AWS IAM Identity Center MCP Server
The AWS IAM Identity Center MCP server lets your AI agents discover the AWS accounts and roles available to the authenticated user through AWS SSO. Agents can list accessible accounts and enumerate the permission sets (roles) available in each account — all read-only.
Capabilities
| Tool | What It Does |
|---|---|
| List accounts | List AWS accounts accessible to the authenticated user through IAM Identity Center |
| List account roles | List the permission sets (roles) available in a specific AWS account |
📝 Note: These tools provide discovery only — they show which accounts and roles the user can access, but do not assume roles or make AWS API calls on your behalf.
OAuth Setup
The AWS IAM Identity Center MCP server uses OIDC (OpenID Connect) to authenticate through your organization's IAM Identity Center instance.
Step 1: Register an OIDC Application
- Sign in to the AWS Management Console and go to IAM Identity Center.
- Navigate to Applications > Add application.
- Select OAuth 2.0 or OIDC as the application type.
- Enter a name (for example, "Devs AI").
- Enter the redirect URL provided by your Devs.ai platform administrator.
- Under scopes, add
sso:account:access.
Step 2: Get Your Credentials
- After creating the application, copy the Client ID and Client Secret (or issuer URL, depending on your configuration).
Step 3: Configure in Devs.ai
- Navigate to Organization > Connectors in Devs.ai.
- Find the AWS IAM Identity Center template and click Enable.
- Select OAuth as the authentication type.
- Enter your Client ID and Client Secret (or OIDC Issuer URL) from Step 2.
- Select the tools you want to make available.
- Click Save.
When a user first interacts with an agent connected to AWS IAM Identity Center, they will be prompted to authorize access through their organization's SSO flow.
OAuth Configuration Reference
| Field | Value |
|---|---|
| Authorization URL | Your IAM Identity Center OIDC issuer URL |
| Token URL | Your IAM Identity Center OIDC token endpoint |
| Scopes | sso:account:access |
📝 Note: The exact OIDC URLs depend on your AWS region and IAM Identity Center configuration. Your AWS administrator can provide the issuer URL.