Skip to content

RFC: Microsoft SQL Server MCP Server #2885

Open
Open
RFC: Microsoft SQL Server MCP Server#2885
Labels
RFC-proposalA Request for Comments to announce intentions and get early feedback (mainly for new MCP servers)needs-triageThis needs to be handled, it is the first automatically assigned label to issues.
@RobinGolden

Description

@RobinGolden
RobinGolden
opened on Apr 7, 2026

Is this related to an existing feature request or issue?

No response

Summary

This RFC proposes the development of a Model Context Protocol server for Microsoft SQL Server databases hosted on AWS RDS. The server will provide a safe, read-optimized interface for schema exploration, query execution, and database introspection by leveraging AWS Secrets Manager for credential management and connection pooling for performance. It enables AI assistants to interact with SQL Server instances without requiring direct database credentials or complex connection management on the client side.

Use case

  • Schema Exploration: Developers and DBAs can retrieve table schemas, column metadata, and data types without writing queries against INFORMATION_SCHEMA manually.
  • Safe Query Execution: Users can run parameterized read queries against SQL Server databases, with the server enforcing read-only access by default to prevent unintended data modification.
  • Connection Management: AI assistants can establish and cache database connections via AWS Secrets Manager, abstracting away credential handling and connection lifecycle from the calling agent.

Proposal

Experience Before

Developers and AI agents needing to introspect or query a SQL Server database on RDS must:

  • Manage connection strings and credentials manually or retrieve them from Secrets Manager themselves
  • Implement SQL injection protections and read-only enforcement at the application layer
  • Handle connection pooling, retries, and TLS configuration independently
  • Have knowledge of SQL Server's INFORMATION_SCHEMA views to retrieve schema metadata

Experience After

With the proposed MCP server:

  • AI assistants can connect to SQL Server with a single tool call using an RDS instance identifier, with credentials fetched automatically from Secrets Manager
  • Example: "What columns are in the dbo.Orders table?"
  • Example: "Show me the top 10 most recent orders from the orders table."
  • Example: "Is the database currently connected and what instance is it using?"

Out of scope

  • Executing data-modifying queries (INSERT, UPDATE, DELETE, DDL) unless explicitly enabled via --allow_write_query
  • Support for self-managed (non-RDS) SQL Server instances
  • SQL Server-specific performance monitoring or query plan analysis
  • Integration with CloudWatch or RDS Performance Insights
  • Schema migrations or database administration tooling
  • Cross-database or linked server queries

Potential challenges

Security and Injection Prevention:
SQL Server's T-SQL dialect supports complex syntax including bracket-quoted identifiers, multi-statement batches, and dynamic SQL. Detecting all injection vectors while avoiding false positives on legitimate queries requires careful pattern design.

TLS/Certificate Handling:
RDS SQL Server instances use AWS-issued certificates. Configuring pymssql to validate these certificates correctly — particularly across different OS trust stores and RDS CA bundle versions — requires explicit handling and documentation.

Connection Pool Reliability:
pymssql's connection pooling behavior under network interruptions or RDS failover events must be handled gracefully. The pool refresh mechanism must balance connection reuse against stale connection detection.

Read-Only Enforcement:
Unlike PostgreSQL's SET default_transaction_read_only, SQL Server has no server-side read-only transaction mode. Read-only enforcement relies on keyword blocking, which must be kept comprehensive as T-SQL evolves.

Dependencies and Integrations

AWS Services:

  • Amazon RDS (SQL Server engine)
  • AWS Secrets Manager (MasterUserSecret credential retrieval)
  • IAM (for Secrets Manager access permissions)

Database Access:

  • Read-only SQL Server connection via pymssql
  • INFORMATION_SCHEMA views for schema metadata
  • Parameterized query execution with type-safe binding

Runtime:

  • Python 3.10+
  • FastMCP framework
  • pymssql for SQL Server connectivity
  • aiorwlock for async connection pool synchronization
  • boto3 for AWS service integration

Model Context Protocol:

  • Five MCP tools: connect_to_database, is_database_connected, get_database_connection_info, run_query, get_table_schema

Alternative solutions

Existing database MCP servers in this repository (Aurora, MySQL, PostgreSQL) cover open-source and AWS-native engines. SQL Server is a widely used commercial database with a distinct wire protocol (TDS), T-SQL dialect, and Windows-heritage security model that is not served by those implementations. A dedicated server is necessary to address SQL Server's unique connectivity requirements and AWS RDS integration patterns.

Metadata

Metadata

Assignees

No one assigned

    Labels

    RFC-proposalA Request for Comments to announce intentions and get early feedback (mainly for new MCP servers)needs-triageThis needs to be handled, it is the first automatically assigned label to issues.

    Type

    No type

    Projects

    awslabs/mcp Project

    Status

    To triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions