# SAM template: an Athena MCP server running as a Lambda behind an API Gateway
# REST API, with a Cognito user pool issuing the client_credentials tokens.
AWSTemplateFormatVersion: '2010-09-09'
# The Serverless transform expands the AWS::Serverless::* resources below.
Transform: AWS::Serverless-2016-10-31
Description: AWS Athena MCP Server - Lambda + API Gateway
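Parameters:
  # Athena query result location. Must be an s3:// URI with a bucket and an
  # optional prefix; the AthenaFunction policy builds S3 ARNs from this value,
  # so a malformed value is rejected at stack creation instead of at query time.
  OutputS3Path:
    Type: String
    Description: S3 path for Athena query results (e.g., s3://your-bucket/athena-results/)
    # Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
    AllowedPattern: '^s3://[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$'
    ConstraintDescription: 'Must be an s3://<bucket>/<optional-prefix>/ URI'
  # Workgroup the function is told to run queries in (ATHENA_WORKGROUP).
  AthenaWorkgroup:
    Type: String
    Default: primary
    Description: Athena workgroup name
  # NOTE(review): no resource in this template references AwsRegionParam (they
  # use the AWS::Region pseudo parameter); kept so callers that pass it still deploy.
  AwsRegionParam:
    Type: String
    Default: us-east-1
    Description: AWS region for Athena
  # Also used as the Cognito hosted-domain prefix, so keep it to lowercase
  # letters, digits and hyphens.
  CognitoUserPoolName:
    Type: String
    Default: athena-mcp-user-pool
    Description: Name for the Cognito User Pool
  CognitoAppClientName:
    Type: String
    Default: athena-mcp-client
    Description: Name for the Cognito App Client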
Globals:
  # Defaults inherited by every AWS::Serverless::Function in this template.
  Function:
    Timeout: 300  # seconds (Lambda allows up to 900)
    MemorySize: 512  # MB
    Runtime: nodejs20.x
    Architectures:
      - arm64
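Resources:
  # Cognito User Pool that issues the tokens McpApi accepts.
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Ref CognitoUserPoolName
      AutoVerifiedAttributes:
        - email
      Schema:
        - Name: email
          AttributeDataType: String
          Required: true
          Mutable: false
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireUppercase: true
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
      # NOTE(review): the only app client below uses client_credentials, so no
      # interactive sign-in path is configured here; if human users are not
      # intended, AdminCreateUserConfig.AllowAdminCreateUserOnly would close
      # self-service sign-up.

  # Hosted domain that serves the /oauth2/token endpoint (see CognitoTokenUrl);
  # the account id suffix keeps the prefix distinct across accounts.
  CognitoUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Sub '${CognitoUserPoolName}-${AWS::AccountId}'
      UserPoolId: !Ref CognitoUserPool

  # Resource server defining the custom scopes (athena-mcp-api/read and
  # athena-mcp-api/write) that the app client may request and the API checks.
  CognitoResourceServer:
    Type: AWS::Cognito::UserPoolResourceServer
    Properties:
      UserPoolId: !Ref CognitoUserPool
      Identifier: athena-mcp-api
      Name: Athena MCP API
      Scopes:
        - ScopeName: read
          ScopeDescription: Read access to Athena queries
        - ScopeName: write
          ScopeDescription: Write access to execute Athena queries

  # Confidential machine-to-machine client. A client_credentials token can carry
  # any scope in AllowedOAuthScopes, so one client secret grants both read and
  # write; use separate clients if the two scopes should be separable.
  CognitoAppClient:
    Type: AWS::Cognito::UserPoolClient
    # The custom scopes must exist before the client can reference them.
    DependsOn: CognitoResourceServer
    Properties:
      ClientName: !Ref CognitoAppClientName
      UserPoolId: !Ref CognitoUserPool
      GenerateSecret: true
      AllowedOAuthFlows:
        - client_credentials
      AllowedOAuthScopes:
        - athena-mcp-api/read
        - athena-mcp-api/write
      AllowedOAuthFlowsUserPoolClient: true
      ExplicitAuthFlows:
        - ALLOW_REFRESH_TOKEN_AUTH
      SupportedIdentityProviders:
        - COGNITO

  # Lambda that serves MCP requests; Timeout, MemorySize, Runtime and
  # Architectures come from Globals.
  AthenaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./
      Handler: build/lambda-simple.handler
      Environment:
        Variables:
          OUTPUT_S3_PATH: !Ref OutputS3Path
          ATHENA_WORKGROUP: !Ref AthenaWorkgroup
      Policies:
        - Version: '2012-10-17'
          Statement:
            # Athena access is account-wide ('*'). It could be narrowed to
            # arn:aws:athena:<region>:<account>:workgroup/<AthenaWorkgroup>
            # once the handler is known to always pass that workgroup.
            - Sid: AthenaQueries
              Effect: Allow
              Action:
                - athena:StartQueryExecution
                - athena:GetQueryExecution
                - athena:GetQueryResults
                - athena:ListNamedQueries
                - athena:BatchGetNamedQuery
                - athena:GetNamedQuery
                - athena:GetWorkGroup
              Resource: '*'
            # OutputS3Path is an s3:// URI, not a bucket name, so it cannot be
            # interpolated into an ARN directly. Splitting on '/' yields
            # ['s3:', '', '<bucket>', ...]; element 2 is the bucket name.
            - Sid: AthenaResultsBucket
              Effect: Allow
              Action:
                - s3:GetBucketLocation
                - s3:GetObject
                - s3:ListBucket
                - s3:PutObject
              Resource:
                - !Sub
                  - 'arn:${AWS::Partition}:s3:::${Bucket}'
                  - Bucket: !Select [2, !Split ['/', !Ref OutputS3Path]]
                - !Sub
                  - 'arn:${AWS::Partition}:s3:::${Bucket}/*'
                  - Bucket: !Select [2, !Split ['/', !Ref OutputS3Path]]
            # Read-only Data Catalog access. Kept at '*' because the SQL sent by
            # clients decides which catalog entries Athena has to resolve.
            - Sid: GlueCatalogRead
              Effect: Allow
              Action:
                - glue:GetDatabase
                - glue:GetDatabases
                - glue:GetTable
                - glue:GetTables
                - glue:GetPartitions
              Resource: '*'
      Events:
        ApiEvent:
          Type: Api
          Properties:
            Path: /mcp
            Method: post
            RestApiId: !Ref McpApi
        # NOTE(review): McpApi's DefaultAuthorizer appears to apply to this
        # explicit OPTIONS route as well; browser preflight requests carry no
        # token, so either set `Auth: { Authorizer: NONE }` on this event or drop
        # it and rely on the SAM-generated preflight with
        # AddDefaultAuthorizerToCorsPreflight: false on McpApi.
        OptionsEvent:
          Type: Api
          Properties:
            Path: /mcp
            Method: options
            RestApiId: !Ref McpApi

  # REST API fronting the function. Every route requires a Cognito access
  # token unless an event overrides Auth.
  McpApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      Auth:
        DefaultAuthorizer: CognitoAuthorizer
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !GetAtt CognitoUserPool.Arn
            # Listing scopes makes API Gateway validate an access token (not an
            # ID token) and accept it if it carries any one of them, so the
            # read/write split is not enforced at the gateway.
            AuthorizationScopes:
              - athena-mcp-api/read
              - athena-mcp-api/write
      # Values are response-header literals, hence the inner single quotes.
      # NOTE(review): AllowOrigin '*' is broad; narrow it if a browser client
      # is the intended consumer.
      Cors:
        AllowMethods: "'POST, OPTIONS'"
        AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
        AllowOrigin: "'*'"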
Outputs:
  # Invoke URL of the single MCP route on the prod stage.
  ApiEndpoint:
    Description: 'API Gateway endpoint URL'
    Value: !Sub 'https://${McpApi}.execute-api.${AWS::Region}.amazonaws.com/prod/mcp'
  FunctionArn:
    Description: 'Lambda Function ARN'
    Value: !GetAtt AthenaFunction.Arn
  CognitoUserPoolId:
    Description: 'Cognito User Pool ID'
    Value: !Ref CognitoUserPool
  # Client id of the client_credentials app client; the secret is not exported.
  CognitoAppClientId:
    Description: 'Cognito App Client ID'
    Value: !Ref CognitoAppClient
  # Token endpoint on the hosted domain (Ref of a UserPoolDomain is the prefix).
  CognitoTokenUrl:
    Description: 'Cognito OAuth2 Token URL'
    Value: !Sub 'https://${CognitoUserPoolDomain}.auth.${AWS::Region}.amazoncognito.com/oauth2/token'
  # Space-separated scope list for the token request.
  CognitoScopes:
    Description: 'Available OAuth scopes'
    Value: 'athena-mcp-api/read athena-mcp-api/write'