View a markdown version of this page

Setting up the AWS MCP Server - Agent Toolkit for AWS
PrerequisitesSet up the AWS MCP ServerTroubleshooting authentication errors

Setting up the AWS MCP Server

This section outlines how you can set up your AWS MCP Server.

Prerequisites

Before you begin, you must ensure that you have set up an AWS account.

Sign up for an AWS account

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Create a user with administrative access

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

Secure your AWS account root user

  1. Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.

  2. Turn on multi-factor authentication (MFA) for your root user.

    For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

Create a user with administrative access

  1. Enable IAM Identity Center.

    For instructions, see Enabling AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

  2. In IAM Identity Center, grant administrative access to a user.

    For a tutorial about using the IAM Identity Center directory as your identity source, see Configure user access with the default IAM Identity Center directory in the AWS IAM Identity Center User Guide.

Sign in as the user with administrative access

  • To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

    For help signing in using an IAM Identity Center user, see Signing in to the AWS access portal in the AWS Sign-In User Guide.

Assign access to additional users

  1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

    For instructions, see Create a permission set in the AWS IAM Identity Center User Guide.

  2. Assign users to a group, and then assign single sign-on access to the group.

    For instructions, see Add groups in the AWS IAM Identity Center User Guide.

Set up the AWS MCP Server

To set up AWS MCP Server, use the steps in the following sections.

Step 1: (If applicable) Remove conflicting MCP servers

If you currently have AWS API MCP Server or AWS Knowledge MCP Server installed, we recommend removing them before setting up the AWS MCP Server to avoid tool conflicts that can confuse AI agents and reduce performance.

To remove existing AWS MCP servers:

  1. Open your MCP client configuration file.

  2. Remove any entries for these servers:

    • aws-api-mcp-server

    • aws-knowledge-mcp-server

  3. Save the configuration file.

  4. Restart your MCP client to apply the changes.

Step 2: Configure AWS credentials

Before connecting to AWS MCP Server, you need to configure AWS credentials on your local machine. The server uses these credentials to authenticate your requests.

You can use the SigV4 via Proxy to authenticate the AWS MCP Server. SigV4 via Proxy uses your available AWS credentials and requires the MCP Proxy for AWS. The MCP Proxy for AWS handles SigV4 signing and credential management between your MCP client and the AWS MCP Server. No separate installation is required — the uvx mcp-proxy-for-aws@latest command in your MCP client configuration automatically downloads and runs the latest version of the proxy each time your MCP client starts. For the full list of configuration options, see the MCP Proxy for AWS repository on GitHub.

For detailed information about configuring AWS credentials, see Sign in with the aws login command in the AWS CLI User Guide.

Important

AWS MCP Server requires valid AWS credentials for the duration of your development session. We strongly recommend using a credential method that supports automatic renewal, such as aws login or aws configure sso. Expired credentials would prevent the MCP server from being initialized, making all AWS tools unavailable until you restart your MCP client with valid AWS credentials.

Note

If your authentication step worked previously but you have encountered an authentication error, you might need to refresh your credentials and try again. See Troubleshooting authentication errors for common authentication errors and how to resolve them.

  1. Install the AWS CLI by following the instructions at Installing the AWS CLI.

  2. Configure your AWS credentials using one of these methods:

    For users with AWS Management Console credentials (Recommended)

    From the AWS CLI, run the following command:

    aws login

    This is the recommended method because the AWS SDK automatically rotates your credentials every 15 minutes within the session, eliminating credential expiry during normal use. Your session remains valid for up to 12 hours without any manual intervention.

    Note

    AWS Management Console credentials means that you have a username and password that allows you to sign in to the console. To use this method, you need the AWS CLI version 2.32.0 or later.

    For SSO users (Recommended)

    aws configure sso

    Follow the prompts to set up your SSO configuration. SSO credentials support automatic renewal through cached refresh tokens. The SDK silently obtains new access tokens and role session credentials without requiring you to re-authenticate.

