Authentication Options
This guide outlines the different ways you can authenticate to AWS when using AWS Logs MCP.
AWS Authentication Methods
AWS Logs MCP supports multiple ways to provide AWS credentials, giving you flexibility based on your environment and security preferences.
AWS Profile (Recommended for Local Development)
AWS profiles are the simplest and most secure way to use AWS Logs MCP locally:
# Using a specific profile with AWS Logs MCP
AWS_PROFILE=my-profile-name npx -y aws-logs-mcp --stdio
Environment Variables
Provide credentials directly as environment variables:
# Direct credential usage
AWS_ACCESS_KEY_ID=your-access-key AWS_SECRET_ACCESS_KEY=your-secret-key npx -y aws-logs-mcp --stdio
# With temporary credentials (from STS)
AWS_ACCESS_KEY_ID=your-access-key AWS_SECRET_ACCESS_KEY=your-secret-key AWS_SESSION_TOKEN=your-session-token npx -y aws-logs-mcp --stdio
IAM Roles for AWS Services
When running the MCP server on AWS services, you can use IAM roles:
- EC2: Use instance profiles attached to your EC2 instance
- ECS/EKS: Use task/pod execution roles
- Lambda: Use Lambda execution roles
No explicit credentials are required:
npx -y aws-logs-mcp --stdio
SSO Authentication
If your organization uses AWS SSO:
Configure an SSO profile in your AWS config:
[profile sso-profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = SSOReadOnlyRole
region = us-east-1
[sso-session my-sso]
sso_region = us-east-1
sso_start_url = https://my-sso-portal.awsapps.com/start
Log in using the AWS CLI:
aws sso login --profile sso-profile
Use the profile with AWS Logs MCP:
AWS_PROFILE=sso-profile npx -y aws-logs-mcp --stdio
Required AWS Permissions
AWS Logs MCP requires the following minimum permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "cloudtrail:LookupEvents"
      ],
      "Resource": "*"
    }
  ]
}
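The policy above allows all four actions on `"Resource": "*"`. The variant below is an added example, not part of the AWS Logs MCP documentation, that limits the two log-reading actions to a single log group. It assumes the server only needs to read the constructed log group `/example/app`, in the account and region from the SSO example above. `cloudtrail:LookupEvents` does not support resource-level permissions, and `logs:DescribeLogGroups` is left on `*` as a list call.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListLogGroups",
      "Effect": "Allow",
      "Action": "logs:DescribeLogGroups",
      "Resource": "*"
    },
    {
      "Sid": "ReadExampleLogGroupOnly",
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/example/app:*"
    },
    {
      "Sid": "CloudTrailLookupNoResourceScoping",
      "Effect": "Allow",
      "Action": "cloudtrail:LookupEvents",
      "Resource": "*"
    }
  ]
}
```

Add one ARN to the `ReadExampleLogGroupOnly` statement for each additional log group the server should be able to read.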