# AWS Bedrock AgentCore Gateway - Lambda to MCP Tools

This notebook demonstrates how to create an AWS Bedrock AgentCore Gateway that exposes AWS Lambda functions as Model Context Protocol (MCP) tools, enabling seamless integration with AI agents using Strands Agents.

## Overview

This tutorial covers:
- Creating an AgentCore Gateway with Cognito-based OAuth authentication (EZAuth flow)
- Registering Lambda functions as MCP tools
- Connecting Strands Agents to the gateway
- Invoking Lambda-backed tools through AI agents

## Prerequisites

Before running this notebook, ensure you have:

1. **Python 3.12+** installed
2. **AWS CLI** configured with appropriate credentials
3. **AWS Account** with permissions for:
   - Bedrock AgentCore Gateway
   - AWS Lambda
   - Amazon Cognito
   - IAM (for role creation)
4. **AWS Profile** configured (or use default credentials)

---


In [119]:
!pip install bedrock_agentcore_starter_toolkit strands-agents strands-agents-tools


[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m A new release of pip is available: [0m[31;49m25.0.1[0m[39;49m -> [0m[32;49m25.3[0m
[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m To update, run: [0m[32;49mpip install --upgrade pip[0m
Note: you may need to restart the kernel to use updated packages.


## Step 2: Import Required Libraries

Import the necessary Python libraries for AWS operations, environment management, and logging.

In [120]:
import boto3
import os
import logging
import json

## Step 3: Configure AWS Environment

Set your AWS region and profile. **Note**: Replace these values with your own AWS configuration.

- `AWS_DEFAULT_REGION`: Your AWS region (e.g., 'us-east-1', 'eu-central-1')
- `AWS_PROFILE`: Your AWS profile name (optional, uses default if not specified)

In [121]:
# Configure AWS region and profile
# Replace with your AWS region and profile name
os.environ['AWS_DEFAULT_REGION'] = 'eu-central-1'  # Change to your region
os.environ['AWS_PROFILE'] = 'your-aws-profile'  # Optional: Change to your profile or remove to use default

## Step 4: Create AgentCore Gateway with Cognito Authentication

This step creates an AgentCore Gateway using the EZAuth flow, which automatically sets up:
- Amazon Cognito User Pool
- Cognito Domain
- OAuth 2.0 client configuration
- IAM execution role for the gateway

The gateway will expose Lambda functions as MCP tools that can be discovered and invoked by AI agents.

In [122]:
from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient

# Initialize the Gateway client
client = GatewayClient(region_name=os.environ['AWS_DEFAULT_REGION'])
client.logger.setLevel(logging.DEBUG)

# Create Cognito Authorizer using EZAuth flow
# This automatically creates Cognito User Pool, domain, and OAuth client
cognito_authorizer = client.create_oauth_authorizer_with_cognito("agentcore-gateway-test")

# Create the MCP Gateway with Cognito authentication
gateway = client.create_mcp_gateway(authorizer_config=cognito_authorizer["authorizer_config"])

# Extract gateway identifiers
gatewayID = gateway["gatewayId"]
gatewayUrl = gateway["gatewayUrl"]

print(f"✓ Gateway created successfully!")
print(f"Gateway ID: {gatewayID}")
print(f"Gateway URL: {gatewayUrl}")
print(f"\nNote: The gateway URL will be used to connect MCP clients.")

2026-01-27 16:12:29,394 - bedrock_agentcore.gateway - INFO - Starting EZ Auth setup: Creating Cognito resources...
2026-01-27 16:12:31,324 - bedrock_agentcore.gateway - INFO -   ✓ Created User Pool: eu-central-1_M0u24TQ8R
2026-01-27 16:12:32,455 - bedrock_agentcore.gateway - INFO -   ✓ Created domain: agentcore-f8b117b8
2026-01-27 16:12:32,456 - bedrock_agentcore.gateway - INFO -   ⏳ Waiting for domain to be available...
2026-01-27 16:12:32,532 - bedrock_agentcore.gateway - INFO -   ✓ Domain is active
2026-01-27 16:12:32,852 - bedrock_agentcore.gateway - INFO -   ✓ Created resource server: agentcore-gateway-test
2026-01-27 16:12:33,160 - bedrock_agentcore.gateway - INFO -   ✓ Created client: 2ggnqctruhdplcspij6qohgkrn
2026-01-27 16:12:33,160 - bedrock_agentcore.gateway - INFO -   ⏳ Waiting for DNS propagation of domain: agentcore-f8b117b8.auth.eu-central-1.amazoncognito.com
2026-01-27 16:13:33,165 - bedrock_agentcore.gateway - INFO - ✓ EZ Auth setup complete!
2026-01-27 16:13:33,173 - 

Gateway ID = testgateway255362c6-35twl2csmx
Gateway URL = https://testgateway255362c6-35twl2csmx.gateway.bedrock-agentcore.eu-central-1.amazonaws.com/mcp


## Create Lambda target

In [123]:
# This helper will create a lambda by default
lambda_target = client.create_mcp_gateway_target(gateway=gateway, target_type="lambda")

