bedrock_agentcore_iam_runtime_mcp_server

des1-gner/bedrock_agentcore_iam_runtime_mcp_server

3.3

If you are the rightful owner of bedrock_agentcore_iam_runtime_mcp_server and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.

This guide demonstrates how to deploy a Model Context Protocol (MCP) server to Amazon Bedrock AgentCore Runtime using IAM authentication.

Tools
3
Resources
0
Prompts
0

MCP Server on Amazon Bedrock AgentCore with IAM Authentication

This guide demonstrates how to deploy a Model Context Protocol (MCP) server to Amazon Bedrock AgentCore Runtime using IAM authentication instead of OAuth/Cognito tokens.

Prerequisites

  • Python 3.10 or higher
  • AWS account with appropriate permissions
  • AWS CLI configured with admin credentials

Project Structure

bedrock_agentcore_iam_runtime_mcp_server/
ā”œā”€ā”€ server/
ā”‚   ā”œā”€ā”€ my_iam_mcp_server.py    # MCP server implementation
ā”‚   ā””ā”€ā”€ requirements.txt        # Server dependencies
ā”œā”€ā”€ client/
ā”‚   ā”œā”€ā”€ test_mcp_client.py     # Test client
ā”‚   ā””ā”€ā”€ requirements.txt        # Client dependencies
ā”œā”€ā”€ iam/
ā”‚   ā””ā”€ā”€ mcp-access-policy.json # IAM policy for MCP access
ā””ā”€ā”€ README.md                  # This file

Note: If you're cloning this repository, you can skip to Step 3 (as well as a few later ones) as the files are already created.

Step 1: Create Your MCP Server

Create server/my_iam_mcp_server.py:

from mcp.server.fastmcp import FastMCP
import boto3

mcp = FastMCP("my_iam_mcp_server", host="0.0.0.0", stateless_http=True)

@mcp.tool()
def add_numbers(a: int, b: int) -> int:
    """Add two numbers together"""
    return a + b

@mcp.tool()
def multiply_numbers(a: int, b: int) -> int:
    """Multiply two numbers together"""
    return a * b

@mcp.tool()
def greet_user(name: str) -> str:
    """Greet a user by name"""
    return f"Hello, {name}! Nice to meet you."

@mcp.tool()
def get_aws_region() -> str:
    """Get the current AWS region using boto3"""
    session = boto3.Session()
    return session.region_name

if __name__ == "__main__":
    mcp.run(transport="streamable-http")

Step 2: Create Requirements Files

Create server/requirements.txt:

mcp
boto3
bedrock-agentcore
bedrock-agentcore-starter-toolkit

Create client/requirements.txt:

mcp
boto3
run-mcp-servers-with-aws-lambda

Step 3: Configure and Deploy

Navigate to the server directory and configure your MCP server:

cd server
agentcore configure -e my_iam_mcp_server.py --protocol MCP

During configuration:

  • Execution Role: Press Enter to auto-create
  • ECR Repository: Press Enter to auto-create
  • Dependency file: Press Enter to use detected requirements.txt
  • Authorization: Choose no for OAuth (uses IAM by default)

Deploy to AWS:

agentcore launch

After successful deployment, you'll receive an Agent ARN like:

arn:aws:bedrock-agentcore:<aws-region>:<account-id>:runtime/my_iam_mcp_server-<random-id>

Save this ARN - you'll need it in the next step.

Step 4: Test with Your Current Credentials

Navigate to the client directory and install dependencies:

cd ../client
pip install -r requirements.txt

Create client/test_mcp_client.py:

import boto3
import asyncio
from mcp import ClientSession
from mcp_lambda.client.streamable_http_sigv4 import streamablehttp_client_with_sigv4

def generate_mcp_url(agent_runtime_arn: str, region: str = "<aws-region>") -> str:
    encoded_arn = agent_runtime_arn.replace(':', '%3A').replace('/', '%2F')
    return f"https://bedrock-agentcore.{region}.amazonaws.com/runtimes/{encoded_arn}/invocations?qualifier=DEFAULT"

async def test_mcp_server():
    # Replace with your actual Agent ARN
    agent_arn = "arn:aws:bedrock-agentcore:<aws-region>:<account-id>:runtime/my_iam_mcp_server-<random-id>"
    
    mcp_url = generate_mcp_url(agent_arn, region="<aws-region>")
    print(f"Connecting to: {mcp_url}")

    session = boto3.Session()
    credentials = session.get_credentials()
    
    try:
        async with streamablehttp_client_with_sigv4(
            url=mcp_url,
            service="bedrock-agentcore",
            region="<aws-region>",
            credentials=credentials,
            timeout=120,
            terminate_on_close=False
        ) as (read_stream, write_stream, _):
            async with ClientSession(read_stream, write_stream) as mcp_session:
                print("Initializing MCP session...")
                await mcp_session.initialize()
                print("MCP session initialized successfully")
                
