**Help improve this page** To contribute to this user guide, choose the **Edit this page on GitHub** link that is located in the right pane of every page. # Amazon EKS Model Context Protocol (MCP) Server Model Context Protocol (MCP) The Amazon EKS MCP server is a fully managed service enabling AI powered experiences for development and operations. [Model Context Protocol (MCP)](https://modelcontextprotocol.io/docs/getting-started/intro) provides a standardized interface that enriches AI agents and applications with real-time, contextual knowledge of your EKS clusters and Kubernetes resources, enabling more accurate, context-aware responses and AI-powered workflows throughout the application lifecycle, from initial setup through production optimization, and troubleshooting. **Note** The Amazon EKS MCP Server is in preview release for Amazon EKS and is subject to change. ## Overview The EKS MCP server can be easily integrated with any MCP compatible AI coding assistant to enhance your development workflow like [Kiro](https://kiro.dev/?trk=4e1f440a-99e0-4ad0-9a9c-6b04723ec916&sc_channel=ps&ef_id=CjwKCAiAwqHIBhAEEiwAx9cTecSJYyUgoD93aVmUNglC8epCwc2HOHHTH-dtL6FbZJaD0xmrNjN1uxoCnaUQAvD_BwE:G:s&s_kwcid=AL!4422!3!773515754057!e!!g!!aws%20kiro!23000458260!188935657567&gad_source=1&gad_campaignid=23000458260&gclid=CjwKCAiAwqHIBhAEEiwAx9cTecSJYyUgoD93aVmUNglC8epCwc2HOHHTH-dtL6FbZJaD0xmrNjN1uxoCnaUQAvD_BwE), [Amazon Q Developer](https://docs.amazonaws.cn/amazonq/latest/qdeveloper-ug/command-line.html) CLI, or third party tools like [Cursor](https://cursor.com/) or [Cline](https://cline.bot/). When getting started, the EKS MCP server guides you through cluster creation, automatically provisioning prerequisites and applying Amazon best practices. During development, it simplifies EKS and Kubernetes operations by providing high-level workflows for application deployment and cluster management. For debugging and troubleshooting, the server accelerates issue-resolution through integrated troubleshooting aids and knowledge base access available on the EKS console and your favorite AI assistants. These capabilities are accessible through natural language interactions, enabling you to perform complex Kubernetes operations more intuitively and efficiently. The fully managed EKS MCP server is hosted in the Amazon cloud, eliminating the need for local installation and maintenance. It provides enterprise-grade capabilities like automatic updates and patching, centralized security through Amazon IAM integration, comprehensive audit logging via Amazon CloudTrail, and the proven scalability, reliability, and support of Amazon. The fully managed EKS MCP server hosted in the Amazon cloud offers the following key benefits: + **Eliminate installation and maintenance.** With the EKS MCP server being hosted in the Amazon cloud, you no longer need manage version updates, or troubleshoot local server issues. Simply configure your AI assistant to connect to the hosted EKS MCP server endpoint, and you’re ready to start working with your EKS clusters. + **Centralized access management.** The EKS MCP server integrates with [IAM](https://www.amazonaws.cn/iam/), providing a centralized, secure way to control access to the server. All requests are signed using [Amazon SigV4](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_sigv.html) through a lightweight proxy, enabling seamless integration with your existing Amazon credentials and IAM policies. + **Enhanced monitoring and visibility.** Amazon CloudTrail integration captures initialization and full access tool calls made through the hosted service, enabling detailed audit trails and compliance reporting. + **Always up-to-date.** Receive new tools, features, and bug fixes automatically without needing to update local installations. The hosted service is continuously improved based on your feedback and Amazon best practices. ## Integration examples The EKS MCP Server provides several tools that you can use to: + **Manage your cluster** Create, configure, and manage EKS clusters with automated best practices. + **Manage Kubernetes resources** Deploy applications, manage Kubernetes resources, and inspect cluster state. + **Troubleshoot your cluster** Diagnose issues using integrated troubleshooting tools and knowledge base of runbooks + **Query documentation** Search and retrieve relevant EKS documentation contextually. ### Explore your clusters ``` Show me all EKS clusters and their status What insights does EKS have about my production-cluster? Show me the VPC configuration for my staging cluster ``` ### Check Kubernetes resources ``` List all deployments in the production namespace Show me pods that are not in Running state Get the logs from the api-server pod in the last 30 minutes ``` ### Troubleshoot issues ``` Why is my nginx-ingress-controller pod failing to start? Search the EKS troubleshooting guide for pod networking issues Show me events related to the failed deployment in the staging namespace ``` ### Create resources (if "write" mode is enabled) ``` Create a new EKS cluster named demo-cluster with VPC and Auto Mode Deploy my containerized app from ECR to the production namespace with 3 replicas