
Connect an Amazon Bedrock AgentCore Gateway to Teleport


Teleport can provide secure access to MCP servers via Teleport Application Service.

In this guide, you will:

  1. Configure your Amazon Bedrock AgentCore Gateway service for access by the MCP server.
  2. Run the Amazon Bedrock AgentCore Gateway MCP Server.
  3. Enroll the MCP server into your Teleport cluster and connect to it.

How it works

The Amazon Bedrock AgentCore Gateway is configured to trust Teleport as its inbound identity provider. Teleport authenticates client requests and proxies them to the AgentCore Gateway, which then forwards the requests to the target MCP servers.

Prerequisites

  • A running Teleport (v18.7.0 or higher) cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tsh client.

    Installing tsh client
    1. Determine the version of your Teleport cluster. The tsh client must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

      TELEPORT_DOMAIN=teleport.example.com:443
      TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
    2. Follow the instructions for your platform to install tsh client:

      Download the signed macOS .pkg installer for Teleport, which includes the tsh client:

      curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg

      In Finder double-click the pkg file to begin installation.

      Danger: Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

  • Ability to configure your Amazon Bedrock AgentCore Gateway
  • An agent running the Teleport Application Service. If you have not yet done this, follow the Getting Started guide.
  • A Teleport user with sufficient permissions (e.g. role mcp-user) to access MCP servers.

Step 1/2. Configure Amazon Bedrock AgentCore Gateway

To change the Inbound Auth Configurations of your Amazon Bedrock AgentCore gateway, go to your gateway in the AWS Management Console and click the Edit button in the Inbound Identity section.

Select Use JSON Web Tokens (JWT) as the Inbound Auth type and select Use existing Identity provider configurations for the JWT schema configuration. Note that these settings may not be editable after the gateway has been created; in that case you need to create a new gateway.

Use the following as Discovery URL:

https://teleport.example.com/.well-known/openid-configuration

Replace teleport.example.com with your Teleport cluster name.

Use the following for Allowed audiences under JWT Authorization Configuration:

mcp+https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp

Replace https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp with your Gateway resource URL, which is available after the gateway is created. Note that this value is also the application URI you will use to create the Teleport application.

Leave all other settings under JWT Authorization Configuration, such as Allowed clients, unselected: the gateway should accept tokens based only on the issuer (the Discovery URL) and the audience above.
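The gateway's inbound JWT authorizer accepts a request only when the token's issuer matches the Discovery URL's issuer and its aud claim contains the allowed audience exactly (including the mcp+ prefix). The following script is an added illustration of those claim checks and is not code from Teleport or from AWS; it assumes the ID token carries the gateway URI as its aud claim (as the Allowed audiences setting implies) and deliberately skips signature verification, which the gateway performs against the JWKS published under the discovery URL. The token and endpoint values are constructed placeholders taken from the guide.

```python
import base64
import json
import time

# Constructed placeholders mirroring the guide (not real endpoints).
TELEPORT_ISSUER = "https://teleport.example.com"
GATEWAY_AUDIENCE = "mcp+https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is NOT verified here: the gateway verifies it against the
    JWKS referenced by the OIDC discovery document. This only exposes claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_inbound_claims(claims: dict, issuer: str, audience: str, now=None) -> list:
    """Apply the issuer, audience and expiry checks an OIDC JWT authorizer makes.

    Returns a list of failure reasons; an empty list means the claims pass.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss %r != expected %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud")
    # aud may be a single string or a list of strings (RFC 7519 section 4.1.3).
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        problems.append("aud %r does not contain %r" % (aud, audience))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or missing exp")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned test token (empty signature segment).

    Useful only for exercising the claim checks above; a real gateway would
    reject it because the signature does not verify.
    """
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims))


if __name__ == "__main__":
    # A token whose audience lacks the mcp+ prefix is the typical misconfiguration.
    token = make_unsigned_token({"iss": TELEPORT_ISSUER,
                                 "aud": GATEWAY_AUDIENCE[len("mcp+"):],
                                 "exp": int(time.time()) + 300})
    for problem in check_inbound_claims(decode_claims(token), TELEPORT_ISSUER, GATEWAY_AUDIENCE):
        print("rejected:", problem)
```

If the gateway returns an authorization error after the Teleport application is registered, decoding the token Teleport injects in the Authorization header and running these checks against your configured Discovery URL and Allowed audiences is the quickest way to see which claim disagrees with the gateway configuration.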

Step 2/2. Connect via Teleport

You can register an MCP application in Teleport by defining it in your Teleport Application Service configuration, or by using dynamic registration with tctl or Terraform:

app_service:
  enabled: "yes"
  apps:
  - name: "bedrock-mcp"
    uri: "mcp+https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp"
    labels:
      env: dev
      service: "bedrock"
    rewrite:
      headers:
      - "Authorization: Bearer {{internal.id_token}}"

Restart the Application Service.

To grant access to the MCP server and all its tools, assign the preset mcp-user role to your Teleport user.

Optionally, you can limit which MCP tools the user can access by adjusting the mcp.tools list in their role. For example:

kind: role
version: v8
metadata:
  name: bedrock-mcp-readonly
spec:
  allow:
    app_labels:
      'service': 'bedrock'
    mcp:
      # Adjust this list based on the MCP tools exposed by the gateway's targets.
      tools:
      - ^(get|query|list|search|find)_.*$
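The entries under mcp.tools are regular expressions, and the anchors in the guide's pattern are what keep the allow list tight. The script below is an added example, not Teleport code: it evaluates a role's tool patterns against a constructed list of tool names under search semantics (an assumption made so that the anchors matter; Teleport's exact matching rules are not described on this page) and contrasts the anchored pattern with an unanchored one that quietly admits extra tools.

```python
import re

# Constructed tool names of the kind a gateway target might expose (not from any real gateway).
SAMPLE_TOOLS = [
    "get_order", "list_orders", "search_catalog", "query_inventory",
    "create_order", "delete_order", "forget_customer",
]

# The anchored allow list from the role example above, and a careless unanchored variant.
READONLY_PATTERNS = [r"^(get|query|list|search|find)_.*$"]
UNANCHORED_PATTERNS = [r"get_.*"]


def allowed_tools(patterns, tools):
    """Return the tools an mcp.tools allow list admits.

    Assumption: each entry is a regular expression applied with search
    semantics, so an unanchored pattern can match inside a longer tool name.
    """
    compiled = [re.compile(p) for p in patterns]
    return [t for t in tools if any(c.search(t) for c in compiled)]


def denied_tools(patterns, tools):
    """Complement of allowed_tools, handy for reviewing what a role blocks."""
    allowed = set(allowed_tools(patterns, tools))
    return [t for t in tools if t not in allowed]


if __name__ == "__main__":
    print("anchored allows:  ", allowed_tools(READONLY_PATTERNS, SAMPLE_TOOLS))
    print("anchored denies:  ", denied_tools(READONLY_PATTERNS, SAMPLE_TOOLS))
    # 'forget_customer' slips through because 'get_customer' is a substring of it.
    print("unanchored allows:", allowed_tools(UNANCHORED_PATTERNS, SAMPLE_TOOLS))
```

Review the denied list as well as the allowed one when tightening a role: the useful check is that every mutating tool the gateway exposes lands on the denied side, not merely that the expected read-only tools are admitted.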

Now wait until the application appears in tsh mcp ls, then configure your MCP clients to access the MCP server, for example:

tsh mcp config bedrock-mcp --client-config claude

After configuring your MCP client, you will find the Amazon Bedrock AgentCore Gateway tools listed under the teleport-mcp-bedrock-mcp server entry. You can now use these tools to interact with the Amazon Bedrock AgentCore Gateway via Teleport from your MCP clients.

Next steps