MCP.so
Sign In
Servers

secured-remote-mcp-server-on-aws

@komination

Overview

What is secured-remote-mcp-server-on-aws?

secured-remote-mcp-server-on-aws is a solution that securely publishes an MCP Server using API Gateway (HTTP) with OAuth2 authentication as the entry point, routing through a private Lambda inside a VPC to access S3. It provides a simple example returning S3 file lists but can be extended by implementing different MCP Server logic in Lambda.

How to use secured-remote-mcp-server-on-aws?

Clone the repository, set up the devcontainer environment, configure .env and .auto.tfvars, bootstrap HCP Terraform with terraform init/plan/apply, then obtain an OAuth access token using the just get-token command. Finally, configure an MCP Client (e.g., VSCode's mcp.json) with the API Gateway endpoint URL and Bearer token.

Key features of secured-remote-mcp-server-on-aws

  • OAuth2 authentication via API Gateway and Cognito
  • Private Lambda execution inside a VPC
  • S3 access through VPC endpoints
  • Terraform-based infrastructure as code
  • Devcontainer for reproducible development environment
  • HCP Terraform for deployment management
  • Supports both local and remote MCP clients

Use cases of secured-remote-mcp-server-on-aws

  • Securely exposing an MCP Server to external clients with authentication
  • Accessing private S3 buckets through a Lambda-based MCP endpoint
  • Portfolio demonstration of production-grade AWS infrastructure deployment
  • Extending the Lambda to access various other AWS resources via MCP

FAQ from secured-remote-mcp-server-on-aws

What authentication mechanism does it use?

OAuth2. The API Gateway entry point requires a Bearer token issued by AWS Cognito. Obtain the token via the provided just get-token command.

What are the prerequisites?

A devcontainer runtime environment, a GitHub-linked HCP Terraform account, and an AWS account with an IAM Identity Center user.

Where is the MCP Server code located?

In the /src directory, implemented with FastMCP in Python (main.py), with dependencies managed via uv and packaged as a Lambda Layer in /src/deps.

Does the server run inside a VPC?

Yes. The Lambda function is placed inside a VPC with private subnets. VPC endpoints for Lambda and S3 are used to avoid internet exposure.

What transport does the MCP server use?

HTTP. The server is exposed via API Gateway (HTTP type) and clients connect using the HTTP transport with a Bearer token in the Authorization header.

More from Cloud & Infrastructure