    Tip

    For administrators: The default SSO session duration is 1 hour. You can extend this up to 12 hours in your IAM Identity Center settings to reduce the frequency of re-authentication for your team.

    For IAM users

    aws configure

    Enter your Access Key ID, Secret Access Key, default region, and output format.

    Warning

    Static IAM access keys do not support automatic credential renewal and are not recommended for use with AWS MCP Server. If you must use IAM access keys, be aware that AWS recommends rotating them every 90 days. Where possible, use aws login or aws configure sso instead.

    For cross-account access (assume-role)

    If you need to access AWS resources in a different account, you can configure an assume-role profile in your ~/.aws/config file. The AWS SDK handles credential refresh transparently for this method.

    [profile my-role]
role_arn = arn:aws:iam::123456789012:role/MyRole
source_profile = default
region = us-east-1

    Then set the AWS_PROFILE environment variable or pass the profile name in your MCP client configuration.

  3. Test your configuration:

    aws sts get-caller-identity

  4. Install uv (if not already installed)

    On macOS and Linux

    curl -LsSf https://astral.sh/uv/install.sh | sh
    Windows

    powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"

Step 3: Configure your MCP client

AWS MCP Server is available in the following AWS Regions:

  • US East (N. Virginia) – us-east-1: https://aws-mcp.us-east-1.api.aws/mcp

  • Europe (Frankfurt) – eu-central-1: https://aws-mcp.eu-central-1.api.aws/mcp

Replace the endpoint URL in the configuration examples below with the endpoint for your preferred Region. When configuring the SigV4 proxy, append /mcp to the base endpoint URL as shown in the following examples.

The endpoint Region determines which MCP server you connect to, while the AWS_REGION metadata parameter sets the default Region for the AWS operations the server performs on your behalf. These can be different — for example, you can connect to the us-east-1 endpoint while operating on resources in us-west-2.

Set your default AWS Region by adding the --metadata parameter with AWS_REGION. Without this setting, all AWS operations default to us-east-1.

Note

Replace us-west-2 with your preferred default AWS Region.

Region behavior:

  • Without --metadata and AWS_REGION: Operations default to us-east-1

  • With --metadata and AWS_REGION: Operations use your specified Region

  • In queries: You can override by specifying a Region (example: "list my EC2 instances in eu-west-1")

Kiro CLI
{
  "mcpServers": {
    "aws-mcp": {
      "command": "uvx",
      "timeout": 100000,
      "transport": "stdio",
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://aws-mcp.us-east-1.api.aws/mcp",
        "--metadata", "AWS_REGION=us-west-2"
      ]
    }
  }
}
Kiro IDE
{
  "mcpServers": {
    "aws-mcp": {
      "command": "uvx",
      "timeout": 100000,
      "transport": "stdio",
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://aws-mcp.us-east-1.api.aws/mcp",
        "--metadata", "AWS_REGION=us-west-2"
      ]
    }
  }
}
Cursor IDE
{
  "mcpServers": {
    "aws-mcp": {
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://aws-mcp.us-east-1.api.aws/mcp",
        "--metadata", "AWS_REGION=us-west-2"
      ]
    }
  }
}
Claude Desktop
{
  "mcpServers": {
    "aws-mcp": {
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://aws-mcp.us-east-1.api.aws/mcp",
        "--metadata", "AWS_REGION=us-west-2"
      ]
    }
  }
}
Codex
[mcp_servers.aws_mcp]
command = "uvx"
args = [
  "mcp-proxy-for-aws@latest",
  "https://aws-mcp.us-east-1.api.aws/mcp",
  "--metadata", "AWS_REGION=us-west-2"
]
startup_timeout_sec = 60

Step 4: Understand IAM authorization

AWS MCP Server does not require separate IAM permissions to invoke the MCP server. Authorization occurs at the AWS service level using your existing IAM roles and policies. When an AI agent calls the AWS MCP Server, the server authenticates your request and forwards it to the appropriate AWS service. The AWS service then authorizes the request using your existing IAM permissions, just as it would for any direct API call.

