When AI brokers connect with instruments by means of the Mannequin Context Protocol (MCP), they achieve entry to capabilities that vary from database queries and API calls to file operations and third-party service integrations. In manufacturing, these interactions want correct governance, controls, and observability aligned with a corporation’s safety insurance policies. This contains sanitizing software inputs earlier than they attain backend methods, producing audit trails in particular codecs, or redacting delicate information on the protocol layer. These necessities are formed by inside governance requirements, trade rules, and the specifics of every manufacturing setting. This publish reveals you how you can deploy a serverless MCP proxy on Amazon Bedrock AgentCore Runtime that provides you a programmable layer to implement these controls.
Amazon Bedrock AgentCore Gateway offers centralized governance and management for agent-tool integration, together with semantic software discovery, managed credentials, and coverage enforcement. For organizations that must embed customized logic within the Gateway request path, Gateway helps Lambda interceptors. These interceptors allow you to run validation, transformation, or filtering code as AWS Lambda capabilities on each software invocation. This lets you hold your customized logic self-contained and managed alongside your Gateway configuration.
Nevertheless, some organizations have invested in customized MCP filtering logic that’s tightly coupled with inside libraries or on-premises compliance methods. They need to reuse that logic on AgentCore Runtime with out refactoring it into Lambda capabilities. Others function throughout a number of methods or hybrid environments the place working controls as a standalone MCP server presents extra portability than a system-specific interceptor. In these instances, a serverless MCP proxy working on AgentCore Runtime can present a complementary sample.
AgentCore Runtime is a completely managed compute setting for deploying AI brokers and MCP servers. It offers serverless infrastructure with computerized scaling, built-in observability by means of Amazon CloudWatch and OpenTelemetry, and AgentCore Identification for authentication and authorization. As a result of Runtime natively helps the MCP protocol, it means that you can host MCP servers, together with MCP proxies that add customized controls to MCP visitors.
We present you how you can construct and deploy a stateless MCP proxy on AgentCore Runtime that means that you can add programmable controls to MCP visitors. The proxy runs as a serverless workload on Runtime, discovers instruments from an upstream MCP server at startup, re-exposes them along with your customized logic utilized, and forwards requests transparently. The upstream MCP server could be your alternative of MCP-compatible endpoint, together with MCP servers working on AgentCore Runtime, self-hosted MCP servers, or third-party MCP companies. It’s also possible to join this proxy to Amazon Bedrock AgentCore Gateway. This allows you to benefit from Gateway’s managed software discovery, credential administration, and coverage enforcement throughout MCP servers, Lambda capabilities, and SaaS integrations.
Utilizing an open supply GitHub implementation as a basis, we stroll you thru the structure, clarify how authorization works at every layer, deploy the proxy with an automatic script, and take a look at the end-to-end move with a pattern agent. By the tip, you’ve a working deployment sample for including customized controls to MCP visitors utilizing AgentCore Runtime.
Answer overview
The customized MCP proxy runs on AgentCore Runtime and acts as an middleman between MCP shoppers and upstream MCP servers. MCP shoppers work together with the proxy as they might with different MCP servers; the proxy applies your specialised logic and forwards requests to the upstream server. This separation means that you can introduce customized controls on the protocol layer with out modifying the upstream MCP server or the shopper.
Structure parts
The answer includes three logical layers that work collectively by means of MCP: the MCP shopper, the MCP proxy on AgentCore Runtime, and the upstream MCP server. The request move strikes by means of these layers sequentially: the shopper sends MCP requests to the proxy, the proxy applies your customized logic and forwards the request to the upstream MCP server, and the upstream server processes the request and returns the response again by means of the identical path.
The upstream MCP server could be hosted anyplace, together with on AgentCore Runtime, by yourself infrastructure, or as a third-party service. On this publish, we use an AgentCore Gateway because the upstream MCP server as a result of it offers a ready-made, MCP-compatible software endpoint with registered targets, letting you comply with the walkthrough end-to-end with out standing up a separate MCP server. The proxy sample applies to different MCP-compatible upstream endpoints, and we talk about options all through the publish, together with upstream MCP servers working on AgentCore Runtime.
The next diagram reveals the structure, together with each the request and authentication flows:
Determine 1: Structure diagram exhibiting the request and authentication flows. This walkthrough makes use of AgentCore Gateway because the upstream MCP server.
The MCP shopper in Runtime treats the customized MCP proxy as its software server, sending customary MCP requests to find and invoke instruments. From the shopper’s perspective, the proxy is indistinguishable from different MCP servers. AgentCore Runtime offers managed compute, computerized scaling, and built-in observability for the shopper workload.
