本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# Amazon ECS MCP 伺服器入門
本指南會逐步引導您設定 AI 程式碼助理並使用 Amazon ECS MCP Server 的步驟。您將了解如何設定環境、連線至伺服器,並透過自然語言互動開始管理您的 Amazon ECS 叢集。
**注意**
Amazon ECS MCP 伺服器目前為預覽版本,可能會有所變更。
## 先決條件
開始前,請確保您具備以下條件:
+ [建立可存取 Amazon ECS AWS 的帳戶](https://aws.amazon.com/resources/create-account/)
+ [AWS CLI 使用登入資料安裝和設定](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html)
+ [已安裝 Python 3.10\+](https://www.python.org/)
+ [已安裝的 uv](https://docs.astral.sh/uv/getting-started/installation/)
## 設定
### 確認 先決條件
檢查您的 Python 版本是否為 3.10 或更新版本
```
python3 --version
```
檢查 uv 安裝
```
uv --version
```
驗證 AWS CLI 組態
```
aws configure list
```
### 設定 IAM 許可
您需要 [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) 許可才能對 AWS 服務提出唯讀請求,並與 MCP 伺服器互動。您可以利用[AWS 受管政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)或單一自訂政策進行更精細的控制。
**選項 1:合併受管和自訂政策**
1. 連接 AWS 受管政策 **ReadOnlyAccess** 以唯讀存取所有 AWS 服務
1. 建立並連接 MCP 許可的其他自訂政策 (請參閱下面的 MCP 許可 JSON)
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MCPServerAccess",
"Effect": "Allow",
"Action": [
"ecs-mcp:InvokeReadOnlyTools",
"ecs-mcp:UseMcp"
],
"Resource": "*"
}
]
}
```
**選項 2:單一自訂政策 (最精細的控制)**
或者,您可以建立並連接包含 AWS 服務許可和 MCP 許可的單一自訂 JSON 政策:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MCPServerAccess",
"Effect": "Allow",
"Action": [
"ecs-mcp:InvokeReadOnlyTools",
"ecs-mcp:UseMcp"
],
"Resource": "*"
},
{
"Sid": "ECSReadOnlyAccess",
"Effect": "Allow",
"Action": [
"ecs:ListAccountSettings",
"ecs:ListClusters",
"ecs:ListContainerInstances",
"ecs:ListTaskDefinitions",
"ecs:ListServices",
"ecs:ListServiceDeployments",
"ecs:ListTasks",
"ecs:DescribeClusters",
"ecs:DescribeCapacityProviders",
"ecs:DescribeContainerInstances",
"ecs:DescribeTaskDefinition",
"ecs:DescribeServices",
"ecs:DescribeServiceDeployments",
"ecs:DescribeServiceRevisions",
"ecs:DescribeTaskSets",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Sid": "CloudWatchLogsReadOnlyAccess",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": "*"
},
{
"Sid": "ELBReadOnlyAccess",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeListeners"
],
"Resource": "*"
},
{
"Sid": "EC2ReadOnlyAccess",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeRouteTables",
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
},
{
"Sid": "ECRReadOnlyAccess",
"Effect": "Allow",
"Action": [
"ecr:DescribeRepositories",
"ecr:DescribeImages"
],
"Resource": "*"
}
]
}
```
### 選擇並設定 AI 助理
安裝 MCP 相容 AI 助理或任何 MCP 相容工具。例如,您可以使用 [Kiro](https://kiro.dev/)、[Cline](https://cline.bot/)、[游標](https://cursor.com/)或 [Claude Code](https://www.claude.com/product/claude-code)。然後將您的 AI 程式碼助理設定為透過 MCP Proxy 使用 Amazon ECS MCP 伺服器 AWS,這是安全、經過驗證的 Amazon ECS MCP 伺服器存取的必要項目。代理充當用戶端橋接器,使用本機 AWS 登入資料處理 AWS SigV4 身分驗證。以下範例使用 Kiro CLI。請遵循[此連結](https://kiro.dev/docs/cli/mcp/),進一步了解如何在 Kiro 中設定 MCP。
