strands-on-lambda-with-auth0
If you are the rightful owner of strands-on-lambda-with-auth0 and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.
This document provides a structured summary of an AI Agent with MCP Server implementation on AWS Lambda, utilizing Auth0 for authentication.
AI Agent with MCP Server on AWS Lambda, with Auth0 authentication
This repo contains a sample implementation of user-aware AI Agent and MCP Server running on AWS Lambda. The sample implements an AI-based Travel Agent for a fictitious corporation AcmeCorp. Auth0 is used for user authentication and access controls.
See two below artifacts to better understand the expected Agent behavior.
- for Agent's system prompt.
- for corporate travel policies the Agent is bound by.
(Skip to Running the project)
Frameworks and services
- AI Agent is implemented using Strands Agents SDK
- MCP Server is implemented using the official MCP TypeScript SDK and Lambda Web Adapter
- Amazon API Gateway is used to front AI Agent and MCP (see architecture diagram).
- Amazon DynamoDB is used to persist AI Agent session state.
- Amazon Bedrock and Claude Haiku 3.5 are used for inferrence.
- Gradio is used for Web UI.
Authentication and Authorization
- Auth0 is used for user authentication and authorization.
- During
terraform apply/cdk deploytwo users will be created in Auth0 -AliceandBob. Usealice@example.comandbob@example.comto login, as described below. The password is set toPassw0rd@. - Both AI Agent and Bookings MCP domains require JWT (bearer token) authorization, as enforced by API Gateway Lambda authorizers.
- AI Agent expects JWT issued by Auth0. The subject of this JWT is the user. Validation is done in the Agent Authorizer using Auth0 provider JWKs.
- Bookings MCP expects JWT generated by Strands Agent. The subject of this JWT is the agent with
user_idbeing an extra claim. This token is signed by a shared secret. Validation is done in the MCP Authorizer using shared secret. - To state explicitly - at no point in time user's identity is inferred from LLM's response. It is ALWAYS propagated using JWTs.
User-awareness and session management
- Both AI Agent and MCP Server are fully stateless, they do not maintain any internal state.
- Both AI Agent and MCP Server are aware of the current user and process requests within the user authorization context.
- AI Agent externalizes its state to DynamoDB, using
user_idas primary key. - New Strands Agent instance is created on every request with state that belongs to the current user.
- MCP Clients attached to the AI Agent are created per-user, holding user-specific JWT to communicate with MCP Server.
- MCP Server propagates authorized user context into all tools, making MCP tools user-aware.
Tools
Implemented in agent
- [Agent]
get-user-locationresolves user's IP address to users location. - [Agent]
get-todays-datetool returns today's date.
Implemented in MCP Server
- [MCP]
get-travel-policiesreturns AcmeCorp corporate travel policies. - [MCP]
get-available-carsreturns a list and categories of cars available to rent. - [MCP]
book-carbooks a car rental. - [MCP]
book-hotelbooks a hotel.
Running the project
The project is using arm64 architecture by default for better cost efficiency. Update IaC files if you want to change it to x86.
Prereqs
- AWS CLI, Git, Docker
- Terraform or CDK
- Node.js installed
- Access to
us.anthropic.claude-3-5-haiku-20241022-v1:0inus-east-1. Or update to use a different model/region. - Auth0 account
Clone the project
git clone https://github.com/aal80/strands-on-lambda-with-auth0
Install dependencies
(cd lambdas/agent-authorizer && npm install)
(cd lambdas/mcp-authorizer && npm install)
(cd lambdas/bookings-mcp && npm install)
Deploy to AWS with Terraform
Set Auth0 configuration with environment variables:
export TF_VAR_auth0_domain=your-auth0-domain
export TF_VAR_auth0_management_client_id=your-auth0-management-client-id
export TF_VAR_auth0_management_client_secret=your-auth0-management-client-secret
Terraform:
cd terraform
terraform init
terraform plan
terraform apply
Always make sure to carefully review required IAM permissions!
Run post-deploy script
Terraform:
# Make sure you're in the {project_root}/terraform directory
chmod +x prep-web.sh
./prep-web.sh
cd ..
Running this script will {project_root}/web/.env file with configuration required for running the Web UI.
Run Web UI
cd web
python3 -m venv .venv # Create virtual environment
source .venv/bin/activate # Active virtual environment
pip install -r requirements.txt # Install dependencies
python app.py # Start Web UI app
Open http://localhost:8000/chat/ in your browser
Login
You will be redirected to Auth0-provided login screen.
- Email:
alice@example.comorbob@example.com - Password:
Passw0rd@
Once logged in, start asking your AI Agent questions about corporate travel booking, for example
- What cars can I rent?
- Book me a trip to Paris
- I need to go to Dallas for three days starting next Monday, I also need a car
- Can I rent a Mercedes?
Clean-up
Terraform:
terraform destroy