Accessibility Options:
Skip to main content

How to Deploy Custom AI Tools to Amazon Bedrock AgentCore in 3 Minutes (Without Touching Infra)

4 min read775 words
#aws#bedrockagentcore#aiagents

Deploying AI tools shouldn’t require a DevOps degree. This guide shows developers how to deploy custom tools built with the Model Context Protocol (MCP) to Amazon Bedrock AgentCore Runtime in under 3 minutes. You’ll learn how to set up OAuth2 authentication with Amazon Cognito, launch a fully scalable HTTPS endpoint, and monitor performance—all without managing servers, containers, or scaling logic. Whether you’re building your first tool or scaling a fleet of agents, this is the fastest way to go from local script to production-ready AI infrastructure.

How to Deploy Custom AI Tools to Amazon Bedrock AgentCore in 3 Minutes (Without Touching Infra)

You’ve built something great—a custom tool your AI agents can use to do real work. But now you’re stuck. You’re not sure how to get it from your local machine into the hands of your agents without falling into a rabbit hole of Docker containers, Lambda quirks, IAM roles, and OAuth2 headaches.

You’re thinking, “I just want to deploy a tool—not become a DevOps engineer.”

You’re not alone.

The truth is, most developers hit a wall when it comes to deployment. It’s not that the tooling doesn’t exist—it’s that the process is scattered, slow, and unforgiving if you get even one small thing wrong. That friction slows down innovation, kills momentum, and leaves amazing tools sitting idle.

That’s exactly why Amazon Bedrock AgentCore Runtime exists—and more specifically, why it now supports Model Context Protocol (MCP) servers.

With just a few commands, you can deploy your custom tool with:

  • OAuth2 authentication via Amazon Cognito

  • Auto-scaling infrastructure

  • A publicly accessible HTTPS endpoint

  • Production-grade security baked in

  • All in under 3 minutes

In this guide, you’ll learn how to go from “it works on my machine” to “it works securely in production”—without needing to manage containers or wrestle with scaling policies.

The Fast Path to Production

Deploying a custom AI tool shouldn’t feel like launching a rocket. But until now, it’s often involved multiple services, custom scripts, and days of setup just to get something basic online. Even if you managed to get it working, scaling securely was another story.

Amazon Bedrock AgentCore Runtime changes that.

It’s a managed environment designed to make your MCP (Model Context Protocol) tools instantly usable by AI agents. Think of it like a hosting platform purpose-built for GenAI tool developers—one where scaling, authentication, and HTTPS endpoints are handled for you.

Why MCP + AgentCore is a Game Changer

With AgentCore, you can:

  • Host up to 10 custom tools in one deployment

  • Authenticate requests using OAuth2 via Amazon Cognito

  • Deploy with a CLI in 2–3 minutes, with zero container setup

  • Scale automatically

  • See cold starts under 2 seconds, and warm responses under 500ms

And the best part? You don’t need to be an AWS power user to get started.

What You’ll Build

By the end of this guide, you’ll have:

  • ✅ An MCP server deployed to Amazon Bedrock AgentCore Runtime

  • ✅ OAuth2 authentication via Amazon Cognito

  • ✅ A publicly accessible HTTPS endpoint

  • ✅ Support for 10 custom tools

  • ✅ Auto-scaling and stateless transport

  • ✅ Cold starts under 2s, warm responses under 500ms

  • ✅ Integrated monitoring via CloudWatch logs

You’ll go from Python script to production endpoint—with authentication, scaling, and logging—all in a few simple steps.

Step-by-Step: From Python Script to Secure, Scalable Tool

🔧 Step 1: Prepare Your MCP Server

from mcp.server.fastmcp import FastMCP
import os

mcp = FastMCP(host="0.0.0.0", stateless_http=True)

@mcp.tool()
def reverse_text(text: str) -> str:
    return text[::-1]

if __name__ == "__main__":
    is_agentcore = (
        os.getenv("AWS_EXECUTION_ENV") or os.getenv("AWS_LAMBDA_FUNCTION_NAME")
    )
    mode = os.getenv("MCP_TRANSPORT", "http" if is_agentcore else "stdio")

    if mode in ["http", "streamable-http"]:
        mcp.run(transport="streamable-http")
    else:
        mcp.run()

🔐 Step 2: Set Up Amazon Cognito (OAuth2)

export REGION=us-east-1
export USERNAME=testuser
export PASSWORD=MyPassword123!