#### 尋找 MCP 組態檔案
+ **macOS/Linux:**
```
~/.kiro/settings/mcp.json
```
+ **Windows**:
```
%USERPROFILE%\.kiro\settings\mcp.json
```
如果組態檔案不存在,請建立組態檔案。
#### 新增 MCP 伺服器組態
請務必將區域 (`{region}`) 預留位置取代為您想要的區域 (例如 `us-west-2`)。如需區域的完整清單[AWS Fargate 上的 Linux 容器](AWS_Fargate-Regions.md#linux-regions),請參閱 。也請務必將`{profile}`預留位置取代為您的[AWS CLI 設定檔名稱](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html),例如 `default`。
**對於 Mac/Linux:**
```
{
"mcpServers": {
"ecs-mcp": {
"disabled": false,
"type": "stdio",
"command": "uvx",
"args": [
"mcp-proxy-for-aws@latest",
"https://ecs-mcp.{region}.api.aws/mcp",
"--service",
"ecs-mcp",
"--profile",
"{profile}",
"--region",
"{region}"
]
}
}
}
```
**用於 Windows:**
```
{
"mcpServers": {
"ecs-mcp": {
"disabled": false,
"type": "stdio",
"command": "uvx",
"args": [
"--from",
"mcp-proxy-for-aws@latest",
"mcp-proxy-for-aws.exe",
"https://ecs-mcp.{region}.api.aws/mcp",
"--service",
"ecs-mcp",
"--profile",
"{profile}",
"--region",
"{region}"
]
}
}
}
```
#### 驗證組態
重新啟動 Kiro CLI`kiro-cli`、,確認 MCP 伺服器已載入,`/mcp`並檢查可用的工具`/tools`。
#### 驗證您的設定
**測試連線**
向您的 AI 助理詢問一個簡單的問題來驗證連線:
```
List all ECS clusters in my AWS account
```
您應該會看到 Amazon ECS 叢集的清單。
#### 與使用 Amazon ECS MCP 伺服器的 AI 助理交談
**範例 1:監控部署**
```
Check deployment status for my web-service in production-cluster
Show me the ALB URL for my deployed service
Get service events for the last hour
```
**範例 2:調查容器運作狀態**
```
Show me all tasks that failed in the last 2 hours
Why are my containers failing health checks?
Display container logs for my api-service
```
**範例 3:故障診斷**
```
Analyze task failures in my production cluster
Check for image pull errors in the last 30 minutes
Why is my task definition stuck in DELETE_IN_PROGRESS state?
```
**範例 4:檢查組態**
```
Show me the network configuration for my web-service
What security groups are attached to my service?
List all VPC and subnet details for my ECS service
```
## 常見組態和最佳實務
### 多個 AWS 設定檔
如果您使用多個 AWS 帳戶,請建立個別的 MCP 伺服器組態。
**對於 Mac/Linux:**
```
{
"mcpServers": {
"ecs-mcp-prod": {
"disabled": false,
"type": "stdio",
"command": "uvx",
"args": [
"mcp-proxy-for-aws@latest",
"https://ecs-mcp.{region}.api.aws/mcp",
"--service",
"ecs-mcp",
"--profile",
"production",
"--region",
"us-west-2"
]
},
"ecs-mcp-dev": {
"disabled": false,
"type": "stdio",
"command": "uvx",
"args": [
"mcp-proxy-for-aws@latest",
"https://ecs-mcp.{region}.api.aws/mcp",
"--service",
"ecs-mcp",
"--profile",
"development",
"--region",
"us-east-1"
]
}
}
}
```
### 安全最佳實務
請勿透過允許的輸入機制傳遞秘密或敏感資訊:
+ 請勿在任何組態檔案中包含秘密或登入資料
+ 請勿在提示中直接將敏感資訊傳遞給模型
+ 請勿在任務定義或服務組態中包含秘密
+ 避免在應用程式日誌中記錄敏感資訊
+ 使用 或 參數存放區來存放敏感資訊
## 工具組態
如需工具和組態的完整清單,請參閱 [Amazon ECS MCP 伺服器工具組態](ecs-mcp-tool-configurations.md)。