                # List available tools
                print("\n=== Available Tools ===")
                tool_result = await mcp_session.list_tools()
                for tool in tool_result.tools:
                    print(f"  - {tool.name}: {tool.description}")
                
                # Test the tools
                print("\n=== Testing add_numbers tool ===")
                result = await mcp_session.call_tool("add_numbers", {"a": 5, "b": 3})
                print(f"add_numbers(5, 3) = {result.content}")
                
                print("\n=== Testing multiply_numbers tool ===")
                result = await mcp_session.call_tool("multiply_numbers", {"a": 4, "b": 7})
                print(f"multiply_numbers(4, 7) = {result.content}")
                
                print("\n=== Testing greet_user tool ===")
                result = await mcp_session.call_tool("greet_user", {"name": "Alice"})
                print(f"greet_user('Alice') = {result.content}")
                
                # Test the boto3 tool
                print("\n=== Testing get_aws_region tool (uses boto3) ===")
                result = await mcp_session.call_tool("get_aws_region", {})
                print(f"get_aws_region() = {result.content}")
                
    except Exception as e:
        print(f"Error connecting to MCP server {e}")
        raise

if __name__ == "__main__":
    asyncio.run(test_mcp_server())

Before running, update the following placeholders in test_mcp_client.py:

  • Replace <aws-region> with your AWS region (e.g., us-east-1)
  • Replace <account-id> with your AWS account ID
  • Replace <random-id> with the random ID from your Agent ARN

Test with your current credentials:

python3 test_mcp_client.py

Step 5: Create Separate IAM User for Testing

Create IAM User

# Create the IAM user
aws iam create-user --user-name mcp-test-user

# Create access keys for the user
aws iam create-access-key --user-name mcp-test-user

Save the AccessKeyId and SecretAccessKey from the output.

Create IAM Policy

Create iam/mcp-access-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "bedrock-agentcore:InvokeAgentRuntime"
            ],
            "Resource": "arn:aws:bedrock-agentcore:<aws-region>:<account-id>:runtime/my_iam_mcp_server-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "bedrock-agentcore:InvokeAgentRuntime"
            ],
            "Resource": "arn:aws:bedrock-agentcore:<aws-region>:<account-id>:runtime/*"
        }
    ]
}

Before creating the policy, update the following placeholders in mcp-access-policy.json:

  • Replace <aws-region> with your AWS region (e.g., us-east-1)
  • Replace <account-id> with your AWS account ID

Create and attach the policy:

# Create the policy
aws iam create-policy \
    --policy-name MCPServerAccessPolicy \
    --policy-document file://iam/mcp-access-policy.json

# Attach the policy to the user (replace <account-id> with your AWS account ID)
aws iam attach-user-policy \
    --user-name mcp-test-user \
    --policy-arn arn:aws:iam::<account-id>:policy/MCPServerAccessPolicy

Before running the attach command, replace <account-id> with your AWS account ID.

Test with New IAM User

Open a new terminal to not use your Admin Credentials and set your environment variables with the new user's credentials:

export AWS_ACCESS_KEY_ID="<access-key-id>"
export AWS_SECRET_ACCESS_KEY="<secret-access-key>"
export AWS_DEFAULT_REGION="<aws-region>"

# Run the test
python3 test_mcp_client.py

Before running, replace the following:

  • <access-key-id> with the AccessKeyId from the create-access-key command
  • <secret-access-key> with the SecretAccessKey from the create-access-key command
  • <aws-region> with your AWS region (e.g., us-east-1)

Expected Output

Connecting to: https://bedrock-agentcore.<aws-region>.amazonaws.com/runtimes/arn%3Aaws%3Abedrock-agentcore%3A<aws-region>%3A<account-id>%3Aruntime%2Fmy_iam_mcp_server-<random-id>/invocations?qualifier=DEFAULT

Initializing MCP session...
MCP session initialized successfully

=== Available Tools ===
  - add_numbers: Add two numbers together
  - multiply_numbers: Multiply two numbers together
  - greet_user: Greet a user by name
  - get_aws_region: Get the current AWS region using boto3

=== Testing add_numbers tool ===
add_numbers(5, 3) = [TextContent(type='text', text='8', annotations=None, meta=None)]

=== Testing multiply_numbers tool ===
multiply_numbers(4, 7) = [TextContent(type='text', text='28', annotations=None, meta=None)]

=== Testing greet_user tool ===
greet_user('Alice') = [TextContent(type='text', text='Hello, Alice! Nice to meet you.', annotations=None, meta=None)]

=== Testing get_aws_region tool (uses boto3) ===
get_aws_region() = [TextContent(type='text', text='us-east-1', annotations=None, meta=None)]

Key Benefits

  • No OAuth/Cognito setup required - Uses standard AWS IAM authentication
  • SigV4 signing - Automatic AWS request signing with boto3 credentials
  • Separated dependencies - Server and client dependencies are isolated
  • boto3 support - Demonstrates using AWS SDK within MCP server tools

References