Configuration
This guide covers the configuration options for AWS Logs MCP.
Environment Variables
AWS Logs MCP is configured primarily through environment variables. Create a .env file in the root directory or set these variables in your environment.
Basic Server Configuration
Variable | Description | Default |
---|---|---|
PORT | Port for the MCP server (HTTP mode only) | 3000 |
NODE_ENV | Environment (development/production) | development |
MCP_TRANSPORT | Transport mode (stdio or HTTP) | HTTP |
AWS Authentication Options
Choose one of these authentication methods:
Variable | Description | Default |
---|---|---|
AWS_REGION | AWS region | us-east-1 |
AWS_PROFILE | AWS profile name (recommended method) | |
AWS_ACCESS_KEY_ID | AWS access key ID (for direct credentials) | |
AWS_SECRET_ACCESS_KEY | AWS secret access key (for direct credentials) | |
AWS_SESSION_TOKEN | AWS session token (optional, for temporary credentials) | |
AWS_CREDENTIAL_PROVIDER | Override credential provider (env, profile, process, default) | default |
Advanced Configuration
Variable | Description | Default |
---|---|---|
LOG_LEVEL | Logging level (debug, info, warn, error) | info |
HEALTH_CHECK_PATH | Health check endpoint path | /health |
MAX_LOG_ENTRIES | Maximum log entries per request | 100 |
ENABLE_CLOUDWATCH_METRICS | Enable sending metrics to CloudWatch | false |
CLOUDWATCH_METRICS_NAMESPACE | CloudWatch namespace for metrics | AwsLogsMcp |
AWS Credentials
The server supports multiple AWS credential providers for secure AWS access:
Authentication Methods
AWS Profile (Recommended)
Use profiles from your AWS CLI configuration:
# .env file
AWS_PROFILE=your_profile_name
AWS_REGION=us-east-1
This is the most secure method as it:
- Uses your existing AWS CLI configuration
- Supports credential rotation
- Works with SSO and other advanced authentication methods
- Can use profiles with MFA
IAM Credentials
Directly provide credentials:
# .env file
AWS_ACCESS_KEY_ID=your_access_key_id
AWS_SECRET_ACCESS_KEY=your_secret_access_key
AWS_REGION=us-east-1
# Optional, for temporary credentials
AWS_SESSION_TOKEN=your_session_token
IAM Role (Auto-detected)
When running on AWS services (EC2, ECS, Lambda), the server automatically uses the attached IAM role.
Just specify the region:
# .env file
AWS_REGION=us-east-1
Advanced Configuration
Process-Based Credentials
To use a credential_process entry configured in ~/.aws/config:
AWS_CREDENTIAL_PROVIDER=process
Default Credential Chain
Uses the AWS SDK default credential provider chain, which tries environment variables, profile, EC2 instance profiles, and more:
AWS_CREDENTIAL_PROVIDER=default
Security Considerations
- Your AWS credentials remain on your local machine
- Credentials are only used for accessing AWS services
- MCP servers never expose credentials to AI models
- Only grant the minimum permissions needed
- Consider using temporary credentials where possible
Logging Configuration
Configure logging behavior with:
LOG_LEVEL=info # Options: debug, info, warn, error
In development, debug provides detailed logs. In production, info is generally preferred.
Server Configuration
Basic server settings:
PORT=3000
HEALTH_CHECK_PATH=/health
Limit Configuration
Control limits to prevent excessive resource usage:
MAX_LOG_ENTRIES=100
CloudWatch Metrics
Enable CloudWatch metrics for monitoring:
ENABLE_CLOUDWATCH_METRICS=true
CLOUDWATCH_METRICS_NAMESPACE=AwsLogsMcp
Note
Enabling CloudWatch metrics requires IAM permission for the CloudWatch PutMetricData action (cloudwatch:PutMetricData).
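The script below audits a .env file against the guidance on this page: one authentication method, temporary rather than long-lived credentials, info logging in production, and values drawn from the documented options. It is an added example, not code from AWS Logs MCP; parseEnv and auditEnv are hypothetical helper names, the validation rules are assumptions derived from the tables above, and the sample values are constructed placeholders.

```javascript
// Added example: audits .env text against this page's guidance.
// parseEnv and auditEnv are hypothetical names, not part of AWS Logs MCP.

// Parse KEY=value lines: skip blanks and # comments, strip inline comments and quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue;
    const value = line.slice(eq + 1).replace(/\s+#.*$/, "").trim();
    env[line.slice(0, eq).trim()] = value.replace(/^(['"])(.*)\1$/, "$2");
  }
  return env;
}

function auditEnv(text) {
  // Defaults are the ones listed in the tables on this page.
  const env = { NODE_ENV: "development", LOG_LEVEL: "info", MAX_LOG_ENTRIES: "100",
                AWS_CREDENTIAL_PROVIDER: "default", ...parseEnv(text) };
  const findings = [];
  const hasId = Boolean(env.AWS_ACCESS_KEY_ID);
  const hasSecret = Boolean(env.AWS_SECRET_ACCESS_KEY);
  if ((hasId || hasSecret) && env.AWS_PROFILE)
    findings.push("AWS_PROFILE and direct credentials both set; choose one method");
  if (hasId !== hasSecret)
    findings.push("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together");
  if ((hasId || hasSecret) && !env.AWS_SESSION_TOKEN)
    findings.push("direct credentials without AWS_SESSION_TOKEN are long-lived; prefer AWS_PROFILE or temporary credentials");
  if (!["env", "profile", "process", "default"].includes(env.AWS_CREDENTIAL_PROVIDER))
    findings.push(`unknown AWS_CREDENTIAL_PROVIDER: ${env.AWS_CREDENTIAL_PROVIDER}`);
  if (!["debug", "info", "warn", "error"].includes(env.LOG_LEVEL))
    findings.push(`unknown LOG_LEVEL: ${env.LOG_LEVEL}`);
  else if (env.NODE_ENV === "production" && env.LOG_LEVEL === "debug")
    findings.push("LOG_LEVEL=debug in production; info is generally preferred");
  if (!/^[1-9]\d*$/.test(env.MAX_LOG_ENTRIES))
    findings.push(`MAX_LOG_ENTRIES must be a positive integer, got: ${env.MAX_LOG_ENTRIES}`);
  return findings;
}

// Constructed sample input with placeholder values (not real credentials).
const sampleEnv = `NODE_ENV=production
AWS_PROFILE=your_profile_name
AWS_ACCESS_KEY_ID=your_access_key_id
AWS_SECRET_ACCESS_KEY=your_secret_access_key
LOG_LEVEL=debug # Options: debug, info, warn, error
MAX_LOG_ENTRIES=lots`;
for (const finding of auditEnv(sampleEnv)) console.log("WARN:", finding);
```

Running it in CI or a pre-start hook surfaces these misconfigurations before the server loads the file.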