# Create User Pool
export POOL_ID=$(aws cognito-idp create-user-pool \
  --pool-name "MCPUserPool" \
  --region $REGION | jq -r '.UserPool.Id')

# Create App Client
export CLIENT_ID=$(aws cognito-idp create-user-pool-client \
  --user-pool-id $POOL_ID \
  --client-name "MCPClient" \
  --no-generate-secret \
  --explicit-auth-flows "ALLOW_USER_PASSWORD_AUTH" \
  --region $REGION | jq -r '.UserPoolClient.ClientId')

# Create User
aws cognito-idp admin-create-user \
  --user-pool-id $POOL_ID \
  --username $USERNAME \
  --region $REGION \
  --message-action SUPPRESS

# Set Permanent Password
aws cognito-idp admin-set-user-password \
  --user-pool-id $POOL_ID \
  --username $USERNAME \
  --password $PASSWORD \
  --permanent

# Discovery URL
export DISCOVERY_URL="https://cognito-idp.$REGION.amazonaws.com/$POOL_ID/.well-known/openid-configuration"

🚀 Step 3: Install the AgentCore CLI

pip install bedrock-agentcore-starter-toolkit
agentcore --version

⚙️ Step 4: Configure Your Deployment

agentcore configure -e server.py --protocol MCP --region us-east-1

  • Accept all default prompts

  • Say “yes” to OAuth2

  • Paste your Cognito Discovery URL and Client ID

☁️ Step 5: Launch the Deployment

agentcore launch --region us-east-1

Your server is now hosted on AgentCore Runtime. You’ll get back a public HTTPS URL and log group for monitoring.

✅ Step 6: Test It

Get a fresh token:

aws cognito-idp initiate-auth \
  --client-id $CLIENT_ID \
  --auth-flow USER_PASSWORD_AUTH \
  --auth-parameters USERNAME=testuser,PASSWORD=MyPassword123! \
  --region us-east-1 \
  --query 'AuthenticationResult.AccessToken' \
  --output text

Then test:

curl -X POST "https://bedrock-agentcore.us-east-1.amazonaws.com/runtimes/YOUR_AGENT_ARN/invocations" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "reverse_text",
      "arguments": {
        "text": "hello world"
      }
    }
  }'

Expected output:

{
  "jsonrpc": "2.0",
  "id": 1,
  "result": {
    "output": "dlrow olleh"
  }
}

Cost and Performance: What to Expect in Production

⚡ Performance

  • Cold starts: <2 seconds

  • Warm calls: <500ms

  • Auto-scaling built in

💸 Cost (Based on 1,000 req/day)

It’s startup-friendly and enterprise-grade at the same time.

Common Issues (and How to Fix Them)

“Starting MCP server in STDIO mode”

→ Fix: Update your transport detection code (see Step 1)

“401 Unauthorized”

→ Fix: Your token expired. Run the token command again.

“ValidationException: discoveryUrl…”

→ Fix: Your discovery URL is malformed in .bedrock_agentcore.yaml

curl call hangs

→ Fix: Make sure headers include both Content-Type and Accept: application/json, text/event-stream

Logs not showing?

aws logs tail /aws/bedrock-agentcore/runtimes/YOUR_AGENT_NAME-DEFAULT --follow

Going Further: Scale, Integrate, and Build Smarter Systems

🧩 Use an AgentCore Gateway

Combine multiple MCP tool sources under one endpoint.

🧠 Integrate with Frameworks

Connect your tool to LangChain, the Strands Agent Framework, or any MCP-compatible agent.

📈 Monitor with CloudWatch

Track latency, volume, errors—and iterate fast.

🧪 Use MCP Inspector

Test tools interactively using:

npx @modelcontextprotocol/inspector

Final Thought

You don’t need to be a DevOps pro to ship fast, secure, scalable tools.

Amazon Bedrock AgentCore + FastMCP gives you the power to:

  • Deploy in minutes

  • Stay secure with OAuth2

  • Scale without lifting a finger

  • Build tools that real agents can use

Now you can move fast without breaking infra.

So… what’s your team going to build next?