Setting up the AWS MCP Server
If you already have an AWS account, skip to Set up the AWS MCP Server. If you are new to AWS,
sign up for an AWS account
Set up the AWS MCP Server
AWS MCP Server supports two authentication methods. The following describes both options, followed by a decision guide to help you choose.
-
Option A: OAuth (simple) — Connect to AWS MCP Server using OAuth. If you are a human user, you authenticate in your browser. If you are running an automated agent, it authenticates by requesting a token. Works for web clients (such as Claude.ai and ChatGPT.com) and most IDE, terminal, or desktop-based clients. Use this option if you are new to AWS and use a single account, or if you interact through web clients.
-
Option B: SigV4 (advanced) — Authenticate using the AWS CLI, then use the MCP Proxy for AWS to sign requests with SigV4 credentials. Use this option if you use terminal or IDE-based coding agents (such as Claude Code, Kiro, and Codex), or if you need to switch between AWS accounts frequently.
Choosing an authentication method
Use the following questions to determine which authentication method fits your use case:
| Question | Use |
|---|---|
Do you want to get started without installing uvx,
installing the AWS CLI, or configuring local credentials? |
OAuth |
| Does your client only support remote MCP servers (no local process)? | OAuth |
| Does your agent need access across multiple AWS accounts in the same session? | SigV4 |
| Do you need read-only mode (hide write-capable tools from the agent entirely)? | SigV4 |
Does your organization restrict the signin:AuthorizeOAuth2Access
and signin:CreateOAuth2Token permissions needed for
browser-based OAuth login? |
SigV4 |
| Do you need to set a default AWS Region for your agentic session (without specifying it in every query)? | SigV4 |
| Does your client not support the OAuth flow but can run a local MCP proxy? | SigV4 |
Topics
Step 1: (If applicable) Remove conflicting MCP servers
If you are currently using the AWS API MCP Server or AWS Knowledge MCP Server, we recommend switching to the AWS MCP Server. The AWS MCP Server is a managed remote MCP server that reduces setup and maintenance effort and offers enhanced security controls through IAM condition keys.
To switch, remove the older servers from your MCP client configuration to avoid tool conflicts that can confuse AI agents and reduce performance.
To remove existing AWS MCP servers:
-
Open your MCP client configuration file (for example,
~/.kiro/settings/mcp.jsonfor Kiro). -
Remove any entries for these servers:
aws-api-mcp-serveraws-knowledge-mcp-server
-
Save the configuration file.
-
Restart your MCP client to apply the changes.
Step 2: Configure authentication and connect
AWS MCP Server supports the following AWS Regions:
-
US East (N. Virginia) –
us-east-1:https://aws-mcp.us-east-1.api.aws/mcp -
Europe (Frankfurt) –
eu-central-1:https://aws-mcp.eu-central-1.api.aws/mcp
Step 3: Test your connection
-
Start your MCP client (Kiro CLI, Cursor, Claude Desktop, or a similar client).
-
Wait for the MCP server to initialize (this might take a few minutes on the first connection).
-
Test the connection by asking your AI assistant:
Example: What AWS Regions are available?
-
Verify that tools are loaded by running (in Kiro CLI):
/toolsOr to see installed MCP servers:
/mcp
You should see tools like aws___search_documentation and aws___retrieve_skill listed. For
more information about the tools, see Understanding the MCP Server tools.
Troubleshooting authentication errors
Authentication errors can prevent the MCP server from initializing. When this happens, your AI agent cannot use AWS MCP tools. If your AI agent is not using AWS MCP tools, an expired or missing credential is the most likely cause.
Use the following table to identify and resolve common authentication errors.
| Error | Cause | Resolution |
|---|---|---|
ExpiredTokenException: Your AWS session token has expired. |
Your temporary AWS credentials have expired. This is the most common authentication error. Short-lived session tokens (default 1 hour) typically expire during development. |
Refresh your credentials based on your authentication method:
After refreshing, restart your MCP client to re-initialize the server. |
UnrecognizedClientException: The security token included in the request
is not recognized. |
Your credentials are invalid. This can happen when credentials have been revoked, are from a different AWS partition, are malformed, or belong to a deleted IAM user or role. |
Verify your credentials are valid:
|
InvalidSignatureException: The request signature we calculated does not
match the signature you provided. |
The SigV4 signature does not match. Common causes include credentials scoped to the wrong service or Region, clock skew on your machine, or a request body modified after signing. |
Try the following steps:
|
| 400 error page after OAuth sign-in | Your IAM principal does not have the required OAuth permissions
(signin:AuthorizeOAuth2Access and
signin:CreateOAuth2Token). |
Attach the
For more information, see AWS managed policies for AWS MCP Server. |
| No AWS credentials found. | AWS credentials are not configured on your machine, or the credential provider chain cannot locate them. |
Configure your credentials by following Step 2: Configure authentication and connect.
We recommend using |
Note
To learn more about how AWS IAM authorizes AWS MCP Server requests, including how to use
IAM condition context keys to restrict agent actions, see
Understanding
IAM for managed AWS MCP servers