Serverless Model Context Protocol implementation enabling administrative registration and management of tools, IAM permission control, and client-side SSE connections for command execution and streaming responses using AWS Lambda.
Unlock the full potential of MCP Lambda Server through LangDB's AI Gateway. Get enterprise-grade security, analytics, and seamless integration with zero configuration.
Free tier available • No credit card required
Discover shared experiences
Model Context Protocol (MCP) implementation using AWS Lambda and SAM.
This project provides a serverless implementation of the Model Context Protocol, with two distinct interfaces:
System Configuration (Administrative):
System Usage (Client):
You can visualize the system using this Mermaid syntax:
graph TD Client --> MCP[/"MCP Lambda (/sse & /message)"/] MCP -->|read/write| SessionTable[(Session Table)] MCP -->|query| RegistrationTable[(Registration Table)] MCP -->|invoke| RegisteredLambda["Registered Lambda Tool"] Admin[Administrator] --> RegistrationLambda[/"Registration Lambda (/register)"/] RegistrationLambda -->|write| RegistrationTable
This section is for system administrators who need to configure and manage the MCP server.
npx @markvp/mcp-lambda-sam deploy
The command will interactively prompt for administrative configuration:
To access MCP endpoints, users and clients must have IAM permission to invoke the relevant Function URLs.
mcp-registration
function URLmcp
function URLYou can grant access using either an IAM policy or aws lambda add-permission
(see below).
To grant permission to invoke the registration function URL:
aws lambda add-permission \ --function-name \ --statement-id allow-registration \ --action lambda:InvokeFunctionUrl \ --principal "*" \ --function-url-auth-type IAM
To grant permission to invoke the MCP function URL (SSE and message):
aws lambda add-permission \ --function-name \ --statement-id allow-mcp \ --action lambda:InvokeFunctionUrl \ --principal "*" \ --function-url-auth-type IAM
Replace and
with the actual Lambda function names.
Use these endpoints to manage MCP tools, resources, and prompts:
awscurl -X POST ${REGISTRATION_URL}/register \ --region ap-southeast-2 \ --service lambda \ -H "Content-Type: application/json" \ -d '{ "type": "tool", "name": "example", "description": "Example tool", "lambdaArn": "arn:aws:lambda:region:account:function:name", "parameters": { "input": "string" } }'
awscurl -X PUT ${REGISTRATION_URL}/register/{id} \ --region ap-southeast-2 \ --service lambda \ -d '...'
awscurl -X DELETE ${REGISTRATION_URL}/register/{id} \ --region ap-southeast-2 \ --service lambda
awscurl ${REGISTRATION_URL}/register \ --region ap-southeast-2 \ --service lambda
Administrators need these permissions to manage registrations:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "lambda:InvokeFunctionUrl", "Resource": "arn:aws:lambda:${region}:${account}:function:${stack-id}-mcp-registration", "Condition": { "StringEquals": { "lambda:FunctionUrlAuthType": "AWS_IAM" } } }] }
This section is for clients who want to use the MCP server.
Clients need these permissions to use the MCP server:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "lambda:InvokeFunctionUrl", "Resource": [ "arn:aws:lambda:${region}:${account}:function:${stack-id}-mcp", ], "Condition": { "StringEquals": { "lambda:FunctionUrlAuthType": "AWS_IAM" } } } ] }
const sse = new EventSource(SSE_URL, { headers: { Authorization: 'AWS4-HMAC-SHA256 ...', // Must be AWS SigV4 signed } }); sse.onmessage = (event) => { console.log(JSON.parse(event.data)); };
awscurl -X GET "${MCP_URL}/sse" \ --region ap-southeast-2 \ --service lambda
The first event will include a sessionId
. Use this when sending messages.
awscurl -X POST "${MCP_URL}/message?sessionId=session-123" \ --region ap-southeast-2 \ --service lambda \ -H "Content-Type: application/json" \ -d '{ "jsonrpc": "2.0", "id": "1", "method": "example", "params": { "input": "hello" } }'
401
: Invalid/missing AWS credentials403
: Insufficient permissions404
: Invalid session ID429
: Rate limit exceededConnection Issues:
Command Execution Errors:
To deploy this application locally or to AWS using the AWS SAM CLI:
sam --version
sam build sam deploy --guided
You can rerun sam deploy
without --guided
to use saved configuration.
You can install and deploy this application in four ways:
The easiest way to deploy the MCP server is through the AWS Serverless Application Repository (SAR):
StackIdentifier
: Unique ID for this MCP server instanceVpcEnabled
: Set to true
if deploying in a VPCVpcId
and SubnetIds
: Provide only if VpcEnabled
is true
Alternatively, you can deploy from the AWS CLI:
aws serverlessrepo create-cloud-formation-change-set \ --application-id arn:aws:serverlessrepo:ap-southeast-2:522814717816:applications/mcp-lambda-sam \ --stack-name your-stack-name \ --capabilities CAPABILITY_IAM \ --parameter-overrides '[{"name":"StackIdentifier","value":"your-stack-id"}]'
npx @markvp/mcp-lambda-sam deploy
The command will interactively prompt for administrative configuration:
Install the package:
npm install @markvp/mcp-lambda-sam
After installing the package, you can use it programmatically:
import { deploy } from '@markvp/mcp-lambda-sam'; // Usage example deploy();
Install the package:
npm install @markvp/mcp-lambda-sam
After making development changes, you can deploy it manually:
npm run deploy
# Install dependencies npm install # Lint npm run lint # Run tests npm test # Build npm run build # Deploy npm run deploy
If you're contributing to this project and need to publish updates to SAR:
npm run package:sar
npm run publish:sar
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "serverlessrepo:CreateCloudFormationTemplate", "Resource": "arn:aws:serverlessrepo:${region}:${account-id}:applications/mcp-lambda-sam" } ] }
MIT
Shared threads will appear here, showcasing real-world applications and insights from the community. Check back soon for updates!