Generate a Kubernetes deployment YAML for my Node.js app running on port 3000 ``` ## Get started To get started, see [Getting Started with the Amazon EKS MCP Server](eks-mcp-getting-started.md). # Getting Started with the Amazon EKS MCP Server Get started This guide walks you through the steps to setup and use the EKS MCP Server with your AI code assistants. You’ll learn how to configure your environment, connect to the server, and start managing your EKS clusters through natural language interactions. **Note** The Amazon EKS MCP Server is in preview release for Amazon EKS and is subject to change. ## Prerequisites Before you start, make sure you have performed the following tasks: + [Create an Amazon account with access to Amazon EKS](https://www.amazonaws.cn/resources/create-account/) + [Install and configure the Amazon CLI with credentials](https://docs.amazonaws.cn/cli/latest/userguide/cli-chap-configure.html) + [Install Python 3.10\$1](https://www.python.org/downloads/release/python-3100/) + [Install `uv`](https://docs.astral.sh/uv/getting-started/installation/) ## Setup ### 1. Verify prerequisites ``` # Check that your Python version is 3.10 or higher python3 --version # Check uv installation uv --version # Verify CLI configuration aws configure list ``` ### 2. Setup IAM permissions To connect to the EKS MCP server, your [IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) must have the following policies attached: ** `eks-mcp:InvokeMcp` ** (required permissions for initialization and retrieving information about available tools), ** `eks-mcp:CallReadOnlyTool` ** (required permissions for usage of read only tools), and ** `eks-mcp:CallPrivilegedTool` ** (required permissions for usage of full access (write) tools). These `eks-mcp` permissions are included in the read-only and full-access Amazon managed policies provided, below. + Open the [IAM console](https://console.amazonaws.cn/iam/). + In the left navigation pane, choose **Users**, **User groups**, or **Roles** depending on the identity you want to attach the policy to, then the name of the specific user, group, or role. + Choose the **Permissions** tab. + Choose **Attach policies** (or **Add permissions** if it’s the first time). + In the policy list, search for and select the managed policy you want to attach: + **Read-only operations**: AmazonEKSMCPReadOnlyAccess + Choose **Attach policies** (or **Next** and then **Add permissions** to confirm). This attaches the policy, and the permissions take effect immediately. You can attach multiple policies to the same identity, and each can contain various permissions. To learn more about these policies, see [Amazon managed policies for Amazon Elastic Kubernetes Service](https://docs.amazonaws.cn/eks/latest/userguide/security-iam-awsmanpol.html). ### 3. Choose an AI assistant Choose one of the following MCP-compatible AI assistants or any MCP-compatible tool: + [Install Amazon Q Developer CLI](https://docs.amazonaws.cn/amazonq/latest/qdeveloper-ug/command-line-installing.html) + [Install Kiro](https://kiro.dev/docs/getting-started/installation/) + [Install Cursor](https://cursor.com/download) + [Install Cline VS Code Extension](https://marketplace.visualstudio.com/items?itemName=saoudrizwan.claude-dev) ## Step 1: Configure your AI assistant Choose from any one of the following options to setup your AI code assistant. Completing this step sets up your AI code assistant to use the MCP Proxy for Amazon, which is required for secure, authenticated access to the Amazon EKS MCP Server. This involves adding or editing the MCP configuration file (e.g., `~/.aws/amazonq/mcp.json` for Amazon Q Developer CLI). The proxy acts as a client-side bridge, handling Amazon SigV4 authentication using your local Amazon credentials and enabling dynamic tool discovery for interacting with backend Amazon MCP servers like the EKS MCP Server. To learn more, see the [https://github.com/aws/mcp-proxy-for-aws](https://github.com/aws/mcp-proxy-for-aws). ### Option A: Amazon Q Developer CLI The Q Developer CLI provides the most integrated experience with the EKS MCP Server. #### 1. Locate MCP Configuration File + **macOS/Linux**: `~/.aws/q/mcp.json` + **Windows**: `%USERPROFILE%\.aws\q\mcp.json` #### 2. Add MCP Server Configuration Create the configuration file if it doesn’t exist. Be sure to replace the region (`{region}`) placeholder with your desired region. **For Mac/Linux:** ``` { "mcpServers": { "eks-mcp": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "mcp-proxy-for-aws@latest", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "default", "--region", "{region}" ] } } } ``` **For Windows:** ``` { "mcpServers": { "eks-mcp": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "--from", "mcp-proxy-for-aws@latest", "mcp-proxy-for-aws.exe", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "default", "--region", "{region}" ] } } } ``` **Security note**: `--read-only` can be used to only allow read-only tool operations. #### 3. Verify Configuration Restart Q Developer CLI, then check available tools: ``` q /tools ``` ### Option B: Kiro IDE Kiro is an AI-first coding workspace with built-in [MCP support](https://kiro.dev/docs/mcp/). #### 