The MCP proxy acts as an middleman between the shopper and the upstream MCP server. It receives MCP requests from the shopper, applies your customized logic, and forwards the requests to the upstream server. The proxy runs as a separate MCP server in Runtime, utilizing the identical serverless managed infrastructure because the shopper itself.
The proxy connects to the upstream MCP server as a typical MCP shopper. The upstream server treats the proxy as an authenticated MCP shopper, no totally different from different approved callers. The upstream server handles entry to downstream companies and MCP instruments.
The instruments themselves, whether or not hosted as MCP servers, AWS Lambda capabilities, or third-party SaaS integrations, are registered with and managed by the upstream server. For organizations on the lookout for a completely managed path to software integration, AgentCore Gateway offers a simple and safe means for builders to construct, deploy, uncover, and connect with instruments at scale.
How the MCP proxy works
We implement the proxy utilizing FastMCP to find instruments from the upstream MCP server at startup and ahead each shopper request at runtime. The proxy doesn’t outline instruments of its personal and has no prior data of what the upstream server exposes.
When the proxy course of begins, it sends a typical MCP instruments/record request to the upstream server. The server returns the complete catalog of accessible instruments. For every software, the proxy dynamically registers an area FastMCP software with the identical identify and outline. Every software is backed by a handler perform that forwards instruments/name requests to the upstream server and returns the response. MCP shoppers connecting to the proxy see the identical software catalog and get the identical outcomes as in the event that they have been connecting to the upstream server instantly.
As a result of the proxy is a typical Python MCP server that you simply personal and deploy, you possibly can insert customized logic earlier than forwarding a software name or after receiving the response. The upstream server handles software execution, whereas the proxy provides a programmable layer in entrance with out changing the upstream server’s native capabilities.
Authorization between parts
Authorization is enforced independently at every layer of the structure, creating distinct belief boundaries all through the move.
- Agent to MCP proxy: When an agent connects to the MCP proxy, it makes use of AgentCore Identification for authentication and authorization. The proxy makes use of the capabilities that AgentCore Identification offers, together with centralized administration of agent identities and safe credentials storage. You management which brokers and principals can invoke the proxy utilizing the identical id framework you utilize in your different workloads in AgentCore Runtime.
- Proxy to upstream MCP server: The proxy should authenticate to the upstream MCP server it connects to. The authentication methodology is dependent upon the upstream server’s necessities. AgentCore Identification offers inbound authorization for workloads hosted on AgentCore Runtime by means of each AWS Identification and Entry Administration (IAM) utilizing AWS Signature Model 4 (SigV4) and JSON Internet Token (JWT)-based authorization utilizing OAuth 2.0 shopper credentials. With JWT-based authorization, you configure the upstream server with a discovery URL, allowed audiences, and allowed shoppers. AgentCore Identification validates the bearer token on each request. The proxy obtains tokens by means of the OAuth 2.0 shopper credentials grant and contains them as Authorization: Bearer headers.
For IAM-based authorization, the proxy indicators requests utilizing AWS SigV4 with the IAM execution position it inherits from AgentCore Runtime. The particular permissions differ by upstream server sort. If the upstream MCP server is hosted on AgentCore Runtime, you scope the bedrock-agentcore:InvokeAgentRuntime permission to regulate which callers can attain it. Alternatively, if the upstream server is an AgentCore Gateway, as on this walkthrough, you scope the bedrock-agentcore:InvokeGateway permission to particular gateways and caller identities. This ensures that solely trusted proxies can entry the software catalog.
The accompanying GitHub undertaking makes use of IAM-based authorization because the default methodology. The deployment script additionally helps JWT-based authorization for this integration.
- Upstream server to instruments: The upstream MCP server authenticates to downstream instruments utilizing AgentCore Identification credential suppliers, which handle OAuth 2.0 tokens, API keys, and credential rotation transparently. Outbound authorization operates the identical means no matter whether or not requests originate from the proxy or from a direct shopper.
Every layer on this structure authenticates independently. You inject customized logic on the MCP protocol layer by means of the proxy, whereas the upstream server continues to deal with software execution and its personal authorization. The result’s an structure the place customized controls and upstream capabilities function in separate, well-defined layers.
Conditions
To implement the answer, you could have the next:
Deploy the answer
Full the next steps to deploy the undertaking in your AWS account:
- Begin by cloning the GitHub repository and reviewing the undertaking construction.
