feat: Add Q CLI and local SMUS MCP (#736)

Author: TRNWWZ

template/v2/Dockerfile

@@ -62,6 +62,12 @@ RUN apt-get update && apt-get upgrade -y && \
     sudo ./aws/install && \
     rm -rf aws awscliv2.zip && \
     : && \
+    # Install Q CLI
+    curl --proto '=https' --tlsv1.2 -sSf "https://desktop-release.q.us-east-1.amazonaws.com/latest/q-x86_64-linux.zip" -o "q.zip" && \
+    unzip q.zip && \
+    Q_INSTALL_GLOBAL=true ./q/install.sh --no-confirm && \
+    rm -rf q q.zip && \
+    : && \
     echo "source /usr/local/bin/_activate_current_env.sh" | tee --append /etc/profile && \
 # CodeEditor - create server, user data dirs
     mkdir -p /opt/amazon/sagemaker/sagemaker-code-editor-server-data /opt/amazon/sagemaker/sagemaker-code-editor-user-data \

template/v2/dirs/etc/sagemaker-ui/sagemaker-mcp/mcp.json

@@ -0,0 +1,8 @@
+{
+  "mcpServers": {
+    "smus-local-mcp": {
+      "command": "python",  
+      "args": ["/etc/sagemaker-ui/sagemaker-mcp/smus-mcp.py"]
+    }
+  }
+}

template/v2/dirs/etc/sagemaker-ui/sagemaker-mcp/smus-mcp.py

@@ -0,0 +1,123 @@
+"""
+SageMaker Unified Studio Project Context MCP Server in stdio transport.
+
+"""
+
+import json
+import logging
+import os
+import re
+from typing import Any, Dict
+
+from mcp.server.fastmcp import FastMCP
+
+# Configure logging
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger(__name__)
+
+
+class ProjectContext:
+    """
+    A class that encapsulates AWS session, project object, and region.
+    This class simplifies the common pattern of setting up an AWS session,
+    extracting credentials, and getting a project.
+    """
+
+    def __init__(self):
+        try:
+            datazone_domain_id = os.getenv("AmazonDataZoneDomain")
+            datazone_project_id = os.getenv("AmazonDataZoneProject")
+            aws_region = os.getenv("AWS_REGION")
+            if datazone_domain_id and datazone_project_id and aws_region:
+                self.domain_id = datazone_domain_id
+                self.project_id = datazone_project_id
+                self.region = aws_region
+            else:
+                with open("/opt/ml/metadata/resource-metadata.json", "r") as metadata_file:
+                    metadata = json.load(metadata_file)
+                    self.domain_id = metadata["AdditionalMetadata"]["DataZoneDomainId"]
+                    self.project_id = metadata["AdditionalMetadata"]["DataZoneProjectId"]
+                    self.region = metadata["AdditionalMetadata"]["DataZoneDomainRegion"]
+        except Exception as e:
+            raise RuntimeError(f"Failed to initialize project: {e}")
+
+        if not re.match("^dzd[-_][a-zA-Z0-9_-]{1,36}$", self.domain_id):
+            raise RuntimeError(f"Invalid domain id")
+        if not re.match("^[a-zA-Z0-9_-]{1,36}$", self.project_id):
+            raise RuntimeError(f"Invalid project id")
+        if not re.match("^[a-z]{2}-[a-z]{4,10}-\\d$", self.region):
+            raise RuntimeError(f"Invalid region")
+
+
+def safe_get_attr(obj: Any, attr: str, default: Any = None) -> Any:
+    """Safely get an attribute from an object."""
+    if obj is None:
+        return default
+
+    try:
+        if hasattr(obj, attr):
+            value = getattr(obj, attr)
+            # Handle case where attribute access might throw RuntimeError
+            if callable(value):
+                try:
+                    return value()
+                except (RuntimeError, Exception) as e:
+                    logger.error(f"Error calling attribute {attr}: {e}")
+                    return default
+            return value
+        return default
+    except Exception as e:
+        logger.error(f"Error getting attribute {attr}: {e}")
+        return default
+
+
+def create_smus_context_identifiers_response(domain_id: str, project_id: str, region: str) -> str:
+
+    return f"""Selectively use the below parameters only when the parameter is required.
+<parameter>
+domain identifier: "{domain_id}"
+project identifier: "{project_id}"
+region: "{region}"
+aws profiles: "DomainExecutionRoleCreds, default"
+</parameter>
+Again, include only required parameters. Any extra parameters may cause the API to fail. Stick strictly to the schema."""
+
+
+async def aws_context_provider() -> Dict[str, Any]:
+    """
+    AWS Context Provider - MUST BE CALLED BEFORE ANY use_aws OPERATIONS
+
+    This tool provides essential AWS context parameters that are required by subsequent AWS operations.
+    It returns configuration details including domain identifiers, project information, and region
+    settings that would otherwise need to be manually specified with each use_aws call.
+
+    The returned parameters include:
+    - domain identifier: Unique identifier for the AWS DataZone domain
+    - project identifier: Identifier for the specific project being worked on
+    - profile name: Name of the AWS profile to use for credentials
+    - region: AWS region where operations should be performed
+    - aws profiles: use the aws profile named DomainExecutionRoleCreds for calling datazone APIs; otherwise use default AWS profile
+
+    Returns:
+        dict: Parameter context to be used with subsequent use_aws operations
+    """
+    identifiers_response = ""
+    try:
+        ctx = ProjectContext()
+        domain_id = safe_get_attr(ctx, "domain_id", "")
+        project_id = safe_get_attr(ctx, "project_id", "")
+        region = safe_get_attr(ctx, "region", "")
+        identifiers_response = create_smus_context_identifiers_response(domain_id, project_id, region)
+        return {"response": identifiers_response}
+    except Exception as e:
+        logger.error(f"Error providing SMUS context identifiers: {e}")
+        return {"response": identifiers_response, "error": "Error providing SMUS context identifiers"}
+
+
+if __name__ == "__main__":
+    mcp: FastMCP = FastMCP("SageMakerUnififedStudio Project Context MCP Server")
+
+    # Register the tools from tools.py
+    mcp.tool()(aws_context_provider)  # use the doc string of the function as description, do not overwrite here.
+
+    mcp.run(transport="stdio")