1. Open Kiro Settings + Open Kiro + Go to **Kiro** → **Settings** and search for "MCP Config" + Or press `Cmd+Shift+P,` (Mac) or `Ctrl+Shift+P,` (Windows/Linux) and search for "MCP Config" #### 2. Add MCP Server Configuration + Click "Open Workspace MCP Config" or "Open User MCP Config" to edit the MCP configuration file directly. Be sure to replace the region (`{region}`) placeholder with your desired region. **For Mac/Linux:** ``` { "mcpServers": { "eks-mcp": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "mcp-proxy-for-aws@latest", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "default", "--region", "{region}" ] } } } ``` **For Windows:** ``` { "mcpServers": { "eks-mcp": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "--from", "mcp-proxy-for-aws@latest", "mcp-proxy-for-aws.exe", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "default", "--region", "{region}" ] } } } ``` **Security note**: `--read-only` can be used to only allow read-only tool operations. ### Option C: Cursor IDE Cursor provides built-in MCP support with a graphical configuration interface. #### 1. Open Cursor Settings + Open Cursor + Go to **Settings** → **Cursor Settings** → **Tools & MCP** + Or press `Cmd+Shift+P` (Mac) / `Ctrl+Shift+P` (Windows) and search for "MCP" #### 2. Add MCP Server Configuration + Click "New MCP Server" Create the configuration file if it doesn’t exist. Be sure to replace the region (`{region}`) placeholder with your desired region. **For Mac/Linux:** ``` { "mcpServers": { "eks-mcp": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "mcp-proxy-for-aws@latest", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "default", "--region", "{region}" ] } } } ``` **For Windows:** ``` { "mcpServers": { "eks-mcp": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "--from", "mcp-proxy-for-aws@latest", "mcp-proxy-for-aws.exe", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "default", "--region", "{region}" ] } } } ``` **Security note**: `--read-only` can be used to only allow read-only tool operations. #### 3. Restart Cursor Close and reopen Cursor for the changes to take effect. #### 4. Verify in Cursor chat Open the chat panel and try: ``` What EKS MCP tools are available? ``` You should see a list of available EKS management tools. ### Option D: Cline (VS Code Extension) Cline is a popular VS Code extension that brings AI assistance directly into your editor. #### 1. Open Cline Settings + Open Cline + Press `Cmd+Shift+P` (Mac) / `Ctrl+Shift+P` (Windows) and search for "MCP" #### 2. Add MCP Server Configuration + Click "Add Server" + Click "Open User Configuration" Create the configuration file if it doesn’t exist. Be sure to replace the region (`{region}`) placeholder with your desired region. **For Mac/Linux:** ``` { "mcpServers": { "eks-mcp": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "mcp-proxy-for-aws@latest", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "default", "--region", "{region}" ] } } } ``` **For Windows:** ``` { "mcpServers": { "eks-mcp": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "--from", "mcp-proxy-for-aws@latest", "mcp-proxy-for-aws.exe", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "default", "--region", "{region}" ] } } } ``` **Security note**: `--read-only` can be used to only allow read-only tool operations. #### 2. Reload VS Code Press `Cmd+Shift+P` / `Ctrl+Shift+P` and select "Developer: Reload Window" #### 3. Verify configuration Open Cline and ask: ``` List the available MCP tools for EKS ``` ## Step 2: (Optional) Create a "write" policy Optionally, you can create a [customer-managed IAM policy](https://docs.amazonaws.cn/privateca/latest/userguide/auth-CustManagedPolicies.html) that provides full access to the Amazon EKS MCP server. This policy grants permissions to use all tools in the EKS MCP server, including both privileged tools that may involve write operations and read-only tools. Note that high-risk permissions (anything with Delete\$1, or unrestricted IAM resource) are included in this policy, as they’re required for setup/teardown of the cluster resources in the **manage\$1eks\$1stacks** tool. ``` aws iam create-policy \ --policy-name EKSMcpWriteManagementPolicy \ --policy-document "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"eks:DescribeCluster\", \"eks:ListClusters\", \"eks:DescribeNodegroup\", \"eks:ListNodegroups\", \"eks:DescribeAddon\", \"eks:ListAddons\", \"eks:DescribeAccessEntry\", \"eks:ListAccessEntries\", \"eks:DescribeInsight\", \"eks:ListInsights\", \"eks:AccessKubernetesApi\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"eks:CreateCluster\", \"eks:DeleteCluster\", \"eks:CreateAccessEntry\", \"eks:TagResource\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"iam:GetRole\", \"iam:ListRolePolicies\", \"iam:ListAttachedRolePolicies\", \"iam:GetRolePolicy\", \"iam:GetPolicy\", \"iam:GetPolicyVersion\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"iam:TagRole\", \"iam:CreateRole\", \"iam:AttachRolePolicy\", \"iam:PutRolePolicy\", \"iam:DetachRolePolicy\", \"iam:DeleteRole\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"iam:PassRole\"], \"Resource\": \"*\", \"Condition\": {\"StringEquals\": {\"iam