MCP (Model Context Protocol) server exposing Tools, Resources, and Prompts for the AI platform. Agent-api calls this server via an MCP client.
- RAG service: Running and reachable. Set `RAG_SERVICE_URL` (e.g. `http://rag-service.dev.svc.cluster.local` in-cluster, or `http://localhost:8000` for local rag-service).
- AWS: Credentials (IRSA in EKS, or env/instance profile) for ECS/S3/CloudWatch summary tools and resources.
- Infrastructure: ECR repo `mcp-server` and IRSA role `McpServiceIRSA-dev` created by Terraform (Deploy to Dev pipeline). Do not push mcp-server app until that pipeline has completed.
```bash
pip install -r requirements.txt
export RAG_SERVICE_URL=http://localhost:8000 # or your rag-service URL
export AWS_REGION=eu-central-1
python -m app.main
```

MCP endpoint: `http://localhost:8000/mcp`. Use MCP Inspector to test.

- `rag_query_tool(question, top_k=5)` — Query the RAG knowledge base.
- `get_ecs_summary_tool()` — ECS clusters summary.
- `get_s3_summary_tool()` — S3 buckets summary.

- `aws://summary/ecs` — ECS clusters text.
- `aws://summary/s3` — S3 buckets text.
- `aws://summary/cloudwatch` — CloudWatch alarms text.

- `ask_kb(question)` — Prompt template to ask the knowledge base.

After Deploy to Dev has finished (ECR + IRSA for mcp-server exist), push to main. The workflow runs tests, builds the image, pushes to ECR, and deploys via Helm into the dev namespace.
If "Configure AWS credentials (OIDC)" fails with `Not authorized to perform sts:AssumeRoleWithWebIdentity`: the IAM role `GitHubOIDCRole` must trust this repo. In AWS IAM → Roles → GitHubOIDCRole → Trust relationships, ensure the policy includes `repo:LevKesha/mcp-server:*` in the `token.actions.githubusercontent.com:sub` condition (e.g. add it alongside your other repos like `repo:LevKesha/infrastructure:*`, `repo:LevKesha/rag-service:*`).
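
To check a trust policy before re-running the workflow, the following added example (not part of this repository) tests whether a workflow's `sub` claim satisfies the `sub` condition and flags patterns that do not pin a single repository. The policy document, the placeholder account ID `123456789012` and the function names are constructed for illustration; only the `sub` condition is evaluated, not the statement's other conditions.

```python
import re

SUB_KEY = "token.actions.githubusercontent.com:sub"
# Constructed trust policy (placeholder account ID); mcp-server is not yet listed.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {SUB_KEY: ["repo:LevKesha/infrastructure:*", "repo:LevKesha/rag-service:*"]},
        },
    }],
}

def _iam_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def sub_patterns(policy):
    """Yield (operator, pattern) for each sub condition on an Allow web-identity statement."""
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        for op, keys in stmt.get("Condition", {}).items():
            for key, vals in keys.items():
                if key.lower() == SUB_KEY:  # condition key names are case-insensitive
                    for v in ([vals] if isinstance(vals, str) else vals):
                        yield op, v

def sub_allowed(policy, sub):
    """True if the workflow's sub claim satisfies a StringEquals/StringLike sub condition."""
    return any(
        (op == "StringEquals" and pat == sub) or (op == "StringLike" and _iam_like(pat, sub))
        for op, pat in sub_patterns(policy)
    )

def broad_patterns(policy, owner="LevKesha"):
    """Patterns that do not pin one repository of the owner, e.g. 'repo:LevKesha/*'."""
    pinned = re.compile(r"repo:" + re.escape(owner) + r"/[^*?/:]+:.+")
    return [pat for _, pat in sub_patterns(policy) if not pinned.fullmatch(pat)]
```

A push to `main` in this repo presents the claim `repo:LevKesha/mcp-server:ref:refs/heads/main`, so `sub_allowed` returns `False` for the constructed policy until `repo:LevKesha/mcp-server:*` is added to the `StringLike` list.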
The Destroy Dev Infrastructure workflow uninstalls all Helm releases (including mcp-server) and preserves ECR + IRSA per Theme 3 plan.