template/v2/dirs/etc/sagemaker-ui/sagemaker_ui_post_startup.sh

@@ -208,6 +208,80 @@ else
   echo readonly LOGNAME >> ~/.bashrc
 fi
 
+# Setup Q CLI auth mode
+q_settings_file="$HOME/.aws/amazon_q/settings.json"
+if [ -f "$q_settings_file" ]; then
+    q_auth_mode=$(jq -r '.auth_mode' < $q_settings_file)
+    if [ "$q_auth_mode" == "IAM" ]; then
+        export AMAZON_Q_SIGV4=true
+    else 
+        export AMAZON_Q_SIGV4=false
+    fi
+else
+    export AMAZON_Q_SIGV4=true
+fi
+
+if $AMAZON_Q_SIGV4; then
+    if grep -q "^export AMAZON_Q_SIGV4=" ~/.bashrc; then
+        echo "AMAZON_Q_SIGV4 is defined in the env"
+    else
+        echo export AMAZON_Q_SIGV4=$AMAZON_Q_SIGV4 >> ~/.bashrc
+    fi
+else 
+    # Remove from .bashrc if it exists
+    sed -i '/^export AMAZON_Q_SIGV4=/d' ~/.bashrc
+fi
+
+# Setup SageMaker MCP configuration
+echo "Setting up SageMaker MCP configuration..."
+mkdir -p $HOME/.aws/amazonq/
+target_file="$HOME/.aws/amazonq/mcp.json"
+source_file="/etc/sagemaker-ui/sagemaker-mcp/mcp.json"
+
+if [ -f "$source_file" ]; then
+    # Extract all servers from source configuration
+    if [ -f "$target_file" ]; then
+        # Target file exists - merge configurations
+        echo "Existing MCP configuration found, merging configurations..."
+        
+        # Check if it's valid JSON first
+        if jq empty "$target_file" 2>/dev/null; then
+            # Initialize mcpServers object if it doesn't exist
+            if ! jq -e '.mcpServers' "$target_file" >/dev/null 2>&1; then
+                echo "Creating mcpServers object in existing configuration"
+                jq '. + {"mcpServers":{}}' "$target_file" > "$target_file.tmp"
+                mv "$target_file.tmp" "$target_file"
+            fi
+            
+            servers=$(jq '.mcpServers | keys[]' "$source_file" | tr -d '"')
+            
+            # Add each server from source to target if it doesn't exist
+            for server in $servers; do
+                if ! jq -e ".mcpServers.\"$server\"" "$target_file" >/dev/null 2>&1; then
+                    server_config=$(jq ".mcpServers.\"$server\"" "$source_file")
+                    jq --arg name "$server" --argjson config "$server_config" \
+                        '.mcpServers[$name] = $config' "$target_file" > "$target_file.tmp"
+                    mv "$target_file.tmp" "$target_file"
+                    echo "Added server '$server' to existing configuration"
+                else
+                    echo "Server '$server' already exists in configuration"
+                fi
+            done
+        else
+            echo "Warning: Existing MCP configuration is not valid JSON, replacing with default configuration"
+            cp "$source_file" "$target_file"
+        fi
+    else
+        # File doesn't exist, copy our configuration
+        cp "$source_file" "$target_file"
+        echo "Created new MCP configuration with default servers"
+    fi
+    
+    echo "Successfully configured MCP for SageMaker"
+else
+    echo "Warning: MCP configuration file not found at $source_file"
+fi
+
 # Generate sagemaker pysdk intelligent default config
 nohup python /etc/sagemaker/sm_pysdk_default_config.py &
 # Only run the following commands if SAGEMAKER_APP_TYPE_LOWERCASE is jupyterlab

