{"id":"aws-mcp-proxy-for-aws","name":"mcp-proxy-for-aws","homepage":null,"repo_url":"https://github.com/aws/mcp-proxy-for-aws","category":"api-gateway","subcategories":[],"tags":["mcp","aws","sigv4","iam","proxy","python","agent-integration"],"what_it_does":"Provides an MCP proxy server and a Python client library that connect MCP clients/frameworks to MCP servers running on AWS that require AWS IAM (SigV4) authentication, by signing MCP/HTTP requests using local AWS credentials.","use_cases":["Connect MCP clients (e.g., Claude Desktop, Kiro CLI) to AWS-hosted MCP servers that use SigV4/IAM auth","Programmatically integrate IAM-secured MCP servers into Python agent frameworks (LangChain, LlamaIndex, etc.)","Avoid implementing SigV4 signing logic in MCP client tooling"],"not_for":["MCP servers that use OAuth-based authentication without AWS IAM/SigV4","Environments that do not have valid AWS credentials/permissions available to the proxy/library"],"best_when":"You need MCP tool access to AWS-hosted services where authentication is via AWS IAM SigV4 and your MCP client/framework cannot natively sign requests.","avoid_when":"You cannot provide AWS credentials securely (or cannot restrict them via IAM) and you require strict auditability of every request without local credential usage.","alternatives":["Build a custom MCP client/transport that performs SigV4 signing directly","Use or implement an OAuth-capable MCP layer if the AWS MCP server supports switching auth modes","Place an authenticated reverse proxy in front of the AWS MCP server that handles SigV4"],"af_score":59.0,"security_score":68.8,"reliability_score":33.8,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:35:34.582161+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":null,"has_sdk":true,"sdk_languages":["Python"],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["AWS IAM SigV4 (via local AWS credentials)"],"oauth":false,"scopes":false,"notes":"Auth is handled by signing upstream MCP requests using AWS credentials sourced from AWS CLI/profile, environment variables, or IAM roles."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"No pricing information provided; costs (if any) are likely limited to your own AWS usage for the upstream MCP server."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":59.0,"security_score":68.8,"reliability_score":33.8,"mcp_server_quality":60.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":80.0,"rate_limit_clarity":20.0,"tls_enforcement":70.0,"auth_strength":85.0,"scope_granularity":40.0,"dependency_hygiene":70.0,"secret_handling":75.0,"security_notes":"Uses SigV4 signing with AWS credentials (strong cryptographic auth) but scope granularity is largely determined by IAM permissions of the credentials you provide. Proxy requires access to AWS secrets/role credentials locally; avoid logging them and ensure least-privilege IAM policies. README indicates credentials can come from environment variables or profiles; secure secret handling practices depend on runtime configuration.","uptime_documented":0.0,"version_stability":55.0,"breaking_changes_history":40.0,"error_recovery":40.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Proxy behavior depends on correct AWS credentials/region/service inference; misconfiguration may lead to auth/signing failures.","If using Cline, README warns against using --log-level because Cline scans stderr for the word 'error'."]}}