by Azure
A Model Context Protocol (MCP) server that enables AI assistants to interact with AKS clusters. It serves as a bridge between AI tools (like Claude, Cursor, and GitHub Copilot) and AKS.
# Add to your Claude Code skills
git clone https://github.com/Azure/aks-mcp
The AKS-MCP is a Model Context Protocol (MCP) server that enables AI assistants to interact with Azure Kubernetes Service (AKS) clusters. It serves as a bridge between AI tools (like GitHub Copilot, Claude, and other MCP-compatible AI assistants) and AKS, translating natural language requests into AKS operations and returning the results in a format the AI tools can understand.
It allows AI tools to:
AKS-MCP connects to Azure using the Azure SDK and provides a set of tools that AI assistants can use to interact with AKS resources. It leverages the Model Context Protocol (MCP) to facilitate this communication, enabling AI tools to make API calls to Azure and interpret the responses.
AKS-MCP uses Azure CLI (az) for AKS operations. Azure CLI authentication is attempted in this order:
Service Principal (client secret): When AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID environment variables are present, a service principal login is performed using the following command: az login --service-principal -u CLIENT_ID -p CLIENT_SECRET --tenant TENANT_ID
Workload Identity (federated token): When AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE environment variables are present, a federated token login is performed using the following command: az login --service-principal -u CLIENT_ID --tenant TENANT_ID --federated-token TOKEN
User-assigned Managed Identity (managed identity client ID): When only AZURE_CLIENT_ID environment variable is present, a user-assigned managed identity login is performed using the following command: az login --identity -u CLIENT_ID
System-assigned Managed Identity: When AZURE_MANAGED_IDENTITY is set to system, a system-assigned managed identity login is performed using the following command: az login --identity
Existing Login: When none of the above environment variables are set, AKS-MCP assumes you have already authenticated (for example, via az login) and uses the existing session.
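An added example, not code from the aks-mcp project: a Go preflight that reports which login the order above would select for a given environment, and rejects a federated token file outside the path named under "Notes and security". SelectAuth and the method labels are hypothetical names; it assumes the first matching case wins, that "only AZURE_CLIENT_ID" means no earlier case matched, and that path validation is an exact string match.

```go
package main

import "fmt"

// The only federated token file path the page says is accepted.
const allowedTokenFile = "/var/run/secrets/azure/tokens/azure-identity-token"

// SelectAuth (hypothetical helper) applies the documented precedence to env and
// returns a method label plus the az arguments, with secret values replaced by
// placeholders so the result is safe to log.
func SelectAuth(env map[string]string) (string, []string, error) {
	id, secret, tenant := env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"], env["AZURE_TENANT_ID"]
	tokenFile := env["AZURE_FEDERATED_TOKEN_FILE"]
	switch {
	case id != "" && secret != "" && tenant != "":
		// Listed first, so it wins even if a federated token file is also set.
		return "service-principal", []string{"login", "--service-principal", "-u", id, "-p", "<redacted>", "--tenant", tenant}, nil
	case id != "" && tenant != "" && tokenFile != "":
		if tokenFile != allowedTokenFile { // assumption: exact match only
			return "", nil, fmt.Errorf("federated token file %q rejected", tokenFile)
		}
		return "workload-identity", []string{"login", "--service-principal", "-u", id, "--tenant", tenant, "--federated-token", "<token>"}, nil
	case id != "":
		// Assumption: reached when no earlier case matched.
		return "user-assigned-managed-identity", []string{"login", "--identity", "-u", id}, nil
	case env["AZURE_MANAGED_IDENTITY"] == "system":
		return "system-assigned-managed-identity", []string{"login", "--identity"}, nil
	}
	return "existing-login", nil, nil // relies on a prior az login session
}

func main() {
	// Constructed sample environments, not taken from a real deployment.
	samples := []map[string]string{
		{"AZURE_CLIENT_ID": "app-id", "AZURE_TENANT_ID": "tenant-id", "AZURE_FEDERATED_TOKEN_FILE": "/tmp/token"},
		{"AZURE_CLIENT_ID": "app-id", "AZURE_CLIENT_SECRET": "s", "AZURE_TENANT_ID": "tenant-id", "AZURE_FEDERATED_TOKEN_FILE": allowedTokenFile},
		{"AZURE_CLIENT_ID": "app-id"},
		{},
	}
	for _, env := range samples {
		method, args, err := SelectAuth(env)
		fmt.Printf("method=%q args=%v err=%v\n", method, args, err)
	}
}
```

The second sample shows a leftover AZURE_CLIENT_SECRET taking priority over an intended workload identity login, which is the kind of mismatch worth catching before the server starts.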
Optional subscription selection:
If AZURE_SUBSCRIPTION_ID is set, AKS-MCP will run az account set --subscription SUBSCRIPTION_ID after login.
Notes and security:
/var/run/secrets/azure/tokens/azure-identity-token and is strictly validated; other paths are rejected.
az account show --query id -o tsv.
Environment variables used:
AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_FEDERATED_TOKEN_FILE
AZURE_SUBSCRIPTION_ID
AZURE_MANAGED_IDENTITY (set to system to opt into system-assigned managed identity)
The AKS-MCP server provides consolidate...