

# Getting started with the Amazon ECS MCP server
<a name="ecs-mcp-getting-started"></a>

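This guide walks you through setting up and using the Amazon ECS MCP server with an AI code assistant. You will learn how to configure your environment, connect to the server, and start managing Amazon ECS clusters through natural-language interaction.

**Note**  
The Amazon ECS MCP server is currently in preview and is subject to change.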

## Prerequisites
<a name="ecs-mcp-prerequisites"></a>

Before you begin, make sure that you have done the following:
+ [Created an AWS account with access to Amazon ECS](https://aws.amazon.com/resources/create-account/)
+ [Installed the AWS CLI and configured it with credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html)
+ [Installed Python 3.10+](https://www.python.org/)
+ [Installed uv](https://docs.astral.sh/uv/getting-started/installation/)

## Setup
<a name="ecs-mcp-setup"></a>

### Verify prerequisites
<a name="ecs-mcp-verify-prerequisites"></a>

Check that your Python version is 3.10 or later:

```
python3 --version
```

Check the uv installation:

```
uv --version
```

Verify the AWS CLI configuration:

```
aws configure list
```

### Set up IAM permissions
<a name="ecs-mcp-iam-permissions"></a>

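You need [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) permissions to make read-only requests to AWS services and to interact with the MCP server. You can use [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html), or a single custom policy for finer-grained control.

**Option 1: Combine a managed policy with a custom policy**

1. Attach the AWS managed policy **ReadOnlyAccess** to get read-only access to all AWS services

1. Create and attach an additional custom policy for the MCP permissions (see the MCP permissions JSON below)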

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MCPServerAccess",
      "Effect": "Allow",
      "Action": [
        "ecs-mcp:InvokeReadOnlyTools",
        "ecs-mcp:UseMcp"
      ],
      "Resource": "*"
    }
  ]
}
```

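**Option 2: A single custom policy (most granular control)**

Alternatively, you can create and attach one custom JSON policy that contains both the AWS service permissions and the MCP permissions.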

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MCPServerAccess",
      "Effect": "Allow",
      "Action": [
        "ecs-mcp:InvokeReadOnlyTools",
        "ecs-mcp:UseMcp"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECSReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ecs:ListAccountSettings",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListTaskDefinitions",
        "ecs:ListServices",
        "ecs:ListServiceDeployments",
        "ecs:ListTasks",
        "ecs:DescribeClusters",
        "ecs:DescribeCapacityProviders",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeServices",
        "ecs:DescribeServiceDeployments",
        "ecs:DescribeServiceRevisions",
        "ecs:DescribeTaskSets",
        "ecs:DescribeTasks"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogsReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ELBReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeListeners"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EC2ReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeRepositories",
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    }
  ]
}
```
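
A custom policy like the one above tends to grow over time, so it helps to check that it still grants only read access. The following is an added example, not part of the AWS documentation: `audit_policy`, the verb-prefix heuristic, and the sample policy are assumptions made for illustration.

```python
import json

# Assumption: action names that begin with these verbs are read-only.
# This is a review heuristic, not a list defined by AWS.
READ_ONLY_VERBS = ("list", "describe", "get", "filter")
# The two MCP actions the page grants in its MCPServerAccess statement.
MCP_ACTIONS = {"ecs-mcp:invokereadonlytools", "ecs-mcp:usemcp"}


def _as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> list[str]:
    """Return one finding per Allow grant that is not plainly read-only."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every unlisted action")
        for action in _as_list(stmt.get("Action", [])):
            _, _, name = action.lower().partition(":")
            if action.lower() in MCP_ACTIONS:
                continue
            if "*" in action:
                findings.append(f"{sid}: wildcard {action} needs manual review")
            elif not name.startswith(READ_ONLY_VERBS):
                findings.append(f"{sid}: {action} is not a read-only action name")
    return findings


# Constructed sample: the page's MCP statement plus two statements that drift
# away from read-only access.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "MCPServerAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["ecs-mcp:InvokeReadOnlyTools", "ecs-mcp:UseMcp"]},
    {"Sid": "ECSAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["ecs:ListClusters", "ecs:DescribeServices", "ecs:UpdateService"]},
    {"Sid": "LogsAccess", "Effect": "Allow", "Resource": "*", "Action": "logs:*"},
]})

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

A read-only verb does not mean the data returned is harmless, so treat an empty result as a starting point for review.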

### Choose and configure an AI assistant
<a name="ecs-mcp-configure-assistant"></a>

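Install an MCP-compatible AI assistant or any other MCP-compatible tool. For example, you can use [Kiro](https://kiro.dev/), [Cline](https://cline.bot/), [Cursor](https://cursor.com/), or [Claude Code](https://www.claude.com/product/claude-code). Then set up your AI code assistant to use the Amazon ECS MCP server through the MCP Proxy for AWS, which is required for secure, authenticated access to the Amazon ECS MCP server. The proxy acts as a client-side bridge and handles AWS SigV4 authentication using your local AWS credentials. The following example uses the Kiro CLI. See this [link](https://kiro.dev/docs/cli/mcp/) for more information about setting up MCP in Kiro.

#### Locate the MCP configuration file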
<a name="ecs-mcp-kiro-config-file"></a>
+ **macOS/Linux:**

  ```
  ~/.kiro/settings/mcp.json
  ```
+ **Windows:**

  ```
  %USERPROFILE%\.kiro\settings\mcp.json
  ```

If the configuration file does not exist, create it.

#### Add the MCP server configuration
<a name="ecs-mcp-kiro-add-config"></a>

Be sure to replace the region placeholder (`{region}`) with the Region you want to use (for example, `us-west-2`). For the full list of Regions, see [Linux containers on AWS Fargate](AWS_Fargate-Regions.md#linux-regions). Also be sure to replace the `{profile}` placeholder with your [AWS CLI profile name](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html) (for example, `default`).

**For Mac/Linux:**

```
{
  "mcpServers": {
    "ecs-mcp": {
      "disabled": false,
      "type": "stdio",
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://ecs-mcp.{region}.api.aws/mcp",
        "--service",
        "ecs-mcp",
        "--profile",
        "{profile}",
        "--region",
        "{region}"
      ]
    }
  }
}
```

**For Windows:**

```
{
  "mcpServers": {
    "ecs-mcp": {
      "disabled": false,
      "type": "stdio",
      "command": "uvx",
      "args": [
        "--from",
        "mcp-proxy-for-aws@latest",
        "mcp-proxy-for-aws.exe",
        "https://ecs-mcp.{region}.api.aws/mcp",
        "--service",
        "ecs-mcp",
        "--profile",
        "{profile}",
        "--region",
        "{region}"
      ]
    }
  }
}
```

#### Verify the configuration
<a name="ecs-mcp-kiro-verify"></a>

Restart the Kiro CLI (`kiro-cli`), verify that the MCP server is loaded with `/mcp`, and check the available tools with `/tools`.

#### Verify your setup
<a name="ecs-mcp-verify-setup"></a>

**Test the connection**

Ask your AI assistant a simple question to verify the connection:

```
List all ECS clusters in my AWS account
```

You should see a list of your Amazon ECS clusters.

#### Talk to your AI assistant using the Amazon ECS MCP server
<a name="ecs-mcp-first-tasks"></a>

**Example 1: Monitor deployments**

```
Check deployment status for my web-service in production-cluster
Show me the ALB URL for my deployed service
Get service events for the last hour
```

**Example 2: Investigate container health**

```
Show me all tasks that failed in the last 2 hours
Why are my containers failing health checks?
Display container logs for my api-service
```

**Example 3: Troubleshoot failures**

```
Analyze task failures in my production cluster
Check for image pull errors in the last 30 minutes
Why is my task definition stuck in DELETE_IN_PROGRESS state?
```

**Example 4: Inspect configuration**

```
Show me the network configuration for my web-service
What security groups are attached to my service?
List all VPC and subnet details for my ECS service
```

## Common configurations and best practices
<a name="ecs-mcp-common-configs"></a>

### Multiple AWS profiles
<a name="ecs-mcp-multiple-profiles"></a>

If you work with multiple AWS accounts, create a separate MCP server configuration for each one.

**For Mac/Linux:**

```
{
  "mcpServers": {
    "ecs-mcp-prod": {
      "disabled": false,
      "type": "stdio",
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://ecs-mcp.us-west-2.api.aws/mcp",
        "--service",
        "ecs-mcp",
        "--profile",
        "production",
        "--region",
        "us-west-2"
      ]
    },
    "ecs-mcp-dev": {
      "disabled": false,
      "type": "stdio",
      "command": "uvx",
      "args": [
        "mcp-proxy-for-aws@latest",
        "https://ecs-mcp.us-east-1.api.aws/mcp",
        "--service",
        "ecs-mcp",
        "--profile",
        "development",
        "--region",
        "us-east-1"
      ]
    }
  }
}
```

### Security best practices
<a name="ecs-mcp-security-best-practices"></a>

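Do not pass secrets or sensitive information through the allowed input mechanisms:
+ Do not include secrets or credentials in any configuration file
+ Do not pass sensitive information directly to the model in prompts
+ Do not include secrets in task definitions or service configurations
+ Avoid logging sensitive information in application logs
+ Use Parameter Store to store sensitive information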
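
The first rule in this list, together with the placeholder instructions in the MCP server configuration section, can be checked mechanically before an `mcp.json` file is saved or committed. The following is an added example, not part of the AWS documentation: `check_mcp_config`, the sample servers, and the `env` key in the last sample entry are constructed for illustration, and the access key ID shown is the placeholder value AWS uses in its own documentation.

```python
import json
import re

PLACEHOLDER = re.compile(r"\{(?:region|profile)\}")
ENDPOINT = re.compile(r"^https://ecs-mcp\.([a-z0-9-]+)\.api\.aws/mcp$")
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary).
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_NAME = re.compile(r"aws_secret_access_key|aws_session_token", re.I)


def check_mcp_config(text: str) -> list[str]:
    """Return findings for one mcp.json document given as text."""
    findings = []
    if ACCESS_KEY_ID.search(text) or SECRET_NAME.search(text):
        findings.append("file: looks like it contains AWS credentials")
    for name, server in json.loads(text).get("mcpServers", {}).items():
        args = [a for a in server.get("args", []) if isinstance(a, str)]
        findings += [f"{name}: unreplaced placeholder in {a}" for a in args
                     if PLACEHOLDER.search(a)]
        # The endpoint URL and --region are filled from the same {region}
        # placeholder, so they should name the same Region.
        url_region = next((m.group(1) for a in args if (m := ENDPOINT.match(a))), None)
        flag_region = args[args.index("--region") + 1] if "--region" in args[:-1] else None
        if url_region and flag_region and url_region != flag_region:
            findings.append(f"{name}: endpoint is {url_region} but --region is {flag_region}")
    return findings


def _server(url, profile, region, **extra):
    """Build one server entry in the shape the page uses (Mac/Linux form)."""
    return {"disabled": False, "type": "stdio", "command": "uvx", "args": [
        "mcp-proxy-for-aws@latest", url, "--service", "ecs-mcp",
        "--profile", profile, "--region", region], **extra}


# Constructed sample: one clean entry and three entries with one problem each.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "ecs-mcp-ok": _server("https://ecs-mcp.us-west-2.api.aws/mcp", "production", "us-west-2"),
    "ecs-mcp-tmpl": _server("https://ecs-mcp.{region}.api.aws/mcp", "production", "us-west-2"),
    "ecs-mcp-dev": _server("https://ecs-mcp.us-east-1.api.aws/mcp", "development", "us-west-2"),
    "ecs-mcp-key": _server("https://ecs-mcp.us-east-1.api.aws/mcp", "default", "us-east-1",
                           env={"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}),
}})

if __name__ == "__main__":
    for finding in check_mcp_config(SAMPLE_CONFIG):
        print(finding)
```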

## Tool configurations
<a name="ecs-mcp-next-steps"></a>

For the complete list of tools and configurations, see [Amazon ECS MCP server tool configurations](ecs-mcp-tool-configurations.md).