Bypass Docker MCP secret store; pass secrets from environment variables instead

[skyzyx]

Summary

Inside my project's mcp.json file, I want to configure a process to execute before docker mcp gateway run.

1. Process A generates environment variables (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).
2. Using -- after process A, it tells process A to run the next command in a subshell containing the environment variables.
3. The next command is docker mcp gateway run (with parameters).
4. One of the parameters is --servers aws-api (link).
5. In mcpServers.envs, set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY so that they get passed to the AWS API MCP server.

Unfortunately, this doesn't seem to be working. According to the debug logs, it's trying to read from config.yaml and docker mcp secret. When it finds nothing, it overwrites AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY with empty values.

Context

AWS is kind of a special beast. It has specific ways of accepting AWS credentials, and the credentials themselves come in many forms — (a) long-lived credentials, (b) short-lived STS credentials, and (c) even the use of a credential server (a la on-board EC2 Metadata API).

When you work with several/dozens/hundreds of accounts, and are exploring the use of AWS MCP servers across an entire AWS Organization of accounts, the use of Docker MCP Toolkit becomes a bottleneck as the servers request specific configurations read from config.yaml and Docker MCP secrets. If you want change accounts, you need to manually update the secrets store and config.yaml with the new credentials.

What I'm trying to get to is as close to a 100% ephemeral, project-specific config as possible for integrating Docker MCP Toolkit with my projects in VS Code, Cursor, and Kiro.

Practical code

This uses AWS Vault to provide an ECS-like credential server to other processes (including credential rotation). In this case, I'm passing AWS_CONTAINER_AUTHORIZATION_TOKEN and AWS_CONTAINER_CREDENTIALS_FULL_URI directly to the docker mcp gateway run process.

The underlying AWS CLI and SDKs know how to leverage these environment variables to fetch valid credentials. However there's something about how Docker MCP Toolkit works that seems to be intercepting/interfering with that process.

mcp.json

{
  "mcpServers": {
    "MCP_DOCKER": {
      "disabled": false,
      "command": "executable-shell-script-on-the-path",
      "args": [],
      "env": {
        "AWS_CONTAINER_AUTHORIZATION_TOKEN": "${AWS_CONTAINER_AUTHORIZATION_TOKEN}",
        "AWS_CONTAINER_CREDENTIALS_FULL_URI": "${AWS_CONTAINER_CREDENTIALS_FULL_URI}",
        "AWS_PROFILE": "${AWS_VAULT}",
        "AWS_REGION": "${AWS_REGION}"
      },
      "autoApprove": [],
      "disabledTools": []
    }
  }
}

executable-shell-script-on-the-path

#!/bin/bash
set -euo pipefail

aws-vault exec --duration=15m --ecs-server --region=us-east-2 --lazy {PROFILE} -- \
  docker mcp gateway run \
    --servers=aws-api \
    --servers=aws-core-mcp-server \
    --servers=aws-documentation \
    --servers=aws-terraform \
    --tools=call_aws \
    --tools=fetch_agentcore_doc \
    --tools=manage_agentcore_gateway \
    --tools=manage_agentcore_memory \
    --tools=manage_agentcore_runtime \
    --tools=mcp-add \
    --tools=mcp-create-profile \
    --tools=mcp-find \
    --tools=prompt_understanding \
    --tools=recommend \
    --tools=search_agentcore_docs \
    --tools=suggest_aws_commands \
;

[slimslenderslacks]

@skyzyx of the servers you're starting (e.g. aws-api, aws-core-mcp-server, aws-documentation, aws-terraform), I think only aws-api defines secrets:

• https://github.com/docker/mcp-registry/blob/main/servers/aws-api/server.yaml#L18
  but the secrets in this definition are AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

I actually think what you're saying above makes sense though. If this mcp server was designed to mount your local .aws and could use a aws cli and the AWS_CONTAINER_AUTHORIZATION_TOKEN then that work. I think the server is built from this github repo (https://github.com/awslabs/mcp/tree/main/src/aws-api-mcp-server), right? I'll ask if someone on our team has used this server before because even their documentation here https://github.com/awslabs/mcp/tree/main/src/aws-api-mcp-server#-using-docker seems to indicate that the host .aws folder should be mounted.

[slimslenderslacks]

By the way, would your method above only be expected to work if the container had mounted the host .aws directory? Is there a way for your aws-vault to populate the AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, etc?

[skyzyx]

Well, that's part of the quirk.

1. I think it's an anti-pattern to mount your ~/.aws directory. It might work, but if a rogue process in the container wants to read your credentials, then yeesh.

2. The AWS MCP servers leverage the Boto3 boot credential process, which includes support for the AWS_CONTAINER_AUTHORIZATION_TOKEN and AWS_CONTAINER_CREDENTIALS_FULL_URI environment variables. But something about Docker MCP Toolkit is interfering with those environment variables making their way to the server.

3. After looking at https://github.com/docker/mcp-registry/blob/main/servers/aws-api/server.yaml#L18, it seems that the code in the docker/mcp-registry repo forces a specific type of way to authenticate.

   I also explored writing a proxy process that sits between AWS Vault and the docker mcp gateway run command which exchanges the AWS_CONTAINER_AUTHORIZATION_TOKEN and AWS_CONTAINER_CREDENTIALS_FULL_URI variables for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN variables. That still doesn't work because the value for AWS_ACCESS_KEY_ID does not seem to read from the environment variables I'm presenting. It appears to explicitly (and only) look at the aws-api.aws_access_key_id config value.

   Update my example above with:

   aws-vault exec --duration=15m --ecs-server --region=us-east-2 --lazy {PROFILE} -- \
     aws-mcp-credential-proxy -- \
       docker mcp gateway run […]

Based on this, I'm wondering if the problem is just how the server.yaml file is written and not Docker MCP Toolkit itself.

[kgprs]

I added env vars for AWS_CONTAINER_AUTHORIZATION_TOKEN and AWS_CONTAINER_CREDENTIALS_FULL_URI to the aws-api server yaml here: docker/mcp-registry#935

That should plumb those env vars to the container. Please let me know if it works and I can add it to the other AWS servers that support it.

• Clone this branch of mcp-registry: https://github.com/docker/mcp-registry/tree/feat/aws-api-volume-mount
• Run task catalog -- aws-api
• Import with docker mcp catalog import $PWD/catalogs/aws-api/catalog.yaml (this will temporarily remove all servers except the aws-api server)
• Test server with env vars
• Reset the catalog back to its original state with docker mcp catalog reset