@wzxxing wzxxing commented Nov 11, 2025

Summary

Changes

Please provide a summary of what's being changed

Summary

Adds an optional credentials parameter to aws_iam_streamablehttp_client() that accepts botocore Credentials objects, enabling programmatic credential management without requiring boto3 session creation.

Motivation

When integrating MCP servers into AI frameworks, users may already have AWS credentials from existing boto3 sessions or credential providers. Creating a new boto3 session is unnecessary overhead and limits flexibility in credential management scenarios such as:

  • Using credentials from existing boto3 clients/sessions
  • Implementing custom credential rotation logic
  • Testing with mock credentials
  • Cross-account access patterns with assumed roles

User experience

Please share what the user experience looks like before and after this change

API Changes

Added new optional parameter to aws_iam_streamablehttp_client():

  • credentials: Optional[Credentials] - When provided, takes precedence over aws_profile

Behavior

When credentials is provided:

  • Bypasses boto3.Session creation entirely
  • Requires aws_region to be explicitly specified (raises ValueError if missing)
  • Uses provided credentials directly for SigV4 signing

When credentials is NOT provided:

  • Maintains existing behavior (creates boto3.Session with profile/region)
  • Backward compatible with all existing code

Example Usage

```python
import asyncio

import boto3
from botocore.credentials import Credentials  # type accepted by the new parameter
from mcp_proxy_for_aws.client import aws_iam_streamablehttp_client


async def main():
    # Use existing credentials
    creds = boto3.Session().get_credentials()

    async with aws_iam_streamablehttp_client(
        endpoint="https://example.amazonaws.com/mcp",
        aws_service="bedrock-agentcore",
        aws_region="us-east-1",  # must be explicit when credentials is passed
        credentials=creds,
    ) as (read, write, session_id_callback):
        # Use the client
        pass


asyncio.run(main())
```

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Is this a breaking change? (Y/N)

  • Yes
  • No

Please add details about how this change was tested.

  • Did integration tests succeed?
  • If the feature is a new use case, is it necessary to add a new integration test case?

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
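An added example, not part of the pull request or the project's code: a standard-library SigV4 signer showing why `aws_region` must be explicit once the boto3 session is bypassed, since the region is part of both the credential scope and the derived signing key. `Creds`, `sigv4_headers` and `SAMPLE` are hypothetical names; the sketch assumes a POST with no query string and a path that needs no URI encoding.

```python
import hashlib
import hmac
from collections import namedtuple
from urllib.parse import urlsplit

# Stand-in for botocore.credentials.Credentials (same three attribute names).
Creds = namedtuple("Creds", "access_key secret_key token")
# Constructed sample values, not real credentials.
SAMPLE = Creds("AKIDEXAMPLE", "constructed-secret-key", "constructed-session-token")


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(creds, region, service, url, body, amz_date):
    """Return SigV4 headers for a POST of `body` (bytes) to `url`."""
    if not region:
        # With no session to fall back on, nothing else can supply the region.
        raise ValueError("region is required when credentials are injected")
    date = amz_date[:8]
    parts = urlsplit(url)
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"host": parts.netloc, "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date}
    if creds.token:  # temporary (STS) credentials must send and sign the token
        headers["x-amz-security-token"] = creds.token
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "POST", parts.path or "/", "",
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, payload_hash,
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Signing key: HMAC chain over date, region, service and a fixed terminator.
    key = ("AWS4" + creds.secret_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds.access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

Signing the same request for two regions yields different signatures, so a request signed with a guessed or defaulted region is rejected by the service rather than silently accepted.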

@wzxxing wzxxing marked this pull request as ready for review November 11, 2025 12:19
@wzxxing wzxxing requested a review from a team as a code owner November 11, 2025 12:19
@wzxxing wzxxing requested review from bidesh and kyoncal November 11, 2025 12:19
@wzxxing wzxxing force-pushed the wzxxing/feat-inject-credentials-mcp-client branch from 17ab627 to d614a4d Compare November 11, 2025 15:41
@wzxxing wzxxing enabled auto-merge (squash) November 11, 2025 15:41
@wzxxing wzxxing merged commit 39ff9fa into main Nov 11, 2025
7 checks passed
@wzxxing wzxxing deleted the wzxxing/feat-inject-credentials-mcp-client branch November 11, 2025 15:48
harv-aws pushed a commit to harv-aws/mcp-proxy-for-aws that referenced this pull request Nov 11, 2025
arangatang added a commit that referenced this pull request Nov 13, 2025
* pypi release automation through github actions

* Forward region via meta (#71)

* feat(sigv4_helper): inject AWS_REGION in _meta

* Override the sigv4 signature when adding _meta.

* feat(sigv4_helper): add region and service argument to _inject_metadata_hook to allow for proper resigning of sigv4 to work

* feat(server.py): add forwarding region as optional argument

* feat: replace forwarding region with metadata forwarding

* refactor: move the hooks from sigv4_helper.py into a new folder and add tests

* refactor(siv4_helper.py): move signing logic from client creation to an event hook

* test(test_hooks.py): add assertions

* refactor(sigv4_helper.py): remove hooks.py module and move hooks to sigv4_helper.py

This refactor was needed in order to avoid a circular dependency, which resulted in a mid-module import.

---------

Co-authored-by: Kyon Caldera <kyonc@amazon.com>
Co-authored-by: Leonardo Araneda Freccero <araneda@amazon.com>

* docs: mention creating issues first before sending large PR with new feature (#76)

* feat: allow iam mcp client to take a botocore credentials object (#84)

* pypi release automation through github actions

* chore: pypi publishing added to development.md

* chore: simplifying uv install

* fix: adding input commit id for integ tests, and passing it in publish workflows.

---------

Co-authored-by: Harvish N S <harvishn@amazon.com>
Co-authored-by: Kyon <91875365+kyoncal@users.noreply.github.com>
Co-authored-by: Kyon Caldera <kyonc@amazon.com>
Co-authored-by: Leonardo Araneda Freccero <araneda@amazon.com>
Co-authored-by: wzxxing <169175349+wzxxing@users.noreply.github.com>
Co-authored-by: Leonardo Araneda Freccero <arangatang@users.noreply.github.com>