AWS SSO MCP Server
Provides AWS SSO-based access to accounts and commands across AWS resources via MCP-enabled AI assistants.
Configuration
{
  "mcpServers": {
    "aashari-mcp-server-aws-sso": {
      "url": "http://localhost:3000/mcp",
      "headers": {
        "DEBUG": "true",
        "AWS_REGION": "us-east-1",
        "AWS_SSO_REGION": "us-east-1",
        "AWS_SSO_START_URL": "https://your-company.awsapps.com/start"
      }
    }
  }
}

You connect AI copilots to your AWS IAM Identity Center (SSO) setup so you can query accounts, list resources, and run AWS commands or remote shell actions directly from your AI assistant. This MCP server handles authentication, credential management, and command execution across multiple accounts, enabling practical, natural-language workflows for DevOps, cloud architecture, and operations teams.
Use an MCP-compatible AI assistant to authenticate with AWS SSO and issue commands through the MCP server. You can ask to list accounts and roles, run AWS CLI commands, describe EC2/VPC/RDS resources, switch between accounts, monitor running resources, and execute shell commands on EC2 instances via Systems Manager. Start by logging in, listing available accounts, then choosing an account/role to run a command.
Prerequisites: Node.js v18+ and an AWS IAM Identity Center setup in your organization.
Step 1: Install the MCP server package globally so your AI assistant can connect to it.
Step 2: Configure access to AWS SSO by providing your Start URL and region when prompted or via environment variables.
Step 3: Start the MCP server in STDIO mode for local MCP clients, or run in HTTP mode for server-based integrations.
Step 4: Point your MCP client to the server transport and begin issuing commands.
{
  "aws-sso": {
    "type": "http",
    "name": "aws_sso_server",
    "url": "http://localhost:3000/mcp",
    "args": []
  }
}

{
  "aws-sso": {
    "type": "stdio",
    "name": "aws_sso_client",
    "command": "npx",
    "args": ["-y", "@aashari/mcp-server-aws-sso"],
    "env": {
      "AWS_SSO_START_URL": "https://your-company.awsapps.com/start",
      "AWS_REGION": "us-east-1"
    }
  }
}

The MCP server uses environment variables to configure AWS SSO access. Common keys include AWS_SSO_START_URL for the start URL, AWS_SSO_REGION or AWS_REGION for the AWS region, and AWS_PROFILE for CLI compatibility. Enable debug logging with DEBUG=true if you need detailed output.
All credentials are temporary and cached with automatic refresh. The tool runs locally on your machine and does not send your data to third-party servers unless you explicitly interact with network-enabled MCP transports. Ensure your AWS permissions align with the actions you perform and monitor token lifetimes.
If authentication fails, re-authenticate with AWS SSO, verify the Start URL and region, and confirm your account and role permissions are active. If AWS CLI commands fail because the AWS CLI is missing, install AWS CLI v2 and verify that the aws command is on your PATH. For EC2/SSM issues, ensure the target instance has the SSM Agent installed and the proper IAM role attached.
The MCP server supports both HTTP and STDIO transport modes. Use HTTP for server-based integrations and STDIO for local MCP clients. Environment variables and example commands shown here guide you through typical setups.
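The HTTP and STDIO client entries shown above call for different review: one points at a network listener, the other launches a package through npx. The linter below is an added example, not code from the project or the original page; its rules (plain HTTP only to loopback, pinned npx package, https start URL, DEBUG off) are review assumptions, and the `aws-sso-remote` entry with its host name is constructed.

```javascript
// Added example (not the project's code). The checks are illustrative
// review rules, not behaviour the server enforces.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);
const REGION_SHAPE = /^[a-z]{2}(-[a-z]+)+-\d$/; // loose shape check only

function lintEntry(name, entry) {
  const findings = [];
  // The page's samples carry settings in "env" (STDIO) or "headers" (HTTP).
  const settings = { ...(entry.headers || {}), ...(entry.env || {}) };

  if (entry.url) {
    let u = null;
    try { u = new URL(entry.url); } catch { findings.push("url does not parse"); }
    if (u && u.protocol === "http:" && !LOOPBACK.has(u.hostname)) {
      findings.push("plain-HTTP transport to non-loopback host " + u.hostname);
    }
  } else if (entry.command === "npx") {
    // npx -y installs without prompting; an unpinned spec takes whatever is latest.
    const pkg = (entry.args || []).find((a) => !a.startsWith("-"));
    if (pkg && pkg.lastIndexOf("@") <= 0) {
      findings.push("npx package " + pkg + " is not version-pinned");
    }
  } else if (!entry.command) {
    findings.push("neither url (HTTP) nor command (STDIO) is set");
  }

  // Values are validated only when present: the page says the start URL and
  // region can also be supplied when prompted.
  const start = settings.AWS_SSO_START_URL;
  if (start && !/^https:\/\//i.test(start)) findings.push("AWS_SSO_START_URL is not https");
  const region = settings.AWS_SSO_REGION || settings.AWS_REGION;
  if (region && !REGION_SHAPE.test(region)) findings.push("region looks malformed: " + region);
  if (String(settings.DEBUG).toLowerCase() === "true") {
    findings.push("DEBUG=true left on (detailed output)");
  }
  return findings.map((f) => name + ": " + f);
}

function lintConfig(config) {
  const servers = config.mcpServers || config; // both shapes appear on the page
  return Object.entries(servers).flatMap(([n, e]) => lintEntry(n, e));
}

// Constructed sample: the page's STDIO entry plus a hypothetical remote HTTP entry.
const sample = {
  "aws-sso": { type: "stdio", command: "npx", args: ["-y", "@aashari/mcp-server-aws-sso"],
    env: { AWS_SSO_START_URL: "https://your-company.awsapps.com/start", AWS_REGION: "us-east-1" } },
  "aws-sso-remote": { type: "http", url: "http://mcp.example.internal:3000/mcp", headers: { DEBUG: "true" } },
};
console.log(lintConfig(sample).join("\n"));
```

Run it with Node.js v18+ against the client configuration you actually deploy; an empty result means none of these assumed rules fired, not that the setup is secure.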
Initiates the AWS SSO device authorization flow, caches tokens, and handles re-authentication when needed.
Checks current authentication status and token expiration.
Lists all accessible AWS accounts and the roles you can assume.
Executes an AWS CLI command using SSO credentials for a specified account/role, with optional region.
Executes a shell command on an EC2 instance via AWS Systems Manager (SSM) without SSH.