AWS Labs MySQL MCP Server
The AWS Labs MySQL Model Context Protocol (MCP) server enables AI agents and LLM applications to interact with MySQL databases, converting natural language questions into MySQL-compatible SQL queries. It's an active project by AWS Labs, with frequent updates, and currently at version 1.0.17. It integrates with various MCP-compatible AI clients/IDEs like Kiro, Cursor, and VS Code, extending their capabilities to manage and query MySQL databases securely.
Common errors
- Error: 'db_connection' object has no attribute 'readonly_query' or similar database connection attribute error.
  cause: MCP clients (e.g., Amazon Q) might incorrectly pass `db_connection` parameters as strings rather than the expected object, or there's a mismatch in how the client expects to provide connection details versus how the server expects to receive them.
  fix: Ensure your MCP client is updated to its latest version. Verify your MCP client's configuration for the MySQL MCP server matches the expected input format for connection parameters (resource_arn/secret_arn or hostname/port/database/secret_arn). This issue has been noted and appears to have received fixes or workarounds in newer versions.
- AccessDeniedException: User is not authorized to perform <action> on resource <resource_ARN>
  cause: The AWS credentials used by the MCP server lack the necessary IAM permissions to access the specified AWS resources (e.g., RDS Data API, Secrets Manager, or the Aurora MySQL cluster itself).
  fix: Review the IAM policy attached to the AWS profile or role being used by the MCP server. Ensure it has explicit `Allow` permissions for actions like `rds-data:*` on the Aurora cluster, `secretsmanager:GetSecretValue` on the secret, and potentially `iam:PassRole` if the service passes a role.
Warnings
- breaking: Server-Sent Events (SSE) support was removed from all MCP servers in their latest major versions, effective May 26th, 2025. This change aligns with the Model Context Protocol specification. Streamable HTTP is planned as a replacement for improved transport capabilities.
- gotcha: Potential for SQL injection if proper security practices are not followed. Although the MySQL MCP server includes a `mutable_sql_detector.py` for client-side checks, it is crucial to also enforce least-privilege access via server-side IAM/RBAC.
- gotcha: The `awslabs.core-mcp-server` is deprecated. If your setup used this for proxying, you must now configure individual MCP servers (like `awslabs.mysql-mcp-server`) directly in your client application.
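The AccessDeniedException fix and the least-privilege warning above both come down to what the server's IAM policy allows and on which resources. The following is an added example, not part of the awslabs project: a small offline check that reports required permissions that are missing and statements that grant database or secret access on `Resource: "*"`. The function names, the sample policies, and the assumption that the Data API path needs `rds-data:ExecuteStatement` plus `secretsmanager:GetSecretValue` are illustrative.

```python
import fnmatch

# Placeholder ARNs in the page's Quickstart style (constructed, not real resources).
CLUSTER = "arn:aws:rds:your-aws-region:123456789012:cluster:your-db-cluster"
SECRET = "arn:aws:secretsmanager:your-aws-region:123456789012:secret:your-db-credentials-XXXXXX"

# Constructed sample policies: one grants everything on "*", one is scoped per resource.
BROAD = {"Statement": [{"Effect": "Allow", "Resource": "*",
                        "Action": ["rds-data:*", "secretsmanager:GetSecretValue"]}]}
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "rds-data:*", "Resource": CLUSTER},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": SECRET}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    # IAM's * and ? wildcards approximated with fnmatch; action names are case-insensitive.
    if ignore_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def audit_policy(policy, cluster_arn, secret_arn):
    """Return findings for an identity policy (dict); Deny/Condition are not evaluated."""
    # Assumed minimum for the RDS Data API path: run SQL, read the DB secret.
    needed = {"rds-data:ExecuteStatement": cluster_arn,
              "secretsmanager:GetSecretValue": secret_arn}
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    findings = []
    for action, arn in needed.items():
        granted = any(_matches(_as_list(s.get("Action", [])), action, True)
                      and _matches(_as_list(s.get("Resource", [])), arn)
                      for s in allows)
        if not granted:
            findings.append(f"missing: {action} on {arn}")
    for s in allows:
        actions = _as_list(s.get("Action", []))
        sensitive = any(a == "*" or a.lower().startswith(("rds-data:", "secretsmanager:"))
                        for a in actions)
        if sensitive and "*" in _as_list(s.get("Resource", [])):
            findings.append(f"over-broad: {actions} allowed on Resource '*'")
    return findings


if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(doc, CLUSTER, SECRET))
```

Run it against the policy JSON exported for the role or profile the server uses, before pointing an agent at the database.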
Install
- pip install awslabs.mysql-mcp-server
- uvx awslabs.mysql-mcp-server@latest
Imports
- awslabs.mysql-mcp-server
This library is primarily run as a server executable, not typically imported directly into Python applications by end-users. MCP clients (e.g., AI IDEs) invoke it.
Quickstart
# The awslabs.mysql-mcp-server is intended to be run as an executable, often managed by an MCP client or 'uvx'.
# This command starts the server, which an MCP client can then connect to.
# Ensure your AWS credentials (e.g., via AWS_PROFILE) are configured and Secrets Manager
# contains your MySQL credentials.

# Example for RDS Data API connection (replace with your actual ARN and secret name):
# export AWS_PROFILE="your-aws-profile"
# export AWS_REGION="your-aws-region"
# uvx awslabs.mysql-mcp-server@latest \
#   --resource_arn "arn:aws:rds:your-aws-region:123456789012:cluster:your-db-cluster" \
#   --secret_arn "arn:aws:secretsmanager:your-aws-region:123456789012:secret:your-db-credentials-XXXXXX"

# Example for Direct MySQL connection (replace with your actual host, port, user, and secret name):
# export AWS_PROFILE="your-aws-profile"
# export AWS_REGION="your-aws-region"
# uvx awslabs.mysql-mcp-server@latest \
#   --hostname "your-mysql-host.com" \
#   --port 3306 \
#   --database "your_database_name" \
#   --secret_arn "arn:aws:secretsmanager:your-aws-region:123456789012:secret:your-db-credentials-XXXXXX"