Interact with AWS resources using Single Sign-On (SSO). Supports SSO login, listing accounts/roles, and executing AWS CLI commands.
A Node.js/TypeScript Model Context Protocol (MCP) server for AWS Single Sign-On (SSO). Enables AI systems (e.g., LLMs like Claude or Cursor AI) to securely interact with AWS resources by initiating SSO login, listing accounts/roles, and executing AWS CLI commands using temporary credentials.
Model Context Protocol (MCP) is an open standard for securely connecting AI systems to external tools and data sources. This server implements MCP for AWS SSO, enabling AI assistants to manage AWS resources programmatically.
https://your-sso-portal.awsapps.com/start).
Edit or create ~/.mcp/configs.json:
{
  "aws-sso": {
    "environments": {
      "AWS_REGION": "us-east-1",
      "AWS_SSO_START_URL": "https://your-sso-portal.awsapps.com/start",
      "DEBUG": "true"
    }
  }
}
export AWS_REGION=us-east-1
export AWS_SSO_START_URL=https://your-sso-portal.awsapps.com/start
export DEBUG=true
npx
npx -y @aashari/mcp-server-aws-sso login
npm install -g @aashari/mcp-server-aws-sso
mcp-aws-sso login
Configure your MCP-compatible client (e.g., Claude, Cursor AI):
{
  "mcpServers": {
    "aws-sso": {
      "command": "npx",
      "args": ["-y", "@aashari/mcp-server-aws-sso"]
    }
  }
}
MCP tools use snake_case names, camelCase parameters, and return Markdown-formatted responses.
launchBrowser: bool opt, autoPoll: bool opt). Use: Log in to AWS SSO.
accountId: str req, roleName: str req, command: str req, region: str opt). Use: Run aws s3 ls.
instanceId: str req, accountId: str req, roleName: str req, command: str req, region: str opt). Use: Check EC2 disk space.
aws_sso_login
Basic Login:
{}
Custom Login Options:
{
  "launchBrowser": false,
  "autoPoll": true
}
aws_sso_status
Check Authentication Status:
{}
aws_sso_ls_accounts
List All Accounts and Roles:
{}
aws_sso_exec_command
List S3 Buckets:
{
  "accountId": "123456789012",
  "roleName": "ReadOnly",
  "command": "aws s3 ls"
}
Describe EC2 Instances in a Specific Region:
{
  "accountId": "123456789012",
  "roleName": "AdminRole",
  "command": "aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,InstanceType]' --output table",
  "region": "us-west-2"
}
aws_sso_ec2_exec_command
Check System Resources:
{
  "instanceId": "i-0a69e80761897dcce",
  "accountId": "123456789012",
  "roleName": "InfraOps",
  "command": "uptime && df -h && free -m"
}
This server supports two transport modes for different integration scenarios:
# Run with STDIO transport (default for AI assistants)
TRANSPORT_MODE=stdio npx @aashari/mcp-server-aws-sso
# Using npm scripts (after installation)
npm run mcp:stdio
# Run with HTTP transport (default when no CLI args)
TRANSPORT_MODE=http npx @aashari/mcp-server-aws-sso
# Using npm scripts (after installation)
npm run mcp:http
# Test with MCP Inspector
npm run mcp:inspect
Transport Configuration:
TRANSPORT_MODE: Set to stdio or http (default: http for server mode, stdio for MCP clients)
PORT: HTTP server port (default: 3000)
DEBUG: Enable debug logging (default: false)
Authentication:
AWS_SSO_START_URL: Your AWS SSO start URL
AWS_SSO_REGION: Your AWS SSO region
AWS_PROFILE: Your AWS profile name (optional)
AWS_REGION: Your AWS region (optional)
CLI commands use kebab-case. Run --help for details (e.g., mcp-aws-sso login --help).
--no-launch-browser, --no-auto-poll). Ex: mcp-aws-sso login.
mcp-aws-sso status.
mcp-aws-sso ls-accounts.
--account-id, --role-name, --command, --region). Ex: mcp-aws-sso exec-command --account-id 123456789012 --role-name ReadOnly --command "aws s3 ls".
--instance-id, --account-id, --role-name, --command, --region). Ex: mcp-aws-sso ec2-exec-command --instance-id i-0a69e80761897dcce --account-id 123456789012 --role-name InfraOps --command "uptime".
Standard Login (launches browser and polls automatically):
mcp-aws-sso login
Login without Browser Launch:
mcp-aws-sso login --no-launch-browser
List S3 Buckets:
mcp-aws-sso exec-command \
  --account-id 123456789012 \
  --role-name ReadOnly \
  --command "aws s3 ls"
List EC2 Instances with Specific Region:
mcp-aws-sso exec-command \
  --account-id 123456789012 \
  --role-name AdminRole \
  --region us-west-2 \
  --command "aws ec2 describe-instances --output table"
Check System Resources:
mcp-aws-sso ec2-exec-command \
  --instance-id i-0a69e80761897dcce \
  --account-id 123456789012 \
  --role-name InfraOps \
  --command "uptime && df -h && free -m"
All responses are Markdown-formatted, including:
aws_sso_exec_command)
# AWS SSO: Command Result
**Account/Role:** 123456789012/ReadOnly
**Region:** us-east-1 (Default: ap-southeast-1)
## Command
aws s3 ls
## Output
2023-01-15 08:42:53 my-bucket-1
2023-05-22 14:18:19 my-bucket-2
2024-02-10 11:05:37 my-logs-bucket
*Executed: 2025-05-19 06:21:49 UTC*
# ❌ AWS SSO: Command Error
**Account/Role:** 123456789012/ReadOnly
**Region:** us-east-1 (Default: ap-southeast-1)
## Command
aws s3api get-object --bucket restricted-bucket --key secret.txt output.txt
## Error: Permission Denied
The role `ReadOnly` does not have permission to execute this command.
## Error Details
An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
### Troubleshooting
#### Available Roles
- AdminAccess
- PowerUserAccess
- S3FullAccess
Try executing the command again using one of the roles listed above that has appropriate permissions.
*Executed: 2025-05-19 06:17:49 UTC*
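The error response above lists other roles and suggests retrying with them, and aws_sso_exec_command accepts any command string, so a client-side gate can pin which account/role pairs and which AWS CLI operations an assistant is allowed to request. The following TypeScript check is an added example, not code from this project; the parameter names are the ones documented on this page, while the policy values and the function names are assumptions.

```typescript
// Added example: pre-execution policy check for aws_sso_exec_command arguments.
// ALLOWED_ROLES, ALLOWED_REGIONS and checkExecRequest are hypothetical names and values.
interface ExecArgs { accountId: string; roleName: string; command: string; region?: string }
interface Verdict { allowed: boolean; reason: string }

// Account/role pairs the assistant may use (a Map avoids Object.prototype key lookups).
const ALLOWED_ROLES = new Map<string, string[]>([["123456789012", ["ReadOnly"]]]);
const ALLOWED_REGIONS = ["us-east-1", "us-west-2"];
// Listing and describing only. get-* is left out on purpose: those calls return
// object or secret contents rather than metadata.
const READ_ONLY_OP = /^(ls|describe-[a-z0-9-]+|list-[a-z0-9-]+)$/;
// Characters that let one command string carry a second command or a redirect.
const SHELL_META = /[;&|`$<>\\\n\r]/;
// AWS CLI global options that change where requests go or what gets logged.
const DENIED_OPTIONS = ["--endpoint-url", "--profile", "--debug", "--no-verify-ssl"];

function deny(reason: string): Verdict {
  return { allowed: false, reason };
}

function checkExecRequest(args: ExecArgs): Verdict {
  const roles = ALLOWED_ROLES.get(args.accountId) ?? [];
  if (!roles.includes(args.roleName)) return deny("role not permitted for this account");
  if (args.region !== undefined && !ALLOWED_REGIONS.includes(args.region)) {
    return deny("region not permitted");
  }
  if (SHELL_META.test(args.command)) return deny("shell metacharacter in command");

  const [tool, service, operation, ...rest] = args.command.trim().split(/\s+/);
  if (tool !== "aws" || !service || !operation) {
    return deny("expected: aws <service> <operation>");
  }
  // Options placed before the service name would shift the positions checked below.
  if (!/^[a-z][a-z0-9-]*$/.test(service)) return deny("options before the service name are refused");
  if (!READ_ONLY_OP.test(operation)) return deny(`operation ${operation} is not read-only`);

  const bad = rest.find((t) => DENIED_OPTIONS.some((o) => t === o || t.startsWith(o + "=")));
  if (bad) return deny(`option ${bad} is refused`);
  return { allowed: true, reason: "ok" };
}
```

With this policy, a retry of the failed request under AdminAccess is refused on the role check before any command is run.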
# Clone repository
git clone https://github.com/aashari/mcp-server-aws-sso.git
cd mcp-server-aws-sso
# Install dependencies
npm install
# Run in development mode
npm run dev:server
# Run tests
npm test
Contributions are welcome! Please:
git checkout -b feature/xyz).
git commit -m "Add xyz feature").
git push origin feature/xyz).
See CONTRIBUTING.md for details.