2026-01-27 16:14:00,328 - bedrock_agentcore.gateway - INFO - ✓ Lambda already exists: arn:aws:lambda:eu-central-1:911101829662:function:AgentCoreLambdaTestFunction
2026-01-27 16:14:00,332 - bedrock_agentcore.gateway - INFO - Creating Target
2026-01-27 16:14:00,332 - bedrock_agentcore.gateway - INFO - {'gatewayIdentifier': 'testgateway255362c6-35twl2csmx', 'name': 'TestGatewayTarget236f11ee', 'targetConfiguration': {'mcp': {'lambda': {'lambdaArn': 'arn:aws:lambda:eu-central-1:911101829662:function:AgentCoreLambdaTestFunction', 'toolSchema': {'inlinePayload': [{'name': 'get_weather', 'description': 'Get weather for a location', 'inputSchema': {'type': 'object', 'properties': {'location': {'type': 'string'}}, 'required': ['location']}}, {'name': 'get_time', 'description': 'Get time for a timezone', 'inputSchema': {'type': 'object', 'properties': {'timezone': {'type': 'string'}}, 'required': ['timezone']}}]}}}}, 'credentialProviderConfigurations': [{'credentialProviderType': 'GATEWAY_IAM_R

## Adding another Lambda 

In [124]:
lambda_target_configuration = {
    'lambdaArn': 'arn:aws:lambda:eu-central-1:911101829662:function:agentCoreGatewayCustomLambda',
    'toolSchema': {
        # 's3': {
        #     'uri': 'string',
        #     'bucketOwnerAccountId': 'string'
        # },
        'inlinePayload': [
            {
                'name': 'get_random_number',
                'description': 'Returning a random number',
                'inputSchema': {
                    'type': 'object',
                    'properties': {},
                    'required': []
                },
                'outputSchema': {
                    'type': 'integer'
                }
            },
        ]
    }
}

response = client.create_mcp_gateway_target(
    gateway=gateway,
    target_type="lambda",
    target_payload=lambda_target_configuration
)

print("✓ Lambda target added\n")
print(f"Lambda Target = {response}")

2026-01-27 16:14:27,096 - bedrock_agentcore.gateway - INFO - Creating Target
2026-01-27 16:14:27,097 - bedrock_agentcore.gateway - INFO - {'gatewayIdentifier': 'testgateway255362c6-35twl2csmx', 'name': 'TestGatewayTargeta7f3f500', 'targetConfiguration': {'mcp': {'lambda': {'lambdaArn': 'arn:aws:lambda:eu-central-1:911101829662:function:agentCoreGatewayCustomLambda', 'toolSchema': {'inlinePayload': [{'name': 'get_random_number', 'description': 'Returning a random number', 'inputSchema': {'type': 'object', 'properties': {}, 'required': []}, 'outputSchema': {'type': 'integer'}}]}}}}, 'credentialProviderConfigurations': [{'credentialProviderType': 'GATEWAY_IAM_ROLE'}]}
2026-01-27 16:14:27,098 - bedrock_agentcore.gateway - DEBUG - Creating target with params: {
  "gatewayIdentifier": "testgateway255362c6-35twl2csmx",
  "name": "TestGatewayTargeta7f3f500",
  "targetConfiguration": {
    "mcp": {
      "lambda": {
        "lambdaArn": "arn:aws:lambda:eu-central-1:911101829662:function:agentCo

✓ Lambda target added

Lambda Target = {'ResponseMetadata': {'RequestId': '94033087-7331-4a2a-9b3e-d280a12819ac', 'HTTPStatusCode': 202, 'HTTPHeaders': {'date': 'Tue, 27 Jan 2026 15:14:27 GMT', 'content-type': 'application/json', 'content-length': '695', 'connection': 'keep-alive', 'x-amzn-requestid': '94033087-7331-4a2a-9b3e-d280a12819ac', 'x-amzn-remapped-x-amzn-requestid': 'a730ced5-36cc-4f77-bf8c-c81041790635', 'x-amzn-remapped-content-length': '695', 'x-amzn-remapped-connection': 'keep-alive', 'x-amz-apigw-id': 'X2ZtDEhSFiAENjw=', 'x-amzn-trace-id': 'Root=1-6978d653-51631f9549f15a6979931636', 'x-amzn-remapped-date': 'Tue, 27 Jan 2026 15:14:27 GMT'}, 'RetryAttempts': 0}, 'gatewayArn': 'arn:aws:bedrock-agentcore:eu-central-1:911101829662:gateway/testgateway255362c6-35twl2csmx', 'targetId': 'OEIDUPBOWX', 'createdAt': datetime.datetime(2026, 1, 27, 15, 14, 27, 367099, tzinfo=tzutc()), 'updatedAt': datetime.datetime(2026, 1, 27, 15, 14, 27, 367111, tzinfo=tzutc()), 'status': 'CREATING'

## Call the MCP tools from Strands Agents

In [130]:
from strands import Agent
from strands.models import BedrockModel
from strands.tools.mcp.mcp_client import MCPClient
from mcp.client.streamable_http import streamablehttp_client 