Two global condition context keys are automatically added to all requests made through the AWS MCP Server:

  • aws:ViaAWSMCPService – Set to true for any request that passes through an AWS managed MCP server.

  • aws:CalledViaAWSMCP – Contains the service principal of the specific AWS managed MCP server (for example, aws-mcp.amazonaws.com).

You can use these context keys in your IAM policies to allow or deny actions initiated through any AWS managed MCP server. For more information about these context keys, see IAM condition context keys in the IAM User Guide.

The following examples show how to restrict access using these context keys.

Deny all operations via any AWS managed MCP server

{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
        "Bool": {
            "aws:ViaAWSMCPService": "true"
        }
    }
}
Deny specific operations via a specific AWS managed MCP server

{
    "Effect": "Deny",
    "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:CalledViaAWSMCP": "aws-mcp.amazonaws.com"
        }
    }
}
Note

If you previously configured IAM permissions using aws-mcp:InvokeMcp, aws-mcp:CallReadOnlyTool, or aws-mcp:CallReadWriteTool, we recommend that you remove these permissions from your policies as they no longer have any effect. If you used these permissions to deny access to AWS MCP Server, you must update your policies to use the context keys shown above.

Step 5: Test your connection

  1. Start your MCP client (Kiro CLI, Cursor, Claude Desktop, etc.).

  2. Wait for the MCP server to initialize (this may take a few minutes on first connection).

  3. Test the connection by asking your AI assistant:

    Example: What AWS Regions are available?

  4. Verify that tools are loaded by running (in Kiro CLI):

    /tools

    Or to see installed MCP servers:

    /mcp

You should see tools like aws___search_documentation and aws___retrieve_skill listed. For more information about the tools, see Understanding the MCP Server tools.

Troubleshooting authentication errors

Authentication errors can prevent the MCP server from initializing, which results in AWS MCP tools not being available to AI agents. If your AI agent is not using AWS MCP tools, an expired or missing credential is the most likely cause.

Use the following table to identify and resolve common authentication errors.

Common authentication errors
Error Cause Resolution
ExpiredTokenException: Your AWS session token has expired. Your temporary AWS credentials have expired. This is the most common authentication error, typically caused by short-lived session tokens (default 1 hour) expiring during development.

Refresh your credentials based on your authentication method:

  • aws login users: Run aws login again to start a new session. Consider switching to this method if you experience frequent expiry, as it auto-rotates credentials every 15 minutes.

  • SSO users: Run aws sso login --profile your-profile-name to refresh your SSO session.

  • Assume-role users: Refresh the source profile credentials, then the SDK will automatically re-assume the role.

After refreshing, restart your MCP client to re-initialize the server.
UnrecognizedClientException: The security token included in the request is not recognized. Your credentials are invalid. This can happen when credentials have been revoked, are from a different AWS partition, are malformed, or belong to a deleted IAM user or role.

Verify your credentials are valid:

  1. Run aws sts get-caller-identity to check if your credentials are recognized.

  2. If the command fails, reconfigure your credentials using aws login or aws configure sso.

  3. Ensure you are using credentials for the correct AWS partition (for example, aws vs. aws-cn).
InvalidSignatureException: The request signature we calculated does not match the signature you provided. The SigV4 signature does not match. Common causes include credentials scoped to the wrong service or Region, clock skew on your machine, or a request body that was modified after signing.

Try the following steps:

  1. Verify your system clock is accurate. Run date and compare with an authoritative time source. SigV4 requires your clock to be within 5 minutes of AWS servers.

  2. Ensure your credentials are configured for the correct AWS Region and service.

  3. Reconfigure your credentials and restart your MCP client.
No AWS credentials found. AWS credentials are not configured on your machine, or the credential provider chain cannot locate them.

Configure your credentials by following Step 2: Configure AWS credentials. We recommend using aws login for the simplest setup with automatic credential renewal.
Tip

To avoid credential expiry issues, use aws login (preferred) or aws configure sso. Both methods support automatic credential renewal, which prevents the most common authentication failures. For more information, see Step 2: Configure AWS credentials.