Description
Describe the feature (Security related? please follow https://github.com/aws/mcp-proxy-for-aws/security/policy to report them to AWS Security directly.)
When configuring the MCP proxy with an AWS profile that uses an assumed IAM role (chained credentials), the connection fails with a timeout error.
Logs (Assumed Role Profile):
2026-02-12 16:07:44.808 [info] [eks-mcp] Configuration changed for MCP server, reconnecting
2026-02-12 16:07:44.809 [info] [eks-mcp] Registering MCP server and starting connection
2026-02-12 16:08:44.977 [info] [eks-mcp] MCP connection closed successfully
2026-02-12 16:08:44.978 [error] [eks-mcp] Error connecting to MCP server: MCP error -32001: Request timed out
However, when using an AWS profile backed by a direct IAM user (static credentials, no role assumption), the connection succeeds.
Logs (IAM User Profile):
2026-02-13 20:01:46.900 [info] [eks-mcp] MCP server is already connecting
2026-02-13 20:01:56.266 [info] [eks-mcp] Connected to server with transport type: Stdio
2026-02-13 20:01:58.092 [info] [eks-mcp] Successfully connected and synced tools and resources for MCP server
Expected Behavior:
The MCP proxy should support AWS profiles that use assumed IAM roles (including chained credentials), similar to how the AWS CLI and SDKs handle them.
Questions:
- Are assumed-role profiles officially supported?
- If not, is this a known limitation for security reasons?
- Would supporting MFA-authenticated role sessions resolve security concerns?
- Is there any additional configuration required for chained role profiles?
Use Case
I’m interested in using the fully managed EKS MCP server provided by AWS. In our organization, access to EKS and related resources is granted exclusively through assumed IAM roles.
I expect this is a common setup across many organizations, where IAM roles (rather than long-lived IAM user credentials) are required for interacting with AWS services. Enabling support for assumed-role profiles in the MCP proxy would therefore benefit a broader segment of the AWS community that relies on role-based access controls.
Proposed Solution
No response
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
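For triage, the two profile types compared in this report can be told apart from the AWS config file itself. The following is an added example, not part of the original issue or of the mcp-proxy-for-aws code base: it walks the standard `role_arn` / `source_profile` / `mfa_serial` keys to show how many role hops a profile involves and whether any hop needs MFA. It reads only config-file text, and the sample profiles, account IDs and ARNs are constructed; it does not diagnose the timeout.

```python
import configparser

# Constructed ~/.aws/config sample; profile names, account IDs and ARNs are made up.
SAMPLE_CONFIG = """
[profile iam-user]
region = us-east-1

[profile base-role]
role_arn = arn:aws:iam::111111111111:role/Base
source_profile = iam-user

[profile eks-admin]
role_arn = arn:aws:iam::222222222222:role/EksAdmin
source_profile = base-role
mfa_serial = arn:aws:iam::111111111111:mfa/alice
"""


def describe_profile(config_text, name):
    """Follow role_arn/source_profile links and summarise how `name` gets credentials."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(config_text)
    roles, needs_mfa, seen, current = [], False, set(), name

    def result(kind, base):
        return {"kind": kind, "roles": roles, "needs_mfa": needs_mfa, "base": base}

    while True:
        section = current if current == "default" else f"profile {current}"
        if not cp.has_section(section):
            # May still exist in ~/.aws/credentials, which this sketch does not read.
            return result("not-in-config", current)
        if current in seen:
            return result("cycle", current)
        seen.add(current)
        opts = cp[section]
        if "role_arn" not in opts:
            # No role here: credentials come from this profile itself.
            return result("assumed-role" if roles else "direct", current)
        roles.append(opts["role_arn"])
        needs_mfa = needs_mfa or "mfa_serial" in opts
        if "source_profile" not in opts:
            # credential_source or web identity: base is outside the config file.
            return result("assumed-role", None)
        current = opts["source_profile"]


if __name__ == "__main__":
    for profile in ("iam-user", "base-role", "eks-admin"):
        print(profile, describe_profile(SAMPLE_CONFIG, profile))
```

A profile reported with `needs_mfa` set requires an MFA token code when the role is assumed, which is worth noting in a bug report about a process launched over stdio.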