
MCP Gateway Lambda target tools not appearing in Amazon Connect Agent Builder

0

I have set up a Bedrock AgentCore Gateway with a Lambda-based MCP target to expose a custom tool to Amazon Connect's Agent Builder. Despite the configuration appearing correct, the tool does not appear in the Agent Builder's "Add existing tool" menu or in the Security Profiles "Tools" section (which shows "No Tools available").

Setup:

  • Bedrock AgentCore Gateway with MCP protocol (version 2025-03-26)
  • Authorizer: CUSTOM_JWT, with discovery URL pointing to my Connect instance
  • Gateway target: Lambda function with inline tool schema
  • Tool schema includes a tool with a name, description, and a valid inputSchema with at least one property
  • Third-party application created in Amazon Connect as type "MCP Server", linked to the gateway
  • Instance association is active and correctly configured
  • Gateway status: READY
  • Target status: READY
  • Amazon Q in Connect is enabled
  • All resources are in the same region and account

Troubleshooting steps taken:

  1. Verified gateway and target are both in READY status
  2. Updated tool schema to include non-empty inputSchema (added a required string property) — no change
  3. Attempted SynchronizeGatewayTargets — received "Target type LAMBDA is not supported for synchronization" (expected for Lambda targets)
  4. Deleted and recreated both the gateway target and the third-party application from scratch — no change
  5. Confirmed the discovery URL matches the Connect instance
  6. Confirmed the allowed clients list includes the Connect instance ARN
  7. Checked CloudWatch — no gateway-related logs exist, suggesting Connect never attempts tool discovery against the gateway
  8. Hard-refreshed the Connect admin site multiple times

Expected behavior: The tool defined in the Lambda target's inline schema should appear in:

  • Security Profiles → Tools section
  • Agent Builder → "Add existing tool" dropdown

Actual behavior:

  • Security Profiles → Tools shows "No Tools available"
  • Agent Builder only shows "Amazon Connect" and prebuilt tools
  • No gateway logs in CloudWatch

Questions:

  1. Is there an additional step required for Amazon Connect to discover tools from a Lambda-based MCP gateway target?
  2. Does Connect perform tool discovery automatically when the third-party app is associated, or is there a manual trigger needed?
  3. Are there known limitations with Lambda targets vs HTTP/S MCP server targets for tool discovery in Connect?

Any guidance would be appreciated.

1 Answer
0

Based on the information available about Amazon Bedrock AgentCore Gateway, I can provide some insights that may help with your situation.

When a principal lists available tools from a gateway, the policy engine evaluates whether they have permission to see those tools. A principal can only see tools in the listing that they would be permitted to call by policy. Importantly, a tool appears in the list only if there exists any set of circumstances under which a call to that tool would be permitted. This means that even if your gateway and target are in READY status, policy configurations could prevent tools from appearing in listings.

For Lambda-based targets specifically, the gateway requires certain configurations to be in place. The Lambda target must be properly configured with the Lambda function ARN and tool schema. The credential configuration for Lambda functions should use IAM-based authorization (GATEWAY_IAM_ROLE as the credential provider type).

Regarding synchronization, you've correctly identified that Lambda targets do not support the SynchronizeGatewayTargets operation - this is expected behavior. Lambda targets use implicit synchronization during target creation and updates, rather than explicit on-demand synchronization.

For tool discovery to work properly, the gateway must be configured with appropriate authorization. When using custom JWT authorization, the gateway validates and authorizes incoming tool calls according to the MCP authorization specification. The absence of CloudWatch logs suggesting no discovery attempts could indicate an authorization or configuration issue preventing Amazon Connect from successfully querying the gateway's tool catalog.

I would recommend verifying that:

  • The IAM role associated with your gateway has the necessary permissions to invoke the Lambda function
  • The authorization configuration between Amazon Connect and the gateway is properly established
  • Any policy configurations (if implemented) are not inadvertently filtering out the tools from the listing

Without specific documentation about Amazon Connect's integration with AgentCore Gateway for tool discovery, I cannot definitively answer whether there are additional steps or limitations specific to Connect's Agent Builder integration with Lambda-based MCP targets.

Sources:

  • Use a AgentCore Gateway with Policy in AgentCore - Amazon Bedrock AgentCore
  • MCP servers targets - Amazon Bedrock AgentCore
  • Introducing Amazon Bedrock AgentCore Gateway: Transforming enterprise AI agent tool development | Artificial Intelligence

answered 2 months ago
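
Added example (not part of the question or answer above, and not AWS code): an offline check of a token's claims against a CUSTOM_JWT authorizer configuration, to rule the authorizer in or out when the gateway shows no discovery traffic. The field names `discoveryUrl`, `allowedClients` and `allowedAudience` are assumed to follow the gateway's custom JWT authorizer settings, matching `allowedClients` against the `client_id` claim is an assumption, and every sample value is constructed.

```python
import base64
import json

def b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return b64url_json(parts[1])

def authorizer_mismatches(claims: dict, authorizer: dict, discovery_doc: dict) -> list:
    """List reasons a CUSTOM_JWT authorizer would reject a token with these claims."""
    problems = []
    suffix = "/.well-known/openid-configuration"
    if not authorizer["discoveryUrl"].endswith(suffix):
        problems.append("discoveryUrl does not end with " + suffix)
    issuer = discovery_doc.get("issuer")
    if claims.get("iss") != issuer:  # OIDC issuer comparison is an exact string match
        problems.append(f"iss {claims.get('iss')!r} != discovery issuer {issuer!r}")
    allowed_clients = authorizer.get("allowedClients")
    if allowed_clients and claims.get("client_id") not in allowed_clients:
        problems.append(f"client_id {claims.get('client_id')!r} not in allowedClients")
    allowed_aud = authorizer.get("allowedAudience")
    if allowed_aud:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if not set(auds) & set(allowed_aud):
            problems.append(f"aud {aud!r} not in allowedAudience")
    return problems

def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Constructed sample values; none come from the original post.
AUTHORIZER = {"discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
              "allowedClients": ["example-client-id"]}
DISCOVERY_DOC = {"issuer": "https://idp.example.com"}
GOOD = make_token({"iss": "https://idp.example.com", "client_id": "example-client-id"})
BAD = make_token({"iss": "https://idp.example.com/", "client_id": "other-client"})

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, authorizer_mismatches(jwt_claims(tok), AUTHORIZER, DISCOVERY_DOC))
```

An empty list means the claims line up with the authorizer settings, which points the investigation away from the gateway and toward whether the caller ever sends a request.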
