AWS Integration

The AWS MCP server exposes AWS operations by running the AWS CLI on behalf of the calling user, using Azure AD On-Behalf-Of (OBO) authentication.

Authentication: the caller's Azure AD token is exchanged for temporary AWS credentials via STS AssumeRoleWithWebIdentity. The assumed IAM role must trust the Azure AD tenant as an OIDC identity provider, and that role's permission policy is what bounds every command the server runs for the user.

Tools

call_aws

Execute AWS CLI commands:

Input:
  cli_command: string - AWS CLI command
  max_results?: number - Limit results
  meta?: object - Request metadata

Output: JSON or text output from AWS CLI

Examples:

# List EC2 instances
aws ec2 describe-instances

# List S3 buckets
aws s3 ls

# List Lambda functions
aws lambda list-functions

# Describe RDS instances
aws rds describe-db-instances

# List ECS clusters
aws ecs list-clusters
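The cli_command input is a free-form string, and the way a server turns that string into a process decides whether a caller can do more than the assumed role allows. The following is an added example, not the project's code: one way to parse and execute a call_aws-style command so that the string is never interpreted by a shell, only the caller's temporary credentials reach the child process, and global options that would switch credentials or endpoint are refused. The option block-list and the pass-through variable list are this example's own policy; `creds` uses the key names STS returns, and `server_env` is a parameter only so the filtering can be exercised offline.

```python
import os
import shlex
import subprocess
from typing import Dict, List, Mapping, Optional

# Global CLI options that would let the command string escape the caller's
# credentials (this example's policy, not a documented server rule):
#   --profile      selects a credential profile on the server host and takes
#                  precedence over environment credentials
#   --endpoint-url sends the signed request to an arbitrary host
BLOCKED_OPTIONS = {"--profile", "--endpoint-url"}

# The only server environment variables the child process inherits. Anything
# else, including any static fallback keys the server holds, stays out.
PASS_THROUGH = ("PATH", "HOME", "AWS_DEFAULT_REGION", "AWS_REGION", "AWS_CA_BUNDLE")


def build_argv(cli_command: str) -> List[str]:
    """Turn the tool's cli_command string into an argv list.

    shlex.split applies shell quoting rules (a quoted --filters value stays one
    argument) but no shell ever runs, so ';', '|' and '$(...)' are inert: they
    reach the aws binary as ordinary arguments that it rejects.
    """
    argv = shlex.split(cli_command)
    if not argv or argv[0] != "aws":
        raise ValueError("cli_command must be an aws CLI invocation")
    seen = {tok.split("=", 1)[0] for tok in argv[1:] if tok.startswith("--")}
    blocked = seen & BLOCKED_OPTIONS
    if blocked:
        raise ValueError(f"option(s) not allowed: {sorted(blocked)}")
    if "--output" not in seen:
        argv += ["--output", "json"]  # machine-readable unless the caller chose
    return argv


def is_allowed(cli_command: str) -> bool:
    """Predicate form of build_argv's validation."""
    try:
        build_argv(cli_command)
        return True
    except ValueError:
        return False


def build_env(creds: Mapping[str, str],
              server_env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Minimal child environment carrying the caller's temporary credentials.

    Environment credentials take precedence over the server host's
    ~/.aws files, so nothing else needs to be unset.
    """
    src = os.environ if server_env is None else server_env
    env = {k: src[k] for k in PASS_THROUGH if k in src}
    env["AWS_ACCESS_KEY_ID"] = creds["AccessKeyId"]
    env["AWS_SECRET_ACCESS_KEY"] = creds["SecretAccessKey"]
    env["AWS_SESSION_TOKEN"] = creds["SessionToken"]
    return env


def run_aws(cli_command: str, creds: Mapping[str, str], timeout: int = 60) -> Dict[str, object]:
    """Execute the command with the caller's credentials and without a shell."""
    argv = build_argv(cli_command)
    proc = subprocess.run(argv, env=build_env(creds), capture_output=True,
                          text=True, timeout=timeout, shell=False)
    return {"argv": argv, "returncode": proc.returncode,
            "stdout": proc.stdout, "stderr": proc.stderr}
```

`run_aws` needs the aws binary and a live credential set; `build_argv` and `build_env` are the parts worth unit-testing, because they are where a command string or a server-side secret could otherwise leak across the trust boundary.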

suggest_aws_commands

Returns AWS CLI command suggestions for a natural-language description of the task.

aws_list_accounts

Lists AWS IAM Identity Center accounts.

Authentication Flow

  1. The user authenticates with Azure AD

  2. The Azure AD token is passed to the MCP server with the request

  3. The server exchanges the token for AWS credentials via STS AssumeRoleWithWebIdentity

  4. STS returns temporary credentials (access key ID, secret access key, session token) for the assumed role

  5. The AWS CLI command is executed with those credentials

  6. The credentials are cached for up to 50 minutes (see Credential Caching below)

Credential Caching

  • Cache key: user ID, so each user's credentials are held separately and are never served to another user

  • TTL: 50 minutes, a 10-minute buffer before the credentials expire (which implies a 1-hour assumed-role session), so a cached credential is never handed to a command that would expire mid-run

  • Storage: Redis plus an in-memory layer. The cache holds live AWS credentials for every signed-in user, so the Redis instance must be reachable only by the MCP server, require authentication, be reached over TLS, and expire entries no later than the credential TTL

Fallback

When no user token is available:

  • Falls back to the server's own static credentials from environment variables

  • Uses AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

Commands run on this path execute with the server's identity rather than the caller's, so the per-user role policy and per-user CloudTrail attribution of the OBO flow do not apply. Scope those static keys to what the server itself needs, and make sure an unauthenticated request cannot reach this path.
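The Authentication Flow, Credential Caching and Fallback sections above describe one mechanism; the following is an added example, not the project's code, that puts them together as working Python: an STS AssumeRoleWithWebIdentity exchange, a per-user cache whose entries live for the documented 50 minutes (expiry minus a 10-minute buffer), an invalidate hook for the "invalid credentials: re-authenticates via OBO" error path, and the environment fallback used only when no user token is present. The STS call is injectable so the logic runs offline; `exchange_with_sts` shows the real boto3 call, `fake_exchange` and `ManualClock` are constructed stand-ins, and the role ARN, session-name prefix and class names are this example's assumptions.

```python
from __future__ import annotations

import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional, Tuple

SESSION_SECONDS = 3600   # 50 min TTL + 10 min buffer implies 1-hour assumed-role sessions
BUFFER_SECONDS = 600     # never hand out credentials within 10 min of their expiry
MAX_TTL_SECONDS = 3000   # 50 minutes, the documented cache TTL


@dataclass
class AwsCreds:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str]
    expires_at: Optional[float]   # epoch seconds; None for static keys
    source: str                   # "obo" (per-user STS) or "env" (server fallback)


Exchanger = Callable[[str, str, str], AwsCreds]


def exchange_with_sts(web_identity_token: str, role_arn: str, session_name: str) -> AwsCreds:
    """The real exchange. AssumeRoleWithWebIdentity is an unsigned STS call, so
    the server needs no AWS credentials of its own to make it. boto3 is
    imported lazily so the rest of this module runs without it."""
    import boto3
    resp = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name,
        WebIdentityToken=web_identity_token, DurationSeconds=SESSION_SECONDS)
    c = resp["Credentials"]
    return AwsCreds(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"],
                    c["Expiration"].timestamp(), "obo")


def fallback_from_env(env: Mapping[str, str]) -> AwsCreds:
    """Static server credentials: these carry the server's identity, not the caller's."""
    try:
        return AwsCreds(env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"],
                        env.get("AWS_SESSION_TOKEN"), None, "env")
    except KeyError as e:
        raise RuntimeError(f"no user token and fallback variable {e} is unset") from None


class CredentialCache:
    """Per-user OBO credential cache (the in-memory layer of the documented
    Redis + in-memory design; a Redis layer would hold the same entries)."""

    def __init__(self, role_arn: str, exchange: Exchanger = exchange_with_sts,
                 clock: Callable[[], float] = time.time,
                 fallback_env: Optional[Mapping[str, str]] = None):
        self._role_arn, self._exchange, self._clock = role_arn, exchange, clock
        self._env = os.environ if fallback_env is None else fallback_env
        self._store: Dict[str, Tuple[AwsCreds, float]] = {}  # user_id -> (creds, cache deadline)
        self.exchanges = 0  # STS round-trips made, observable for the offline demo

    def get(self, user_id: str, azure_token: Optional[str]) -> AwsCreds:
        if azure_token is None:                       # the page's Fallback path
            return fallback_from_env(self._env)
        now = self._clock()
        entry = self._store.get(user_id)
        if entry is not None and now < entry[1]:
            return entry[0]                           # cache hit
        # Miss or past the deadline: exchange again (this is also the automatic
        # refresh for expired credentials). RoleSessionName allows only
        # [\w+=,.@-] and at most 64 chars, so the user id is sanitised.
        safe = "".join(ch if (ch.isascii() and ch.isalnum()) or ch in "+=,.@-" else "_"
                       for ch in user_id)[:60]
        creds = self._exchange(azure_token, self._role_arn, "mcp-" + safe)
        self.exchanges += 1
        expires = creds.expires_at if creds.expires_at is not None else now + SESSION_SECONDS
        self._store[user_id] = (creds, min(now + MAX_TTL_SECONDS, expires - BUFFER_SECONDS))
        return creds

    def invalidate(self, user_id: str) -> None:
        """'Invalid credentials' error path: drop the entry so the next call re-authenticates."""
        self._store.pop(user_id, None)


class ManualClock:
    """Controllable clock for the offline demo (constructed, not wall time)."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def fake_exchange(clock: Callable[[], float]) -> Exchanger:
    """Stand-in for STS in the offline demo: mints a one-hour credential.
    The values are constructed and are not real AWS material."""
    def exchange(token: str, role_arn: str, session_name: str) -> AwsCreds:
        return AwsCreds("ASIA" + token.upper(), "fake-secret", "fake-session",
                        clock() + SESSION_SECONDS, "obo")
    return exchange
```

With the real exchanger, `CredentialCache("arn:aws:iam::123456789012:role/ExampleMcpRole").get(user_id, token)` is the whole flow; the offline demo below swaps in `fake_exchange` to show the 50-minute boundary, the per-user key, and that the fallback is taken only when the token is absent.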

Common Commands

EC2

S3

Lambda

CloudWatch

IAM

Error Handling

  • Invalid credentials: Re-authenticates via OBO

  • Expired token: Automatic credential refresh

  • Permission denied: Returns error with required permissions

  • Service unavailable: Returns service status