:PassedToService\": [\"eks.amazonaws.com\", \"ec2.amazonaws.com\"]}}}, {\"Effect\": \"Allow\", \"Action\": [\"ec2:CreateVpc\", \"ec2:CreateSubnet\", \"ec2:CreateRouteTable\", \"ec2:CreateRoute\", \"ec2:CreateInternetGateway\", \"ec2:CreateNatGateway\", \"ec2:CreateSecurityGroup\", \"ec2:AttachInternetGateway\", \"ec2:AssociateRouteTable\", \"ec2:ModifyVpcAttribute\", \"ec2:ModifySubnetAttribute\", \"ec2:AllocateAddress\", \"ec2:CreateTags\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"ec2:DeleteVpc\", \"ec2:DeleteSubnet\", \"ec2:DisassociateRouteTable\", \"ec2:DeleteRouteTable\", \"ec2:DeleteRoute\", \"ec2:DetachInternetGateway\", \"ec2:DeleteInternetGateway\", \"ec2:DeleteNatGateway\", \"ec2:ReleaseAddress\", \"ec2:DeleteSecurityGroup\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"ec2:DescribeVpcs\", \"ec2:DescribeSubnets\", \"ec2:DescribeRouteTables\", \"ec2:DescribeInternetGateways\", \"ec2:DescribeNatGateways\", \"ec2:DescribeAddresses\", \"ec2:DescribeSecurityGroups\", \"ec2:DescribeAvailabilityZones\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"cloudformation:CreateStack\", \"cloudformation:UpdateStack\", \"cloudformation:DeleteStack\", \"cloudformation:DescribeStacks\", \"cloudformation:TagResource\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"sts:GetCallerIdentity\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"logs:StartQuery\", \"logs:GetQueryResults\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"cloudwatch:GetMetricData\"], \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"eks-mcp:*\"], \"Resource\": \"*\"}]}" ``` ## Step 3: Verify your setup ### Test connection Ask your AI assistant a simple question to verify the connection: ``` List all EKS clusters in my {aws} account ``` You should see a list of your EKS clusters. ## Step 4: Run your first tasks ### Example 1: Explore your clusters ``` Show me all EKS clusters and their status What insights does EKS have about my production-cluster? Show me the VPC configuration for my staging cluster ``` ### Example 2: Check Kubernetes resources ``` Get the details of all the kubernetes resources deployed in my EKS cluster Show me pods that are not in Running state or pods with any restarts Get the logs from the aws-node daemonset in the last 30 minutes ``` ### Example 3: Troubleshoot issues ``` Why is my nginx-ingress-controller pod failing to start? Search the EKS troubleshooting guide for pod networking issues Show me events related to the failed deployment in the staging namespace ``` ### Example 4: Create resources (if "write" mode is enabled) ``` Create a new EKS cluster named demo-cluster with VPC and Auto Mode Deploy my containerized app from ECR to the production namespace with 3 replicas Generate a Kubernetes deployment YAML for my Node.js app running on port 3000 ``` ## Common configurations ### Scenario 1: Multiple Amazon profiles If you work with multiple Amazon accounts, create separate MCP server configurations. **For Mac/Linux:** ``` { "mcpServers": { "eks-mcp-prod": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "mcp-proxy-for-aws@latest", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "production", "--region", "us-west-2" ] }, "eks-mcp-dev": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "mcp-proxy-for-aws@latest", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "development", "--region", "us-east-1" ] } } } ``` **For Windows:** ``` { "mcpServers": { "eks-mcp-prod": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "--from", "mcp-proxy-for-aws@latest", "mcp-proxy-for-aws.exe", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "production", "--region", "us-west-2" ] }, "eks-mcp-dev": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "--from", "mcp-proxy-for-aws@latest", "mcp-proxy-for-aws.exe", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "development", "--region", "us-east-1" ] } } } ``` ### Scenario 2: Read-only for production Create a read-only configuration for production environments. **For Mac/Linux:** ``` { "mcpServers": { "eks-mcp-prod-readonly": { "command": "uvx", "args": [ "mcp-proxy-for-aws@latest", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "production", "--region", "us-west-2", "--read-only" ], "autoApprove": [ "list_k8s_resources", "get_pod_logs", "get_k8s_events" ] } } } ``` **For Windows:** ``` { "mcpServers": { "eks-mcp-prod-readonly": { "command": "uvx", "args": [ "--from", "mcp-proxy-for-aws@latest", "mcp-proxy-for-aws.exe", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "production", "--region", "us-west-2", "--read-only" ], "autoApprove": [ "list_k8s_resources", "get_pod_logs", "get_k8s_events" ] } } } ``` ### Scenario 3: Development with full access For development environments with full write access. **For Mac/Linux:** ``` { "mcpServers": { "eks-mcp-dev-full": { "command": "uvx", "args": [ "mcp-proxy-for-aws@latest", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "development", "--region", "us-east-1" ] } } } ``` **For Windows:** ``` { "mcpServers": { "eks-mcp-dev-full": { "command": "uvx", "args": [ "--from", "mcp-proxy-for-aws@latest", "mcp-proxy-for-aws.exe", "https://eks-mcp.