- Open deploy_config.json and set the values in your setting:
Determine 2: Configuration screenshot exhibiting deployment settingsReplace the worth in gateway_endpoint with the MCP endpoint URL of your upstream MCP server (AgentCore Gateway on this instance). Set area to the AWS Area the place the upstream server is deployed. The gateway_api_id area is elective. In case your upstream server is an AgentCore Gateway and also you present its Amazon Useful resource Identify (ARN), the deployment script scopes the IAM permissions to that particular useful resource. If you happen to go away it as null, the script grants permissions to invoke all Gateways within the account.The auth_mode area determines how the proxy authenticates to the upstream server and defaults to “iam” for IAM-based authentication. If you happen to set auth_mode to “jwt” for OAuth-based authentication, you could configure the Cognito fields (cognito_user_pool_id, cognito_client_id, and cognito_domain) with values out of your Cognito person pool. Then move the Cognito shopper secret by means of the –cognito-client-secret flag when working the deploy script. When utilizing IAM authentication, go away all Cognito fields as null.
- Run the automated deployment script setup_and_deploy.py, from the undertaking root. It automates the complete deployment workflow, which performs the next steps in sequence:
- Validates stipulations — checks that the AWS CLI, Python, and Docker can be found, and that AWS credentials are configured.
- Creates an IAM execution position — creates a job with a belief coverage that enables bedrock-agentcore.amazonaws.com to imagine it. The position contains permissions for invoking the Gateway, writing to Amazon CloudWatch Logs, and pulling photographs from Amazon ECR.
- Configures the agent with the AgentCore CLI — runs agentcore configure with the MCP protocol, pointing to the proxy entrypoint at mcp_proxy/primary.py. Throughout this step, the CLI prompts you to pick an ECR repository and make sure the authentication mode.
- Launches the agent to AgentCore Runtime — runs agentcore launch and passes the upstream server endpoint as an setting variable (GATEWAY_ENDPOINT). AgentCore Runtime builds the container picture, pushes it to Amazon ECR, and begins the agent.
- Examine the MCP proxy agent standing: agentcore standing –agent mcp_proxy.
Be aware the agent ARN from the output. You utilize this ARN within the take a look at shopper agent to later invoke the proxy.
The right way to configure the proxy authentication methodology
The authentication mode between the MCP proxy and the upstream server is dependent upon how the inbound authorization to the upstream server is configured. AgentCore Identification helps each IAM and JWT inbound authentication for workloads hosted on AgentCore. The proxy code on GitHub implements every mode in a single perform _send_gateway_request, the place outbound HTTP calls to the upstream server are made.
IAM authorization
The proxy indicators each outbound request to the upstream server utilizing AWS SigV4. As a result of the proxy runs on AgentCore Runtime, it inherits the IAM execution position you specified throughout deployment. The deployment script grants this position bedrock-agentcore:InvokeGateway permissions, with the Useful resource area scoped to the Gateway. No further credentials or tokens are required. The proxy makes use of the runtime’s boto3 session to signal requests routinely.
OAuth authorization
In case your upstream server makes use of a JWT authorizer, the proxy replaces SigV4 signing with a bearer token obtained by means of the OAuth 2.0 shopper credentials grant. This mode is constructed into the proxy and requires no code modifications. It’s good to set auth_mode to jwt within the deployment configuration and supply your Cognito person pool particulars.
When you choose JWT, the script collects the Cognito person pool ID, app shopper ID, app shopper secret, and area prefix. These values are handed to the AgentCore Runtime container as setting variables in the course of the agentcore launch step. It’s also possible to set these values instantly in deploy_config.json to skip the interactive prompts.
At startup, the proxy reads the AUTH_MODE setting variable. When set to jwt, the proxy requests an entry token utilizing HTTP authentication with the shopper credentials. The token is cached in reminiscence and refreshed routinely when it approaches expiration. Every outbound request to the upstream MCP server contains the token as an Authorization: Bearer header as an alternative of SigV4 signature headers.
The remainder of the proxy (software discovery, software forwarding, and the FastMCP server) operates identically whatever the authentication mode. The one distinction is how _send_gateway_request authenticates its outbound calls.
Check the answer
The repository contains test_agent.py, a Strands Brokers script that connects to the MCP proxy working on AgentCore Runtime and makes use of the found instruments.
The agent connects to the proxy, not the upstream server, by invoking the AgentCore Runtime endpoint for the deployed proxy. It sends MCP JSON-RPC requests to find instruments and name them. The next display recording demonstrates a CLI session the place the agent discovers instruments from the proxy and makes use of them to reply questions interactively.
On this instance, the upstream server (an AgentCore Gateway) exposes instruments to function arithmetic operations, and the agent acts as a calculator that makes use of these instruments to do primary math.
