Model Context Protocol (MCP) implementation using AWS Lambda and SAM.
This project provides a serverless implementation of the Model Context Protocol, with two distinct interfaces:
-
System Configuration (Administrative):
- Registration of MCP tools, resources, and prompts
- IAM permission management
- Infrastructure setup and configuration
-
System Usage (Client):
- Establishing SSE connections
- Sending commands
- Receiving streaming responses
You can visualize the system using this Mermaid syntax:
graph TD
Client --> MCP[/"MCP Lambda\n(/sse & /message)"/]
MCP -->|read/write| SessionTable[(Session Table)]
MCP -->|query| RegistrationTable[(Registration Table)]
MCP -->|invoke| RegisteredLambda["Registered Lambda Tool"]
Admin[Administrator] --> RegistrationLambda[/"Registration Lambda\n(/register)"/]
RegistrationLambda -->|write| RegistrationTable
- The MCP Lambda reads registrations from the Registration Table on startup and when handling requests.
- It uses the Session Table to persist session state.
- It invokes registered Lambda tools dynamically using the ARNs stored in the Registration Table.
This section is for system administrators who need to configure and manage the MCP server.
npx @markvp/mcp-lambda-sam deployThe command will interactively prompt for administrative configuration:
- Stack name (for multiple instances)
- AWS Region
- VPC configuration (optional)
To access MCP endpoints, users and clients must have IAM permission to invoke the relevant Function URLs.
- Administrators: must be allowed to invoke the
mcp-registrationfunction URL - Clients: must be allowed to invoke the
mcpfunction URL
You can grant access using either an IAM policy or aws lambda add-permission (see below).
To grant permission to invoke the registration function URL:
aws lambda add-permission \
--function-name <registration-function-name> \
--statement-id allow-registration \
--action lambda:InvokeFunctionUrl \
--principal "*" \
--function-url-auth-type IAMTo grant permission to invoke the MCP function URL (SSE and message):
aws lambda add-permission \
--function-name <mcp-function-name> \
--statement-id allow-mcp \
--action lambda:InvokeFunctionUrl \
--principal "*" \
--function-url-auth-type IAMReplace <registration-function-name> and <mcp-function-name> with the actual Lambda function names.
Use these endpoints to manage MCP tools, resources, and prompts:
awscurl -X POST ${REGISTRATION_URL}/register \
--region ap-southeast-2 \
--service lambda \
-H "Content-Type: application/json" \
-d '{
"type": "tool",
"name": "example",
"description": "Example tool",
"lambdaArn": "arn:aws:lambda:region:account:function:name",
"parameters": {
"input": "string"
}
}'awscurl -X PUT ${REGISTRATION_URL}/register/{id} \
--region ap-southeast-2 \
--service lambda \
-d '...'awscurl -X DELETE ${REGISTRATION_URL}/register/{id} \
--region ap-southeast-2 \
--service lambdaawscurl ${REGISTRATION_URL}/register \
--region ap-southeast-2 \
--service lambdaAdministrators need these permissions to manage registrations:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "lambda:InvokeFunctionUrl",
"Resource": "arn:aws:lambda:${region}:${account}:function:${stack-id}-mcp-registration",
"Condition": {
"StringEquals": {
"lambda:FunctionUrlAuthType": "AWS_IAM"
}
}
}]
}
This section is for clients who want to use the MCP server.
Clients need these permissions to use the MCP server:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunctionUrl",
"Resource": [
"arn:aws:lambda:${region}:${account}:function:${stack-id}-mcp",
],
"Condition": {
"StringEquals": {
"lambda:FunctionUrlAuthType": "AWS_IAM"
}
}
}
]
}- Establish SSE Connection:
const sse = new EventSource(SSE_URL, {
headers: {
Authorization: 'AWS4-HMAC-SHA256 ...', // Must be AWS SigV4 signed
}
});
sse.onmessage = (event) => {
console.log(JSON.parse(event.data));
};awscurl -X GET "${MCP_URL}/sse" \
--region ap-southeast-2 \
--service lambdaThe first event will include a sessionId. Use this when sending messages.
- Send Commands:
awscurl -X POST "${MCP_URL}/message?sessionId=session-123" \
--region ap-southeast-2 \
--service lambda \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": "1",
"method": "example",
"params": {
"input": "hello"
}
}'401: Invalid/missing AWS credentials403: Insufficient permissions404: Invalid session ID429: Rate limit exceeded
-
Connection Issues:
- Verify AWS credentials
- Check IAM permissions
- Ensure network connectivity
-
Command Execution Errors:
- Verify session ID is active
- Check command format matches tool registration
- Ensure parameters match schema
- AWS CLI installed and configured
- AWS SAM CLI installed
- Node.js 20.x or later
- An AWS account with permissions to create:
- Lambda functions
- DynamoDB tables
- IAM roles
- SQS queues
To deploy this application locally or to AWS using the AWS SAM CLI:
- Install the AWS SAM CLI: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-sam-cli.html
- Ensure it's available in your PATH:
sam --version
- Build and deploy the application:
sam build sam deploy --guided
- Follow the prompts to configure the stack name, region, capabilities, and parameter overrides.
You can rerun sam deploy without --guided to use saved configuration.
You can install and deploy this application in four ways:
The easiest way to deploy the MCP server is through the AWS Serverless Application Repository (SAR):
- Go to the SAR Console
- Search for mcp-lambda-sam by Mark Van Proctor
- Click Deploy
- Set your parameters:
StackIdentifier: Unique ID for this MCP server instanceVpcEnabled: Set totrueif deploying in a VPCVpcIdandSubnetIds: Provide only ifVpcEnabledistrue
- Follow the prompts to deploy
Alternatively, you can deploy from the AWS CLI:
aws serverlessrepo create-cloud-formation-change-set \
--application-id arn:aws:serverlessrepo:ap-southeast-2:522814717816:applications/mcp-lambda-sam \
--stack-name your-stack-name \
--capabilities CAPABILITY_IAM \
--parameter-overrides '[{"name":"StackIdentifier","value":"your-stack-id"}]'npx @markvp/mcp-lambda-sam deployThe command will interactively prompt for administrative configuration:
- Stack name (for multiple instances)
- AWS Region
- VPC configuration (optional)
Install the package:
npm install @markvp/mcp-lambda-samAfter installing the package, you can use it programmatically:
import { deploy } from '@markvp/mcp-lambda-sam';
// Usage example
deploy();Install the package:
npm install @markvp/mcp-lambda-samAfter making development changes, you can deploy it manually:
npm run deploy# Install dependencies
npm install
# Lint
npm run lint
# Run tests
npm test
# Build
npm run build
# Deploy
npm run deployIf you're contributing to this project and need to publish updates to SAR:
- Package the application:
npm run package:sar- Publish to SAR:
npm run publish:sar- Make the application public (one-time setup):
- Go to AWS Console > Serverless Application Repository
- Select the application
- Click "Share" and choose "Public"
- Apply the following sharing policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "serverlessrepo:CreateCloudFormationTemplate", "Resource": "arn:aws:serverlessrepo:${region}:${account-id}:applications/mcp-lambda-sam" } ] }
MIT
- Fork the repository
- Create your feature branch
- Commit your changes
- Push to the branch
- Create a new Pull Request