# Configuration

This guide covers the configuration options for AWS Logs MCP.

## Environment Variables

AWS Logs MCP is configured primarily through environment variables. Create a `.env` file in the root directory or set these variables in your environment.

### Basic Server Configuration

| Variable | Description | Default |
|----------|-------------|---------|
| `PORT` | Port for the MCP server | `3000` |
| `NODE_ENV` | Environment (development/production) | `development` |

### AWS Authentication Options

Choose one of these authentication methods:

| Variable | Description | Default |
|----------|-------------|---------|
| `AWS_REGION` | AWS region | `us-east-1` |
| `AWS_PROFILE` | AWS profile name (recommended method) | |
| `AWS_ACCESS_KEY_ID` | AWS access key ID (for direct credentials) | |
| `AWS_SECRET_ACCESS_KEY` | AWS secret access key (for direct credentials) | |
| `AWS_SESSION_TOKEN` | AWS session token (optional, for temporary credentials) | |
| `AWS_CREDENTIAL_PROVIDER` | Override credential provider (env, profile, process, default) | `default` |

### Advanced Configuration

| Variable | Description | Default |
|----------|-------------|---------|
| `LOG_LEVEL` | Logging level (debug, info, warn, error) | `info` |
| `HEALTH_CHECK_PATH` | Health check endpoint path | `/health` |
| `MAX_LOG_ENTRIES` | Maximum log entries per request | `100` |
| `ENABLE_CLOUDWATCH_METRICS` | Enable sending metrics to CloudWatch | `false` |
| `CLOUDWATCH_METRICS_NAMESPACE` | CloudWatch namespace for metrics | `AwsLogsMcp` |

## AWS Credentials

The server supports several AWS credential providers for secure AWS access.

### Authentication Methods

#### 1. AWS Profile (Recommended)

Use profiles from your AWS CLI configuration:

```bash
# .env file
AWS_PROFILE=your_profile_name
AWS_REGION=us-east-1
```

This is the most secure method as it:

- Uses your existing AWS CLI configuration
- Supports credential rotation
- Works with SSO and other advanced authentication methods
- Can use profiles with MFA

#### 2. IAM Credentials

Directly provide credentials:

```bash
# .env file
AWS_ACCESS_KEY_ID=your_access_key_id
AWS_SECRET_ACCESS_KEY=your_secret_access_key
AWS_REGION=us-east-1
# Optional, for temporary credentials
AWS_SESSION_TOKEN=your_session_token
```

#### 3. IAM Role (Auto-detected)

When running on AWS services (EC2, ECS, Lambda), the server automatically uses the attached IAM role.

Just specify the region:

```bash
# .env file
AWS_REGION=us-east-1
```

### Advanced Configuration

#### Process-Based Credentials

To use a `credential_process` entry configured in `~/.aws/config`:

```bash
AWS_CREDENTIAL_PROVIDER=process
```

#### Default Credential Chain

Uses the AWS SDK default credential provider chain, which tries environment variables, profile, EC2 instance profiles, and more:

```bash
AWS_CREDENTIAL_PROVIDER=default
```

### Security Considerations

- Your AWS credentials remain on your local machine
- Credentials are only used for accessing AWS services
- MCP servers never expose credentials to AI models
- Only grant the minimum permissions needed
- Consider using temporary credentials where possible
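
A preflight lint for the `.env` settings described above, as an added example that is not part of AWS Logs MCP: it flags a profile and static keys set together, long-term `AKIA` keys, temporary `ASIA` keys without a session token, and invalid option values. `parseEnv` and `auditEnv` are hypothetical names, the sample input is constructed, and treating `MAX_LOG_ENTRIES` as a positive integer is an assumption.

```javascript
// Added example, not project code: lint a .env for AWS Logs MCP before startup.
// parseEnv and auditEnv are hypothetical helper names.
const PROVIDERS = ['env', 'profile', 'process', 'default'];

// Minimal KEY=value parser: skips blank/comment lines, strips inline " # ..." comments.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (line.startsWith('#') || eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).replace(/\s+#.*$/, '').trim();
  }
  return env;
}

function auditEnv(text) {
  const env = parseEnv(text);
  const findings = [];
  const keyId = env.AWS_ACCESS_KEY_ID || '';
  const secret = env.AWS_SECRET_ACCESS_KEY || '';
  if (env.AWS_PROFILE && (keyId || secret))
    findings.push('ambiguous-auth: AWS_PROFILE and static keys are both set; choose one');
  if (Boolean(keyId) !== Boolean(secret))
    findings.push('incomplete-keys: access key ID and secret must be set together');
  // AKIA marks a long-term IAM user key; ASIA marks temporary STS credentials.
  if (keyId.startsWith('AKIA'))
    findings.push('long-term-key: prefer AWS_PROFILE or temporary credentials');
  if (keyId.startsWith('ASIA') && !env.AWS_SESSION_TOKEN)
    findings.push('missing-token: temporary keys need AWS_SESSION_TOKEN');
  if (env.AWS_CREDENTIAL_PROVIDER && !PROVIDERS.includes(env.AWS_CREDENTIAL_PROVIDER))
    findings.push('bad-provider: expected one of ' + PROVIDERS.join(', '));
  if (env.NODE_ENV === 'production' && env.LOG_LEVEL === 'debug')
    findings.push('debug-in-production: info is generally preferred');
  if (env.MAX_LOG_ENTRIES && !/^[1-9]\d*$/.test(env.MAX_LOG_ENTRIES))
    findings.push('bad-limit: MAX_LOG_ENTRIES must be a positive integer');
  return findings;
}

// Constructed sample input; the key values are placeholders, not real credentials.
const sample = [
  'NODE_ENV=production',
  'AWS_PROFILE=your_profile_name',
  'AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER',
  'AWS_SECRET_ACCESS_KEY=your_secret_access_key',
  'LOG_LEVEL=debug # Options: debug, info, warn, error',
].join('\n');
console.log(auditEnv(sample).join('\n'));
```

An empty result means none of these checks fired; it does not validate that the credentials themselves work.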

## Logging Configuration

Configure logging behavior with:

```bash
LOG_LEVEL=info # Options: debug, info, warn, error
```

In development, `debug` provides detailed logs. In production, `info` is generally preferred.

## Server Configuration

Basic server settings:

```bash
PORT=3000
HEALTH_CHECK_PATH=/health
```

## Limit Configuration

Control limits to prevent excessive resource usage:

```bash
MAX_LOG_ENTRIES=100
```

## CloudWatch Metrics

Enable CloudWatch metrics for monitoring:

```bash
ENABLE_CLOUDWATCH_METRICS=true
CLOUDWATCH_METRICS_NAMESPACE=AwsLogsMcp
```

!!! note
    Enabling CloudWatch metrics requires IAM permissions that allow the `cloudwatch:PutMetricData` action.