{region}.api.aws/mcp", "--service", "eks-mcp", "--profile", "development", "--region", "us-east-1" ] } } } ``` ## Considerations ### Security Do not pass secrets or sensitive information via allowed input mechanisms: + Do not include secrets or credentials in YAML files applied with apply\$1yaml. + Do not pass sensitive information directly in the prompt to the model. + Do not include secrets in CloudFormation templates or application manifests. + Avoid using MCP tools for creating Kubernetes Secrets, as this would require providing the secret data to the model. + Avoid logging sensitive information in application logs within Kubernetes pods. YAML content security: + Only use YAML files from trustworthy sources. + The server relies on Kubernetes API validation for YAML content and does not perform its own validation. + Audit YAML files before applying them to your cluster. Instead of passing secrets through MCP: + Use [Amazon Secrets Manager](https://docs.amazonaws.cn/secretsmanager/latest/userguide/intro.html) or [Parameter Store](https://docs.amazonaws.cn/systems-manager/latest/userguide/systems-manager-parameter-store.html) to store sensitive information. + Configure proper Kubernetes RBAC for service accounts. + Use IAM roles for service accounts (IRSA) for Amazon service access from pods. Redaction of sensitive data: + The EKS MCP Server automatically redacts common patterns for security tokens, certificates, and other sensitive information in tool responses. + Redacted values are replaced with `HIDDEN_FOR_SECURITY_REASONS` to avoid accidentally exposing data to the model. + This redaction applies to all tool responses including logs, resource descriptions, and configuration data. ## Next up For configuration options, see [Amazon EKS MCP Server Configuration Reference](eks-mcp-tool-configurations.md). For a complete list of tools, see [Amazon EKS MCP Server Tools Reference](eks-mcp-tools.md). # Amazon EKS MCP Server Configuration Reference Configuration This guide shows all the configurations available for the [https://github.com/aws/mcp-proxy-for-aws](https://github.com/aws/mcp-proxy-for-aws) client-side tool that allows you to connect to the fully managed Amazon EKS MCP Server from your IDE. **Note** The Amazon EKS MCP Server is in preview release for Amazon EKS and is subject to change. ## Example ``` { "mcpServers": { "eks-mcp": { "disabled": false, "type": "stdio", "command": "uvx", "args": [ "mcp-proxy-for-aws@latest", "https://eks-mcp.us-west-2.api.aws/mcp", "--service", "eks-mcp", "--profile", "default", "--region", "us-east-1", "--read-only" ] } } } ``` ## IAM permissions The role used for connecting to the MCP server requires ** `eks-mcp:InvokeMcp` ** permissions for initialization and retrieving information about available tools. ** `eks-mcp:CallReadOnlyTool` ** is required for usage of read only tools and ** `eks-mcp:CallPrivilegedTool` ** is required for usage of full access (write) tools. ## Environment variables ** `AWS_PROFILE` ** (optional) Amazon credentials profile name to use; can be overridden by the `--profile` command-line argument. + Example: `export AWS_PROFILE=production` ** `AWS_REGION` ** (optional) Amazon region for SigV4 signing; defaults to `us-west-2` if not set. + Example: `export AWS_REGION=us-east-1` ## Arguments **SigV4 MCP endpoint URL** (required) The MCP endpoint URL to connect to. + Example: `https://eks-mcp.us-west-2.api.aws/mcp` ** `--service` ** (optional) Amazon service name for SigV4 signing; auto-detected from the endpoint hostname if not provided. + Example: `--service eks-mcp` ** `--profile` ** (optional) Amazon credentials profile to use. Defaults to the `AWS_PROFILE` environment variable if not specified. + Example: `--profile production` ** `--region` ** Amazon region to use. Uses `AWS_REGION` environment variable if not set, defaults to `us-east-1`. + Example: `--region us-west-2` ** `--read-only` ** (optional) Disable tools which may require write permissions (tools which DO NOT require write permissions are annotated with readOnlyHint=true). By default, all tools are enabled. + Example: `--read-only` For more configuration options, see [Configuration parameters](https://github.com/aws/mcp-proxy-for-aws?tab=readme-ov-file#configuration-parameters). ## Tools For detailed information about all available tools, including parameters and usage examples, see [Amazon EKS MCP Server Tools Reference](eks-mcp-tools.md). # Amazon EKS MCP Server Tools Reference Tools The server exposes the following [MCP tools](https://modelcontextprotocol.io/docs/concepts/tools). **Note** The Amazon EKS MCP Server is in preview release for Amazon EKS and is subject to change. ## Read only tools This section describes the read-only tools available for the EKS MCP Server. Note that all read-only Kubernetes API operations can access both: + **Private clusters** (see [Cluster private endpoint](https://docs.amazonaws.cn/eks/latest/userguide/cluster-endpoint.html#cluster-endpoint-private)) + **Public clusters** ## search\$1eks\$1documentation Search EKS documentation for up-to-date information and guidance. This tool provides access to the latest EKS documentation, including new features and recent enhancements that agents may not be aware of. Parameters: + **query** (required): Your specific question or search query related to EKS documentation, features, or best practices. + **limit** (optional): Maximum number of documentation results to return (1-10). Default: 5. ## search\$1eks\$1troubleshooting\$1guide Searches the EKS Troubleshoot Guide for troubleshooting information based on a query. It helps identify common problems and provides step-by-step solutions. Parameters: + **query** (required): Your specific question or issue description related to EKS troubleshooting. ## describe\$1eks\$1resource Retrieves detailed information about a specific EKS cluster resource including configuration, status, and metadata. Parameters: + **cluster\$1name** (required): Name of the EKS cluster (required for cluster-scoped resources). + **resource\$1type** (required): The EKS resource type to describe. Valid values: + accessentry (requires cluster\$1name and resource\$1name as principalArn) + addon (requires cluster\$1name and resource\$1name as addon name) + cluster (requires cluster\$1name), nodegroup (requires cluster\$1name and resource\$1name as nodegroup name). + **resource\$1name** (optional): Name of the specific resource to describe (required for most resource types). ## list\$1eks\$1resources Lists EKS resources of a specific type, returning a summary of all resources of the specified type that are accessible. Parameters: + **resource\$1type** (required): The EKS resource type to list. Valid values: + accessentry (requires cluster\$1name) + addon (requires cluster\$1name) + cluster (no additional parameters required) + nodegroup (requires cluster\$1name). + **cluster\$1name** (optional): Name of the EKS cluster (required for cluster-scoped resources). ## get\$1eks\$1insights Retrieves EKS cluster insights and recommendations for optimization. Provides actionable insights for security, performance, and cost optimization based on Amazon best practices and cluster analysis. Parameters: + **cluster\$1name** (required): Name of the EKS cluster. + **category** (optional): Optional category to filter insights by (e.g., "MISCONFIGURATION" or "UPGRADE\$1READINESS"). + **insight\$1id** (optional): Optional ID of a specific insight to get detailed information for. + **next\$1token** (optional): Optional token for pagination to get the next set of results. ## get\$1eks\$1vpc\$1config Retrieves VPC configuration for an EKS cluster, including subnets, route tables, and network connectivity. Parameters: + **cluster\$1name** (required): Name of the EKS cluster to get VPC configuration for. + **vpc\$1id** (optional): ID of the specific VPC to query (optional, will use cluster VPC if not specified). ## get\$1k8s\$1events Retrieves Kubernetes events related to specific resources for troubleshooting and monitoring. Parameters: + **cluster\$1name** (required): Name of the EKS cluster where the resource is located. + **kind** (required): Kind of the involved object (e.g., "Pod", "Deployment", "Service"). Must match the resource kind exactly. + **name** (required): Name of the involved object to get events for. + **namespace** (optional): Namespace of the involved object. Required for namespaced resources (like Pods, Deployments). Not required for cluster-scoped resources (like Nodes, PersistentVolumes). ## get\$1pod\$1logs Retrieves logs from pods in an EKS cluster with filtering options. Parameters: + **cluster\$1name** (required): Name of the EKS cluster where the pod is running. + **namespace** (required): Kubernetes namespace where the pod is located. + **pod\$1name** (required): Name of the pod to retrieve logs from. + **container\$1name** (optional): Name of the specific container to get logs from. Required only if the pod contains multiple containers. + **limit\$1bytes** (optional): Maximum number of bytes to return. Default: 10KB (10240 bytes). + **previous** (optional): Return previous terminated container logs (defaults to false). Useful to get logs for pods that are restarting. + **since\$1seconds** (optional): Only return logs newer than this many seconds. Useful for getting recent logs without retrieving the entire history. + **tail\$1lines** (optional): Number of lines to return from the end of the logs. Default: 100. ## list\$1api\$1versions Lists all available API versions in the specified Kubernetes cluster. Parameters: + **cluster\$1name** (required): Name of the EKS cluster. ## list\$1k8s\$1resources Lists Kubernetes resources of a specific kind in an EKS cluster. Parameters: + **cluster\$1name** (required): Name of the EKS cluster where the resources are located. + **kind** (required): Kind of the Kubernetes resources to list (e.g., 'Pod', 'Service', 'Deployment'). Use the `list_api_versions` tool to find available resource kinds. + **api\$1version** (required): API version of the Kubernetes resources (e.g., 'v1', 'apps/v1', 'networking.k8s.io/v1'). Use the `list_api_versions` tool to find available API versions. + **field\$1selector** (optional): Field selector to filter resources (e.g., 'metadata.name=my-pod,status.phase=Running'). Uses the same syntax as kubectl’s --field-selector flag. + **label\$1selector** (optional): Label selector to filter resources (e.g., 