# Refresh the access token to ensure it's valid
access_token = client.get_access_token_for_cognito(cognito_authorizer["client_info"])
print(f"✓ Refreshed access token")

# Ensure the gateway URL ends with /mcp
mcp_url = gatewayUrl if gatewayUrl.endswith('/mcp') else f"{gatewayUrl}/mcp"
print(f"✓ Using gateway URL: {mcp_url}")

streamable_http_mcp_client = MCPClient(
    lambda: streamablehttp_client(
        url=mcp_url,
        headers={"Authorization": f"Bearer {access_token}"}
    )    
)

# Start the MCP client and keep it running
streamable_http_mcp_client.start()
print(f"✓ MCP client started")

# Get tools while client is running
tools = streamable_http_mcp_client.list_tools_sync()
print(f"✓ Successfully connected! Found {len(tools)} tools")

# Create agent with the tools
model = BedrockModel(model_id="eu.amazon.nova-pro-v1:0")
agent = Agent(model=model, tools=tools)
print(f"Tools loaded in the agent are {agent.tool_names}")
print(f"\n⚠️  IMPORTANT: Keep the MCP client running while using the agent!")
print(f"   Use streamable_http_mcp_client.stop() when done.")




2026-01-27 16:27:51,112 - bedrock_agentcore.gateway - INFO - Fetching test token from Cognito...
2026-01-27 16:27:51,113 - bedrock_agentcore.gateway - INFO -   Attempting to connect to token endpoint: https://agentcore-f8b117b8.auth.eu-central-1.amazoncognito.com/oauth2/token
2026-01-27 16:27:51,801 - bedrock_agentcore.gateway - INFO - ✓ Got test token successfully


✓ Refreshed access token
✓ Using gateway URL: https://testgateway255362c6-35twl2csmx.gateway.bedrock-agentcore.eu-central-1.amazonaws.com/mcp
✓ MCP client started
✓ Successfully connected! Found 4 tools
Tools loaded in the agent are ['x_amz_bedrock_agentcore_search', 'TestGatewayTarget236f11ee___get_time', 'TestGatewayTarget236f11ee___get_weather', 'TestGatewayTargeta7f3f500___get_random_number']

⚠️  IMPORTANT: Keep the MCP client running while using the agent!
   Use streamable_http_mcp_client.stop() when done.


## Invoking the agent

In [131]:
# Make sure the MCP client is still running (it should be from Cell 10)
# The agent needs the client session to be active to call tools
response = agent("Get the time for PST")
print("Response: ", response)

<thinking> The user has requested the time for the Pacific Standard Time (PST) timezone. I need to use the `TestGatewayTarget236f11ee___get_time` tool to get the current time for this timezone. </thinking>

Tool #1: TestGatewayTarget236f11ee___get_time
The current time in the Pacific Standard Time (PST) timezone is 2:30 PM.Response:  The current time in the Pacific Standard Time (PST) timezone is 2:30 PM.



## Clean up

In [132]:
# Stop the MCP client if it's running
try:
    if streamable_http_mcp_client.is_running():
        streamable_http_mcp_client.stop()
        print("✓ MCP client stopped")
except:
    pass

# Clean up gateway resources
client.delete_gateway_target(gatewayID, lambda_target["targetId"])
client.delete_gateway(gatewayID)
print("✓ Gateway resources cleaned up")

2026-01-27 16:28:16,201 - bedrock_agentcore.gateway - ERROR - target_id or target_name required
2026-01-27 16:28:16,420 - bedrock_agentcore.gateway - ERROR - Gateway has 2 target(s). Delete them first.


✓ Gateway resources cleaned up


## Summary

This notebook demonstrated how to:

1. ✅ **Create an AgentCore Gateway** with Cognito-based OAuth authentication
2. ✅ **Register Lambda functions** as MCP tools with custom schemas
3. ✅ **Connect Strands Agents** to discover and use Lambda-backed tools
4. ✅ **Invoke tools** through AI agents using natural language

## Key Takeaways

- **AgentCore Gateway** bridges AWS Lambda functions and AI agents via MCP protocol
- **EZAuth flow** simplifies Cognito setup for OAuth authentication
- **Multiple targets** can be registered, each exposing different Lambda functions
- **Tool schemas** define how Lambda functions are exposed to agents
- **MCP client** must remain active while agents are using tools

## Next Steps

- Register your own Lambda functions with custom tool schemas
- Explore S3-based tool schemas for larger configurations
- Integrate with other AI agent frameworks that support MCP
- Set up monitoring and logging for production deployments

## Additional Resources

- [AWS Bedrock AgentCore Documentation](https://docs.aws.amazon.com/bedrock/)
- [Model Context Protocol Specification](https://modelcontextprotocol.io/)
- [Strands Agents Documentation](https://github.com/strands-ai/strands-agents)
- [Bedrock AgentCore Starter Toolkit](https://github.com/aws-samples/bedrock-agentcore-starter-toolkit)

---

**Note**: This is a sample implementation. For production use, ensure proper error handling, security best practices, and resource management.