feat: add gateway auth and multi-gateway support to agent templates#427
Open
aidandaly24 wants to merge 5 commits intoaws:feat/gateway-integrationfrom
Open
feat: add gateway auth and multi-gateway support to agent templates#427aidandaly24 wants to merge 5 commits intoaws:feat/gateway-integrationfrom
aidandaly24 wants to merge 5 commits intoaws:feat/gateway-integrationfrom
Conversation
aidandaly24
requested a deployment
to
e2e-testing
GitHub Actions
Waiting
aidandaly24
changed the title
aidandaly24
force-pushed
the
feat/batch-5-agent-gateway-auth
branch
from
10d415a to
1c74bb4
Compare
aidandaly24
force-pushed
the
feat/batch-5-agent-gateway-auth
branch
from
1c74bb4 to
d9b90be
Compare
notgitika
approved these changes
Feb 24, 2026
Contributor
notgitika
left a comment
notgitika
left a comment
There was a problem hiding this comment.
Overall, LGTM.
This is a great start and we can go ahead with my comments + @tejaskash 's in follow-up PRs
Comment on lines
+48
to
+50
| mcp_tools = [] | ||
| if mcp_client: | ||
| mcp_tools = await mcp_client.get_tools() |
Contributor
There was a problem hiding this comment.
MultiServerMCPClient is normally used as async with. Calling .get_tools() without entering the context manager may not initialize connections.
| logger.warning("{{envVarName}} not set — {{name}} gateway tools unavailable") | ||
| return None | ||
| {{#if (eq authType "AWS_IAM")}} | ||
| http_client = httpx.AsyncClient(auth=SigV4HTTPXAuth()) |
Contributor
There was a problem hiding this comment.
This client is never closed, which leaks connections. Should be managed with async with or closed on shutdown.
Comment on lines
+11
to
+13
| Handlebars.registerHelper('snakeCase', (str: string) => { | ||
| return str.replace(/[^a-zA-Z0-9]/g, '_').toLowerCase(); | ||
| }); |
Contributor
There was a problem hiding this comment.
Produces double underscores (My--GW → my__gateway) and invalid Python identifiers for digit-leading names. Collapse consecutive _ and handle leading digits.
| try: | ||
| async with mcp_server as server: | ||
| active_servers = [server] if server else [] | ||
| {{#if hasGateway}} |
Contributor
There was a problem hiding this comment.
Gateway and non-gateway branches duplicate a lot of lines of agent creation. We could factor out the shared logic
Contributor
|
Can we also add tests in this PR around |
aidandaly24
force-pushed
the
feat/batch-5-agent-gateway-auth
branch
from
2b7b91d to
d9b90be
Compare
Add SigV4 authentication to MCP client templates so agents can
authenticate with AWS_IAM gateways. Each framework's client.py
uses Handlebars conditionals to include auth when gateways exist.
SigV4HTTPXAuth class signs HTTP requests using botocore SigV4Auth,
passed to the MCP client via httpx.AsyncClient. Templates read
gateway URLs from AGENTCORE_GATEWAY_{NAME}_URL env vars and handle
missing vars gracefully (warn, don't crash).
Updated all 5 frameworks: Strands, LangChain, OpenAI Agents,
Google ADK, AutoGen. Schema mapper reads mcp.json to populate
gateway config for template rendering. All gateways are auto-
included when creating an agent.
Replace single-gateway [0] indexing with {{#each gatewayProviders}}
loops. Each gateway gets its own client function (Strands) or entry
in the servers dict (LangChain/OpenAI/AutoGen/ADK).
Add snakeCase Handlebars helper for gateway function names.
Add gatewayAuthTypes array for conditional SigV4 imports.
Fix @index parse error by using plain variable names.
All 5 framework main.py files now use Handlebars conditionals to import the correct MCP client function based on hasGateway flag. Fix snakeCase helper to handle all special characters.
…way support Replace custom SigV4HTTPXAuth class with official mcp-proxy-for-aws package: - Strands: aws_iam_streamablehttp_client factory pattern - LangChain: SigV4HTTPXAuth via auth param in MultiServerMCPClient config - OpenAI Agents: SigV4HTTPXAuth via httpx_client_factory param - Google ADK: SigV4HTTPXAuth via httpx_client_factory in StreamableHTTPConnectionParams Revert AutoGen to original upstream — SDK doesn't support custom httpx auth (no httpx_client_factory param).
aidandaly24
force-pushed
the
feat/batch-5-agent-gateway-auth
branch
from
12af7bf to
1f153bc
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add gateway authentication and multi-gateway support to agent templates so agents can connect to MCP gateways.
SigV4 Authentication
Each framework's
mcp_client/client.pyincludes aSigV4HTTPXAuthclass that signs HTTP requests using botocore'sSigV4Auth, passed to the MCP client viahttpx.AsyncClient(auth=...). This enables agents to authenticate with AWS_IAM gateways (Lambda function URLs).Multi-Gateway Support
Templates use
{{#each gatewayProviders}}loops to generate per-gateway client functions. Each gateway gets its own env var (AGENTCORE_GATEWAY_{NAME}_URL) and auth configuration. A convenience function collects clients from all gateways.Template System Changes
AgentRenderConfigextended withhasGateway,gatewayProviders, andgatewayAuthTypesmcp.jsonto populate gateway config for renderingsnakeCaseHandlebars helper for Python function namesmain.pyfiles use{{#if hasGateway}}conditionals for correct importsRelated Issue
Part of the MCP Gateway Phase 1 integration (gateway-integration branch). Task 16.
Type of Change
Testing
npm run test:unitandnpm run test:integnpm run typechecknpm run lintsrc/assets/, I rannpm run test:update-snapshotsand committed the updated snapshotsChecklist