# Connect an Amazon Bedrock AgentCore Gateway to Teleport

Teleport can provide secure access to MCP servers via the Teleport Application Service.

In this guide, you will:

1. Configure your Amazon Bedrock AgentCore Gateway to trust Teleport as its inbound identity provider.
2. Run the Amazon Bedrock AgentCore Gateway MCP Server.
3. Enroll the MCP server into your Teleport cluster and connect to it.

## How it works

The Amazon Bedrock AgentCore Gateway is configured to trust Teleport as its inbound identity provider. Teleport authenticates client requests and proxies them to the AgentCore Gateway, which then forwards the requests to the target MCP servers.

## Prerequisites

- A running Teleport (v18.7.0 or higher) cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md).

- The `tsh` client.

  **Installing the `tsh` client**

  1. Determine the version of your Teleport cluster. The `tsh` client must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

     ```
     $ TELEPORT_DOMAIN=teleport.example.com:443
     $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
     ```

  2. Follow the instructions for your platform to install the `tsh` client:

     **Mac**

     Download the signed macOS .pkg installer for Teleport, which includes the `tsh` client:

     ```
     $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg
     ```

     In Finder double-click the `pkg` file to begin installation.

     ---

     DANGER

     Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

     ---

     **Windows - Powershell**

     ```
     $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip
     ```

     Unzip the archive and move the `tsh` client to a directory on your `%PATH%`.

     NOTE: Do not place the `tsh` client in the System32 directory, as this can cause issues when using WinSCP. Use `%SystemRoot%` (`C:\Windows`) or `%USERPROFILE%` (`C:\Users\<username>`) instead.

     **Linux**

     All of the Teleport binaries in Linux installations include the `tsh` client. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation.md).

     ```
     $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ cd teleport
     $ sudo ./install
     Teleport binaries have been copied to /usr/local/bin
     ```

- Ability to configure your Amazon Bedrock AgentCore Gateway.
- An agent running the Teleport Application Service. If you have not yet done this, follow the [Getting Started guide](https://goteleport.com/docs/enroll-resources/mcp-access/getting-started.md).
- A Teleport user with sufficient permissions (e.g. the `mcp-user` role) to access MCP servers.

## Step 1/2. Configure Amazon Bedrock AgentCore Gateway

To change the **Inbound Auth Configurations** of your Amazon Bedrock AgentCore Gateway, open the gateway in the AWS Management Console and click the **Edit** button in the **Inbound Identity** section.

Select **Use JSON Web Tokens (JWT)** as the **Inbound Auth type** and select **Use existing Identity provider configurations** for **JWT schema configuration**. Note that these settings may not be modifiable after the gateway has been created, in which case you will need to create a new gateway.

Use the following as **Discovery URL**:

```
https://teleport.example.com/.well-known/openid-configuration
```

Replace teleport.example.com with your Teleport cluster name.

Use the following for **Allowed audiences** under **JWT Authorization Configuration**:

```
mcp+https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp
```

Replace `https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp` with your Gateway resource URL, which is available after the gateway is created. Note that this value (with the `mcp+` prefix) is also the application URI you will use to create the Teleport application.

Leave all other settings under **JWT Authorization Configuration**, such as **Allowed clients**, unset.

![Gateway Inbound Identity](/docs/assets/images/aws-bedrock-gateway-inbound-identity-a97dfdc61fdf1411e60dfa287aef4bf6.png)
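When the gateway rejects proxied requests, the usual cause is a mismatch between the token Teleport injects and the **Discovery URL** / **Allowed audiences** values above. The following added example (not part of this guide or of Teleport) decodes the ID token's claims and compares them with the values derived from your cluster name and Gateway URL. It assumes, as this guide implies, that Teleport issues the token with `iss` equal to `https://<cluster-name>` and `aud` equal to the application URI; signature verification against the JWKS behind the discovery URL remains the gateway's job and is not performed here.

```python
import base64
import json
import time

# Constructed values for the example; replace with your own cluster name and Gateway URL.
CLUSTER_NAME = "teleport.example.com"
GATEWAY_URL = "https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp"


def discovery_url(cluster_name):
    """OIDC discovery URL the gateway uses to fetch Teleport's signing keys."""
    return f"https://{cluster_name}/.well-known/openid-configuration"


def expected_audience(gateway_url):
    """Allowed audience: the Teleport app URI, i.e. the Gateway URL with an mcp+ prefix."""
    return f"mcp+{gateway_url}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload of a compact JWT without verifying its signature."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_claims(token, cluster_name, gateway_url, now=None):
    """Return the mismatches between the token and the gateway's inbound auth settings (empty if none)."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    issuer = f"https://{cluster_name}"  # assumption: issuer is the discovery URL's origin
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_audience(gateway_url) not in aud:
        problems.append(f"aud {aud!r} does not include {expected_audience(gateway_url)!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def constructed_token(claims):
    """Build a token with a placeholder signature for the example; real Teleport tokens are signed."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "signature-placeholder"])
```

To check a real token, capture the `Authorization: Bearer ...` value Teleport sends and pass it to `check_claims` with your own cluster name and Gateway URL.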

## Step 2/2. Connect via Teleport

You can register an MCP application in Teleport by defining it in your Teleport Application Service configuration, or by using dynamic registration with `tctl` or Terraform:

**Static configuration**

```
app_service:
  enabled: "yes"
  apps:
  - name: "bedrock-mcp"
    uri: "mcp+https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp"
    labels:
      env: dev
      service: "bedrock"
    rewrite:
      headers:
      - "Authorization: Bearer {{internal.id_token}}"
```

Restart the Application Service.

**tctl**

Create an `app` resource definition file named `app-bedrock-mcp.yaml`:

```
# app-bedrock-mcp.yaml
kind: app
version: v3
metadata:
  name: "bedrock-mcp"
  labels:
    env: dev
    service: "bedrock"
spec:
  uri: "mcp+https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp"
  rewrite:
    headers:
    - name: "Authorization"
      value: "Bearer {{internal.id_token}}"
```

Create the `app` resource with:

```
$ tctl create -f app-bedrock-mcp.yaml
```

**Terraform**

Create a `teleport_app` resource in Terraform:

```
resource "teleport_app" "bedrock" {
  version = "v3"
  metadata = {
    name = "bedrock-mcp"
    labels = {
      "teleport.dev/origin" = "dynamic"
      "env"                 = "dev"
      "service"             = "bedrock"
    }
  }

  spec = {
    uri = "mcp+https://your-mcp-gateway.bedrock-agentcore.us-east-1.amazonaws.com/mcp"
    rewrite = {
      headers = [{
        name  = "Authorization"
        value = "Bearer {{internal.id_token}}"
      }]
    }
  }
}
```

Apply the configuration:

```
$ terraform apply
```

To grant access to the MCP server and all its tools, assign the preset `mcp-user` role to your Teleport user.

Optionally, you can limit which MCP tools the user can access by adjusting the `mcp.tools` list in their role. For example:

```
kind: role
version: v8
metadata:
  name: bedrock-mcp-readonly
spec:
  allow:
    app_labels:
      'service': 'bedrock'
    mcp:
      # Adjust this list based on the MCP tools exposed by the gateway’s targets.
      tools:
      - ^(get|query|list|search|find)_.*$
```

Now wait until the application appears in `tsh mcp ls`, then configure your MCP clients to access the MCP server, for example:

```
$ tsh mcp config bedrock-mcp --client-config claude
```

After configuring your MCP client, the Amazon Bedrock AgentCore Gateway tools are exposed through the `teleport-mcp-bedrock-mcp` MCP server. You can now use these tools in your MCP clients to interact with the Amazon Bedrock AgentCore Gateway via Teleport.

## Next steps

- Review [Enroll a Streamable-HTTP MCP Server](https://goteleport.com/docs/enroll-resources/mcp-access/enrolling-mcp-servers/streamable-http.md).
- See the [dynamic registration](https://goteleport.com/docs/enroll-resources/mcp-access/dynamic-registration.md) guide.
- Learn more about [Egress JWT Authentication](https://goteleport.com/docs/enroll-resources/mcp-access/jwt.md).
- Connect your [MCP clients](https://goteleport.com/docs/connect-your-client/model-context-protocol/mcp-access.md).
