 flow before configuring production users.

Adapting for Other MCP Servers

The framework supports deployment of different MCP server implementations by modifying the configuration file.

CloudWatch MCP Server

PROJECT_NAME="cloudwatch-mcp-server"
MCP_PACKAGE="awslabs.cloudwatch_mcp_server"
MCP_PACKAGE_PIP="awslabs.cloudwatch-mcp-server"
SERVICE_PERMISSIONS="cloudwatch:*"

Cost Explorer MCP Server

PROJECT_NAME="cost-explorer-mcp-server"
MCP_PACKAGE="awslabs.cost_explorer_mcp_server"
MCP_PACKAGE_PIP="awslabs.cost-explorer-mcp-server"
SERVICE_PERMISSIONS="ce:*"

Custom MCP Server

For custom implementations:

  1. Ensure the MCP server package is available via pip
  2. Identify required AWS service permissions
  3. Update mcp-config.env with appropriate values
  4. Execute deployment script

Resource Cleanup

Remove all deployed AWS resources:

./cleanup.sh

The cleanup script removes:

  • Amazon Bedrock AgentCore Gateway and targets
  • AWS Lambda function
  • Amazon ECR repository and container images
  • AWS CodeBuild project
  • IAM roles and policies
  • Amazon CloudWatch log groups
  • S3 build artifacts

Note: Amazon Cognito resources are preserved by default to prevent accidental deletion of user data. To remove Cognito resources, delete them manually through the AWS Console or CLI.

Troubleshooting

Permission Validation Failures

If permission validation fails:

# Review detailed permission requirements
./validate-permissions.sh

# Share PERMISSIONS.md with your security team for IAM policy creation

CodeBuild Failures

Monitor build progress and diagnose issues:

# View real-time build logs
aws logs tail /aws/codebuild/{project-name}-build --follow

# Common causes:
# - Invalid MCP package name in configuration
# - Package not available on PyPI
# - Network connectivity issues during build

Lambda Execution Errors

Access Lambda function logs:

# View recent Lambda invocations
aws logs tail /aws/lambda/{function-name} --follow

# Common issues:
# - Insufficient IAM permissions
# - MCP server initialization failures
# - Timeout errors (increase Lambda timeout if needed)

OAuth2 Authentication Issues

Verify OAuth2 configuration:

  • Confirm client ID matches Gateway configuration
  • Ensure access tokens have not expired (default: 1 hour)
  • Verify callback URL matches client application configuration exactly
  • Check Cognito user pool domain is accessible

Gateway Connection Failures

Validate Gateway status:

# Check Gateway state
aws bedrock-agentcore-control get-gateway \
  --gateway-identifier {gateway-id} \
  --region us-east-1

Ensure Gateway status is ACTIVE before attempting connections.

Documentation

License

This project is licensed under the MIT License. See the LICENSE file for complete terms.

Questions or Issues?

Report BugRequest FeatureView Documentation

Quick Setup
Installation guide for this server

Installation Command (package not published)

git clone https://github.com/venkatakrishna-pullela/vpullela-hosted-aws-mcp-server
Manual Installation: Please check the README for detailed setup instructions and any additional dependencies required.

Cursor configuration (mcp.json)

{ "mcpServers": { "venkatakrishna-pullela-vpullela-hosted-aws-mcp-server": { "command": "git", "args": [ "clone", "https://github.com/venkatakrishna-pullela/vpullela-hosted-aws-mcp-server" ] } } }