template/v2/dirs/usr/local/bin/entrypoint-sagemaker-ui-code-editor

@@ -11,6 +11,7 @@ micromamba activate base
 
 export SAGEMAKER_APP_TYPE_LOWERCASE=$(echo $SAGEMAKER_APP_TYPE | tr '[:upper:]' '[:lower:]')
 export SERVICE_NAME='SageMakerUnifiedStudio'
+export Q_CLI_CLIENT_APPLICATION='SMUS_CODE_EDITOR'
 
 mkdir -p $STUDIO_LOGGING_DIR/$SAGEMAKER_APP_TYPE_LOWERCASE/supervisord
 exec supervisord -c /etc/supervisor/conf.d/supervisord-sagemaker-ui-code-editor.conf -n

template/v2/dirs/usr/local/bin/entrypoint-sagemaker-ui-jupyter-server

@@ -21,6 +21,7 @@ fi
 
 export SAGEMAKER_APP_TYPE_LOWERCASE=$(echo $SAGEMAKER_APP_TYPE | tr '[:upper:]' '[:lower:]')
 export SERVICE_NAME='SageMakerUnifiedStudio'
+export Q_CLI_CLIENT_APPLICATION='SMUS_JUPYTER_LAB'
 
 mkdir -p $STUDIO_LOGGING_DIR/$SAGEMAKER_APP_TYPE_LOWERCASE/supervisord
 exec supervisord -c /etc/supervisor/conf.d/supervisord-sagemaker-ui.conf -n

template/v3/Dockerfile

@@ -62,6 +62,12 @@ RUN apt-get update && apt-get upgrade -y && \
     sudo ./aws/install && \
     rm -rf aws awscliv2.zip && \
     : && \
+    # Install Q CLI
+    curl --proto '=https' --tlsv1.2 -sSf "https://desktop-release.q.us-east-1.amazonaws.com/latest/q-x86_64-linux.zip" -o "q.zip" && \
+    unzip q.zip && \
+    Q_INSTALL_GLOBAL=true ./q/install.sh --no-confirm && \
+    rm -rf q q.zip && \
+    : && \
     echo "source /usr/local/bin/_activate_current_env.sh" | tee --append /etc/profile && \
 # CodeEditor - create server, user data dirs
     mkdir -p /opt/amazon/sagemaker/sagemaker-code-editor-server-data /opt/amazon/sagemaker/sagemaker-code-editor-user-data \

template/v3/dirs/etc/sagemaker-ui/sagemaker-mcp/mcp.json

@@ -0,0 +1,8 @@
+{
+  "mcpServers": {
+    "smus-local-mcp": {
+      "command": "python",  
+      "args": ["/etc/sagemaker-ui/sagemaker-mcp/smus-mcp.py"]
+    }
+  }
+}