'app=nginx,tier=frontend'). Uses the same syntax as kubectl’s `--selector` flag. + **namespace** (optional): Namespace of the Kubernetes resources to list. If not provided, resources will be listed across all namespaces (for namespaced resources). ## read\$1k8s\$1resource Retrieves detailed information about a specific Kubernetes resource in an EKS cluster. Parameters: + **api\$1version** (required): API version of the Kubernetes resource (e.g., "v1", "apps/v1", "networking.k8s.io/v1"). + **cluster\$1name** (required): Name of the EKS cluster where the resource is located. + **kind** (required): Kind of the Kubernetes resource (e.g., "Pod", "Service", "Deployment"). + **name** (required): Name of the Kubernetes resource to read. + **namespace** (optional): Namespace of the Kubernetes resource. Required for namespaced resources. Not required for cluster-scoped resources (like Nodes, PersistentVolumes). ## generate\$1app\$1manifest Generates standardized Kubernetes deployment and service manifests for containerized applications. Parameters: + **app\$1name** (required): Name of the application. Used for deployment and service names, and for labels. + **image\$1uri** (required): Full ECR image URI with tag (e.g., 123456789012.dkr.ecr.region.amazonaws.com/repo:tag). Must include the full repository path and tag. + **load\$1balancer\$1scheme** (optional): Amazon load balancer scheme. Valid values: + "internal" (private VPC only) + "internet-facing" (public access). + Default: "internal". + **cpu** (optional): CPU request for each container (e.g., "100m" for 0.1 CPU cores, "500m" for half a core). Default: "100m". + **memory** (optional): Memory request for each container (e.g., "128Mi" for 128 MiB, "1Gi" for 1 GiB). Default: "128Mi" + **namespace** (optional): Kubernetes namespace to deploy the application to. Default: "default". + **port** (optional): Container port that the application listens on. Default: 80 + **replicas** (optional): Number of replicas to deploy. Default: 2 ## get\$1cloudwatch\$1logs Queries CloudWatch logs with filtering based on the input parameters and support for standard log groups used for EKS cluster observability. Parameters: + **cluster\$1name** (required): Name of the EKS cluster where the resource is located. Used to construct the CloudWatch log group name. + **resource\$1type** (required): Resource type to search logs for. Valid values: \$1"pod", "node", "container", "cluster". This determines how logs are filtered. + **log\$1type** (required): Log type to query. Valid values: + "application": Container/application logs + "host": Node-level system logs + "performance": Performance metrics logs + "control-plane": EKS control plane logs + "your-log-group-name": Provide a custom CloudWatch log group name directly. + **resource\$1name** (optional): Resource name to search for in log messages (e.g., pod name, node name, container name). Used to filter logs for the specific resource. + **minutes** (optional): Number of minutes to look back for logs. Default: 15. Ignored if start\$1time is provided. Use smaller values for recent issues, larger values for historical analysis. + **start\$1time** (optional): Start time in ISO format (e.g., "2023-01-01T00:00:00Z"). If provided, overrides the minutes parameter. + **end\$1time** (optional): End time in ISO format (e.g., "2023-01-01T01:00:00Z"). If not provided, defaults to current time. + **fields** (optional): Custom fields to include in the query results (defaults to "@timestamp, @message"). Use CloudWatch Logs Insights field syntax. + **filter\$1pattern** (optional): Additional CloudWatch Logs filter pattern to apply. Uses CloudWatch Logs Insights syntax (e.g., "ERROR", "field=value"). + **limit** (optional): Maximum number of log entries to return. Use lower values (10-50) for faster queries, higher values (100-1000) for more comprehensive results. Higher values may impact performance. ## get\$1cloudwatch\$1metrics Retrieves CloudWatch metrics and data points for EKS cluster monitoring and performance analysis. Handles Container Insights metrics, custom metrics, and configurable time periods and dimensions. Parameters: + **cluster\$1name** (required): Name of the EKS cluster to get metrics for. + **dimensions** (required): Dimensions to use for the CloudWatch metric query as a JSON string. Must include appropriate dimensions for the resource type and metric (e.g., '\$1"ClusterName": "my-cluster", "PodName": "my-pod", "Namespace": "default"\$1'). + **metric\$1name** (required): Metric name to retrieve. Common examples: + `cpu_usage_total`: Total CPU usage + `memory_rss`: Resident Set Size memory usage + `network_rx_bytes`: Network bytes received + `network_tx_bytes`: Network bytes transmitted + **namespace** (required): CloudWatch namespace where the metric is stored. Common values: + `"ContainerInsights"`: For container metrics + `"AWS/EC2"`: For EC2 instance metrics + `"AWS/EKS"`: For EKS control plane metrics + **minutes** (optional): Number of minutes to look back for metrics. Default: 15. Ignored if start\$1time is provided. + **start\$1time** (optional): Start time in ISO format (e.g., "2023-01-01T00:00:00Z"). If provided, overrides the minutes