AgentCore Gateway to MCP Server
The connection generator can register an MCP server (either TypeScript or Python) as a target of an AgentCore Gateway.
Once connected, the Gateway aggregates the MCP server’s tools into its single MCP endpoint, evaluates calls against its Cedar policy engine, and signs outbound traffic to the MCP server with IAM SigV4.
Prerequisites
Before using this generator, ensure you have:
- An `agentcore-gateway` project
- An MCP server component (`ts#mcp-server` or `py#mcp-server`) created with `infra: agentcore` and `auth: iam`
The Gateway must have protocol: mcp and the MCP server must have auth: iam — the generator validates both. Non-IAM MCP servers cannot be attached because the Gateway signs outbound traffic with SigV4.
Run the Generator
- Install the Nx Console VSCode Plugin if you haven't already
- Open the Nx Console in VSCode
- Click `Generate (UI)` in the "Common Nx Commands" section
- Search for `@aws/nx-plugin - connection`
- Fill in the required parameters
- Click `Generate`
Or run the generator from the command line with your package manager:

```bash
pnpm nx g @aws/nx-plugin:connection
yarn nx g @aws/nx-plugin:connection
npx nx g @aws/nx-plugin:connection
bunx nx g @aws/nx-plugin:connection
```

You can also perform a dry-run to see what files would be changed:

```bash
pnpm nx g @aws/nx-plugin:connection --dry-run
yarn nx g @aws/nx-plugin:connection --dry-run
npx nx g @aws/nx-plugin:connection --dry-run
bunx nx g @aws/nx-plugin:connection --dry-run
```

Select the Gateway project as the source and the MCP server project as the target. If the MCP server project contains multiple components, specify `targetComponent` to disambiguate.
Options
| Parameter | Type | Default | Description |
|---|---|---|---|
| sourceProject Required | string | - | The source project |
| targetProject Required | string | - | The target project to connect to |
| sourceComponent | string | - | The source component to connect from (component name, path relative to source project root, or generator id). Use '.' to explicitly select the project as the source. |
| targetComponent | string | - | The target component to connect to (component name, path relative to target project root, or generator id). Use '.' to explicitly select the project as the target. |
| preferInstallDependencies | boolean | true | Whether to prefer installing dependencies after the generator runs. Set to false to defer installing when batching multiple generators (an install still runs if needed so subsequent generators can compute the Nx project graph); install once at the end. |
Generator Output
The generator wires existing projects together rather than emitting new source files. The following files are modified:
- packages/<gateway>
  - project.json: the Gateway’s `dev` target gains a dependency on the MCP server’s `<mcp>-dev`
  - local-dev.ts: `ATTACHED_MCP_SERVERS` updated so the local gateway aggregates the MCP server
The Gateway project’s dev target gains a dependency on the MCP server’s <mcp>-dev target, so running the Gateway locally also starts the MCP server. The MCP server is also registered in the Gateway project’s local-dev.ts so the local gateway aggregates its tools.
Adding the MCP server target to your stack
The generator cannot automatically wire the MCP server target into your infrastructure because it doesn’t know which stack or module instantiates the Gateway. Add a single call to gateway.addMcpServer(server) yourself.
In the stack where you instantiate the Gateway, register the MCP server as a target:
```ts
const myMcpServer = new MyMcpServer(this, 'MyMcpServer');
const myGateway = new MyGateway(this, 'MyGateway');

// Register the MCP server as a target of the Gateway. The target name
// defaults to the MCP server's `mcpServerName` (its class name in
// kebab-case, e.g. `MyMcpServer` -> `my-mcp-server`).
myGateway.addMcpServer(myMcpServer);
```

The Gateway target name (the MCP server’s `mcpServerName` by default) is used as the prefix for Cedar action names: the action format is `AgentCore::Action::"<targetName>___<toolName>"`. See the Writing Policies section. Keep the target name short and stable; changing it later invalidates any Cedar policies that reference the old name.
To override the default target name, pass gatewayTargetName:
```ts
myGateway.addMcpServer(myMcpServer, { gatewayTargetName: 'my-mcp' });
```

The construct configures the target with `iamCredentialProvider.service = 'bedrock-agentcore'` so the Gateway signs outbound calls using its own execution role.
In the Terraform file where you instantiate the Gateway, wire the MCP server target in:
```hcl
module "my_mcp_server" {
  source = "../../common/terraform/src/app/mcp-servers/my-mcp-server"
}

module "my_gateway" {
  source              = "../../common/terraform/src/app/gateways/my-gateway"
  policy_dependencies = [aws_bedrockagentcore_gateway_target.my_mcp_server.target_id]
}

# Register the MCP server as a target of the Gateway
resource "aws_bedrockagentcore_gateway_target" "my_mcp_server" {
  gateway_identifier = module.my_gateway.gateway_id
  name               = "my-mcp-server"

  target_configuration {
    mcp {
      mcp_server {
        endpoint = "https://bedrock-agentcore.${local.aws_region}.amazonaws.com/runtimes/${urlencode(module.my_mcp_server.agent_core_runtime_arn)}/invocations?qualifier=DEFAULT"
      }
    }
  }

  credential_provider_configuration {
    gateway_iam_role {
      service = "bedrock-agentcore"
    }
  }
}
```

The target name (`my-mcp-server` above) is used as the prefix for Cedar action names; see the Writing Policies section. `policy_dependencies` ensures Cedar policies referencing this target’s actions are created after the target has registered them.
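Because renaming a target invalidates Cedar policies that still use the old prefix, a check like the following can run over policy text before deployment. It is an added example, not code from the plugin; the tool names (`add`, `divide`), the sample policies and the function names are constructed, and it assumes the policies are available as plain text.

```typescript
// Added example (not part of @aws/nx-plugin). Finds Cedar action references
// whose target prefix does not match any registered Gateway target name.

interface ActionRef {
  target: string; // Gateway target name (prefix before "___")
  tool: string;   // MCP tool name (suffix after "___")
  line: number;   // 1-based line number in the policy text
}

// Action format stated on the page: AgentCore::Action::"<targetName>___<toolName>"
const ACTION_RE = /AgentCore::Action::"([^"]+)"/g;

function parseActionRefs(policyText: string): ActionRef[] {
  const refs: ActionRef[] = [];
  const lines = policyText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    ACTION_RE.lastIndex = 0; // global regex keeps state between exec() calls
    let m: RegExpExecArray | null;
    while ((m = ACTION_RE.exec(lines[i])) !== null) {
      // Split on the first "___" so tool names may themselves contain "___".
      const sep = m[1].indexOf('___');
      if (sep <= 0) continue; // not a <target>___<tool> action, skip it
      refs.push({ target: m[1].slice(0, sep), tool: m[1].slice(sep + 3), line: i + 1 });
    }
  }
  return refs;
}

// Returns every reference whose target prefix is not a registered target.
function findStaleRefs(policyText: string, registeredTargets: string[]): ActionRef[] {
  return parseActionRefs(policyText).filter(
    (ref) => registeredTargets.indexOf(ref.target) === -1,
  );
}

// Constructed sample: the target was renamed from "my-mcp-server" to "my-mcp",
// but the second policy still references the old prefix.
const SAMPLE_POLICIES = [
  'permit(principal, action == AgentCore::Action::"my-mcp___add", resource);',
  'permit(principal, action == AgentCore::Action::"my-mcp-server___divide", resource);',
].join('\n');

const stale = findStaleRefs(SAMPLE_POLICIES, ['my-mcp']);
for (const ref of stale) {
  console.log(`line ${ref.line}: "${ref.target}___${ref.tool}" has no matching target`);
}
```

Pass the names actually given to `addMcpServer` (or the Terraform `name` values) as `registeredTargets`, and fail the build when the returned list is non-empty.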
Local Development
Running the Gateway locally with:

```bash
pnpm nx dev <gateway-name>
yarn nx dev <gateway-name>
npx nx dev <gateway-name>
bunx nx dev <gateway-name>
```

starts a local gateway plus every attached MCP server on its assigned local port. The local gateway exposes a single MCP endpoint that aggregates the attached servers’ tools. Agents connected to the Gateway via the TypeScript or Python gateway-connection generators point at it when running with `LOCAL_DEV=true`.