AWS IAM MCP client with SigV4 auth

[DennisTraub]

Enables IAM (SigV4) authentication for MCP clients connecting to AWS-hosted MCP servers. This client is a drop-in replacement for existing MCP client usage and works with agent frameworks like Strands Agents, LangChain, LlamaIndex, and the Microsoft Agent Framework.

• Adds aws_iam_mcp_client: an async context manager creating a streamable MCP HTTP client signed with SigV4
• Establishes a boto3.Session with optional AWS region and profile
• Uses existing SigV4HTTPXAuth with resolved credentials, service, and region
• Connects via MCP’s streamablehttp_client
• Allows injecting a custom httpx_client_factory for transport customization

Unit tests cover:

• Parameterization of boto3.Session (region/profile)
• Creation and wiring of SigV4HTTPXAuth
• Forwarding of client parameters to the underlying streamable client
• Proper cleanup behavior of the async context manager

Follow-ups:

• Integration tests
• Documentation update
• Usage examples

[wzxxing]

Previously in our discussion, we were thinking if the mcp client or transport is the level of abstraction. But seems from the PR, in order to make this feature available to both mcp python sdk and fastmcp v2, the two SDKs needs to be handled separately.

Final comment, would you be able to update the README to include a section of using this feature with popular agent SDKs?

[wzxxing]

This is using the official streamablehttp_client.

Do you know if this will be compatible for the users using fastmcp 2.0?

[DennisTraub]

Yes, the client uses the standard MCP SDK's streamablehttp_client, which speaks the core MCP protocol over HTTP. FastMCP 2.0 servers are MCP-compliant, so any standard MCP client, including this one, will work seamlessly.

If users want to use fastmcp.Client, they'd bypass aws_iam_mcp_client() and use SigV4HTTPXAuth directly.

[DennisTraub]

@wzxxing re:

Final comment, would you be able to update the README to include a section of using this feature with popular agent SDKs?

Absolutely. I'll update the README and will switch the PR to "ready for review"

[wzxxing]

There are some issues found by the CI: https://github.com/aws/mcp-proxy-for-aws/actions/runs/19081826894/job/54560828478?pr=65

[arangatang]

Heya thank you for the great examples and the readme in this pass! Codewise I think we are pretty much good to go, but I have concerns about the naming. Due to trademark we shouldn't really have this as a seperate entity in the package. I provided some suggestions of how we could rephrase examples and READMES.

tldr: We can use MCP Proxy for AWS but MCP Client Library and similar would i believe require a new trademark, so to keep it simple lets rephrase.

[wzxxing]

Hi Dennis, I forgot to point you to the contributing guide. https://github.com/aws/mcp-proxy-for-aws/blob/main/CONTRIBUTING.md

You need to run uv run pre-commit run --all-files to format all the files.

I see the CI failed because uv.lock file was deleted.

[DennisTraub]

There are some issues found by the CI: https://github.com/aws/mcp-proxy-for-aws/actions/runs/19081826894/job/54560828478?pr=65

Should be fixed

[arangatang]

Some more changes:

1. Add license header to examples
2. Fix mcp-proxy-for-aws reference in examples.

[wzxxing]

We probably don't need README in unit tests.

[DennisTraub]

Yeah, I guess I can remove it.

[wzxxing]

I think these should be covered by pyright, if the example code can be validated by pyright, we don't need to do these unit tests.

[arangatang]

I was the one who asked to add these. Imo lets leave them for now, we can pivot later?

[wzxxing]

Yeah, we can. but CI failed: https://github.com/aws/mcp-proxy-for-aws/actions/runs/19107321050/job/54594703458?pr=65