parameter. + **end\$1time** (optional): End time in ISO format (e.g., "2023-01-01T01:00:00Z"). If not provided, defaults to current time. + **limit** (optional): Maximum number of data points to return. Higher values (100-1000) provide more granular data but may impact performance. Default: 50. + **period** (optional): Period in seconds for the metric data points. Default: 60 (1 minute). Lower values (1-60) provide higher resolution but may be less available. + **stat** (optional): Statistic to use for the metric aggregation. Default: "Average". Valid values: + `Average`: Mean value during the period + `Sum:` Total value during the period + `Maximum`: Highest value during the period + `Minimum`: Lowest value during the period + `SampleCount`: Number of samples during the period. ## get\$1eks\$1metrics\$1guidance Get CloudWatch metrics guidance for specific resource types in EKS clusters. Useful for the agent when determining the correct dimensions to use with the get\$1cloudwatch\$1metrics tool. Parameters: + **resource\$1type** (required): Type of resource to get metrics for (cluster, node, pod, namespace, service). ## get\$1policies\$1for\$1role Retrieves all policies attached to a specified IAM role, including assume role policy, managed policies, and inline policies. Parameters: + **role\$1name** (required): Name of the IAM role to get policies for. The role must exist in your Amazon account. ## Full access (write) tools This section describes the read-only tools available for the EKS MCP Server. Note that (as of "today") all write Kubernetes API operations can access only: + **Public clusters** (endpointPublicAccess=true) ## manage\$1k8s\$1resource Manages a single Kubernetes resource with write operations (create, update, patch, or delete). Parameters: + **operation** (required): Operation to perform on the resource. Valid values: + `create:` Create a new resource + `replace`: Replace an existing resource + `patch`: Update specific fields of an existing resource + `delete`: Delete an existing resource + **Note**: Use read\$1k8s\$1resource for reading resources and list\$1k8s\$1resources for listing multiple resources. + **cluster\$1name** (required): Name of the EKS cluster where the resource is located or will be created. + **kind** (required): Kind of the Kubernetes resource (e.g., "Pod", "Service", "Deployment"). + **api\$1version** (required): API version of the Kubernetes resource (e.g., "v1", "apps/v1", "networking.k8s.io/v1"). + **body** (optional): Resource definition as a JSON string. Required for create, replace, and patch operations. For create and replace, this should be a complete resource definition. For patch, this should contain only the fields to update. + **name** (optional): Name of the Kubernetes resource. Required for all operations except create (where it can be specified in the body). + **namespace** (optional): Namespace of the Kubernetes resource. Required for namespaced resources. Not required for cluster-scoped resources (like Nodes, PersistentVolumes). ## apply\$1yaml Applies Kubernetes YAML manifests to an EKS cluster. Parameters: + **cluster\$1name** (required): Name of the EKS cluster where the resources will be created or updated. + **namespace** (required): Kubernetes namespace to apply resources to. Will be used for name-spaced resources that do not specify a namespace. + **yaml\$1content** (required): YAML content to apply to the cluster. Can contain multiple documents separated by '---'. + **force** (optional): Whether to update resources if they already exist (similar to kubectl apply). Set to false to only create new resources. ## manage\$1eks\$1stacks Manages EKS CloudFormation stacks with operations for generating templates, deploying, describing, and deleting EKS clusters and their underlying infrastructure. Cluster creation typically takes 15-20 minutes to complete. For deploy and delete operations, the stack must have been created by this tool (i.e., tagged with CreatedBy=EksMcpServer). Parameters: + **cluster\$1name** (required): Name of the EKS cluster (for generate, deploy, describe and delete operations). This name will be used to derive the CloudFormation stack name and will be embedded in the cluster resources. + **operation** (required): Operation to perform. Valid values: + `generate`: Generate a CloudFormation template + `deploy`: Deploy a CloudFormation stack (requires `template_content`) + `describe`: Describe/read a CloudFormation stack (read-only) + `delete`: Delete a CloudFormation stack + **template\$1content** (optional): CloudFormation template content (for deploy operations). This should be the complete YAML or JSON template content. Supports both single resources and multi-document YAML content separated by '---'. ## add\$1inline\$1policy Adds a new inline policy to an IAM role. Parameters: + **permissions** (required): Permissions to include in the policy as JSON strings representing IAM policy statements. Can be either a single JSON string or an array of JSON strings. + **policy\$1name** (required): Name of the inline policy to create. Must be unique within the role. + **role\$1name** (required): Name of the IAM role to add the policy to. The role must exist.