template/v3/dirs/etc/sagemaker-ui/sagemaker-mcp/smus-mcp.py

@@ -0,0 +1,123 @@
+"""
+SageMaker Unified Studio Project Context MCP Server in stdio transport.
+
+"""
+
+import json
+import logging
+import os
+import re
+from typing import Any, Dict
+
+from mcp.server.fastmcp import FastMCP
+
+# Configure logging
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger(__name__)
+
+
+class ProjectContext:
+    """
+    A class that encapsulates AWS session, project object, and region.
+    This class simplifies the common pattern of setting up an AWS session,
+    extracting credentials, and getting a project.
+    """
+
+    def __init__(self):
+        try:
+            datazone_domain_id = os.getenv("AmazonDataZoneDomain")
+            datazone_project_id = os.getenv("AmazonDataZoneProject")
+            aws_region = os.getenv("AWS_REGION")
+            if datazone_domain_id and datazone_project_id and aws_region:
+                self.domain_id = datazone_domain_id
+                self.project_id = datazone_project_id
+                self.region = aws_region
+            else:
+                with open("/opt/ml/metadata/resource-metadata.json", "r") as metadata_file:
+                    metadata = json.load(metadata_file)
+                    self.domain_id = metadata["AdditionalMetadata"]["DataZoneDomainId"]
+                    self.project_id = metadata["AdditionalMetadata"]["DataZoneProjectId"]
+                    self.region = metadata["AdditionalMetadata"]["DataZoneDomainRegion"]
+        except Exception as e:
+            raise RuntimeError(f"Failed to initialize project: {e}")
+
+        if not re.match("^dzd[-_][a-zA-Z0-9_-]{1,36}$", self.domain_id):
+            raise RuntimeError(f"Invalid domain id")
+        if not re.match("^[a-zA-Z0-9_-]{1,36}$", self.project_id):
+            raise RuntimeError(f"Invalid project id")
+        if not re.match("^[a-z]{2}-[a-z]{4,10}-\\d$", self.region):
+            raise RuntimeError(f"Invalid region")
+
+
+def safe_get_attr(obj: Any, attr: str, default: Any = None) -> Any:
+    """Safely get an attribute from an object."""
+    if obj is None:
+        return default
+
+    try:
+        if hasattr(obj, attr):
+            value = getattr(obj, attr)
+            # Handle case where attribute access might throw RuntimeError
+            if callable(value):
+                try:
+                    return value()
+                except (RuntimeError, Exception) as e:
+                    logger.error(f"Error calling attribute {attr}: {e}")
+                    return default
+            return value
+        return default
+    except Exception as e:
+        logger.error(f"Error getting attribute {attr}: {e}")
+        return default
+
+
+def create_smus_context_identifiers_response(domain_id: str, project_id: str, region: str) -> str:
+
+    return f"""Selectively use the below parameters only when the parameter is required.
+<parameter>
+domain identifier: "{domain_id}"
+project identifier: "{project_id}"
+region: "{region}"
+aws profiles: "DomainExecutionRoleCreds, default"
+</parameter>
+Again, include only required parameters. Any extra parameters may cause the API to fail. Stick strictly to the schema."""
+
+
+async def aws_context_provider() -> Dict[str, Any]:
+    """
+    AWS Context Provider - MUST BE CALLED BEFORE ANY use_aws OPERATIONS
+
+    This tool provides essential AWS context parameters that are required by subsequent AWS operations.
+    It returns configuration details including domain identifiers, project information, and region
+    settings that would otherwise need to be manually specified with each use_aws call.
+
+    The returned parameters include:
+    - domain identifier: Unique identifier for the AWS DataZone domain
+    - project identifier: Identifier for the specific project being worked on
+    - profile name: Name of the AWS profile to use for credentials
+    - region: AWS region where operations should be performed
+    - aws profiles: use the aws profile named DomainExecutionRoleCreds for calling datazone APIs; otherwise use default AWS profile
+
+    Returns:
+        dict: Parameter context to be used with subsequent use_aws operations
+    """
+    identifiers_response = ""
+    try:
+        ctx = ProjectContext()
+        domain_id = safe_get_attr(ctx, "domain_id", "")
+        project_id = safe_get_attr(ctx, "project_id", "")
+        region = safe_get_attr(ctx, "region", "")
+        identifiers_response = create_smus_context_identifiers_response(domain_id, project_id, region)
+        return {"response": identifiers_response}
+    except Exception as e:
+        logger.error(f"Error providing SMUS context identifiers: {e}")
+        return {"response": identifiers_response, "error": "Error providing SMUS context identifiers"}
+
+
+if __name__ == "__main__":
+    mcp: FastMCP = FastMCP("SageMakerUnififedStudio Project Context MCP Server")
+
+    # Register the tools from tools.py
+    mcp.tool()(aws_context_provider)  # use the doc string of the function as description, do not overwrite here.
+
+    mcp.run(transport="stdio")