Determine 3: Testing display recording exhibiting CLI interplay
Customization alternatives
The proxy structure means that you can intercept and remodel MCP visitors between the shopper and the upstream MCP server. The next examples exhibit two widespread customization patterns:
Tokenization
Device name arguments might comprise personally identifiable data (PII) that ought to not attain backend methods in cleartext. The proxy’s forwarding move provides you a pure interception level so as to add tokenization.
Right here’s how the move works: when a shopper calls a software, the proxy’s _make_tool_handler perform in primary.py receives the arguments as a kwargs dictionary, passes them to _send_gateway_request which wraps them in a JSON-RPC payload and sends them (SigV4-signed) to the upstream MCP server, then codecs the response again to the shopper. The related code path appears like this:
def _make_tool_handler(tool_name: str):
“””Create a software handler perform that forwards calls to the gateway.”””
def handler(**kwargs) -> str:
# — Tokenize: scan kwargs for PII and change with tokens —
consequence = _send_gateway_request(
“instruments/name”, {“identify”: tool_name, “arguments”: kwargs}
)
content material = consequence.get(“content material”, [])
# — Detokenize: reverse tokens in content material earlier than returning —
if content material and isinstance(content material, record):
texts = [c.get(“text”, str(c)) for c in content if isinstance(c, dict)]
return “n”.be part of(texts) if texts else json.dumps(consequence)
return json.dumps(consequence)
return handler
You possibly can add tokenization in two locations contained in the handler closure. Earlier than the decision to _send_gateway_request, you scan the kwargs values for PII patterns and change them with reversible tokens (discuss with Steering for Tokenization to Enhance Information Safety and Cut back Audit Scope on AWS). After _send_gateway_request returns, you reverse the tokens within the response content material earlier than returning it to the shopper. This retains PII out of the backend targets whereas preserving the end-to-end information move for the agent.
Device-level entry management
You could need to limit which instruments a given caller can invoke, despite the fact that the upstream server exposes the complete catalog. You possibly can implement this by including a coverage examine originally of the handler perform created by _make_tool_handler. The proxy already receives the software identify as a parameter when the handler is constructed. Earlier than forwarding the instruments/name request to the upstream server, the handler evaluates the caller’s id in opposition to an entry coverage. The id could be extracted from the inbound request headers or the MCP session context. If the caller isn’t approved for that software, the handler returns an error response with out contacting the upstream server. It’s also possible to filter the instruments/record response within the register_gateway_tools perform to reveal solely the instruments that match a given coverage. This manner, unauthorized instruments by no means seem within the shopper’s software catalog.
Clear up
To keep away from recurrent prices, delete the assets created for those who now not want them past testing this resolution. The AgentCore CLI offers a destroy command that removes the agent and its related assets. Run the next instructions from the undertaking root:
- Delete the AgentCore Runtime agent and its ECR photographs:
agentcore destroy –agent –delete-ecr-repo –force - Delete the inline IAM coverage and the execution position:
aws iam delete-role-policy –role-name –policy-name
aws iam delete-role –role-name - If you happen to created an AgentCore Gateway particularly for this walkthrough and now not want it, delete the Gateway and its targets:
agentcore gateway delete-mcp-gateway –name –force
Change the agent identify, position identify, and Gateway identify with the values you used throughout deployment.
Conclusion
This publish demonstrated how you can construct and deploy a serverless MCP proxy on Amazon Bedrock AgentCore Runtime that provides customized controls to MCP visitors. The proxy dynamically discovers instruments from an upstream MCP server at startup, re-exposes them as a typical MCP server, and forwards software invocations at runtime. This provides you a programmable layer the place you possibly can apply customized logic reminiscent of enter validation, logging, fee limiting, or response enrichment.
We walked by means of the end-to-end workflow utilizing an AgentCore Gateway because the upstream server, and coated how you can adapt the proxy for gateways configured with both IAM or JWT inbound authorization. The proxy is stateless and runs as a typical container on AgentCore Runtime. You possibly can join it to different MCP-compatible upstream server, chain a number of upstream endpoints, or add middleware logic particular to your workload. The complete supply code, deployment scripts, and take a look at agent can be found on GitHub.
To get began, clone the repository, configure your upstream MCP server endpoint, and run the automated deployment script. To be taught extra about constructing and deploying brokers on AgentCore and utilizing Strands Brokers framework, discover the Amazon Bedrock AgentCore documentation and the Strands Brokers SDK.
Concerning the authors
Nizar Kheir
Nizar is a Senior Options Architect at AWS with greater than 15 years of expertise spanning varied trade segments. He presently works with public sector prospects in France and throughout EMEA to assist them modernize their IT infrastructure and foster innovation by harnessing the ability of the AWS Cloud.
