Generate images using Amazon Nova Canvas with text prompts and color guidance.
2.3K

Description: Generate images using Amazon Nova Canvas with text prompts and color guidance.
Packaged by Acuvity and published to our curated MCP server registry from awslabs.nova-canvas-mcp-server original sources.
Quick links:
At Acuvity, security is central to our mission—especially for critical systems like MCP servers and integration in agentic systems. To address this need, we've created a secure and robust Docker image designed to ensure awslabs.nova-canvas-mcp-server run reliably and safely.
Minibridge Integration: Minibridge establishes secure Agent-to-MCP connectivity, supports Rego/HTTP-based policy enforcement 🕵️, and simplifies orchestration.
The ARC container includes a built-in Rego policy that enables a set of runtime "guardrails"" to help enforce security, privacy, and correct usage of your services. Below is an overview of each guardrail provided.
Mitigates MCP Rug Pull Attacks
Monitors incoming requests for hidden or obfuscated directives that could alter policy behavior.
Block user-defined sensitive data patterns (credential paths, filesystem references).
.env files, RSA key paths, directory traversal sequences.Detects and blocks "shadowing" attacks, where a malicious MCP server sneaks hidden directives into its own tool descriptions to hijack or override the behavior of other, trusted tools.
send_email tool).<IMPORTANT> sections referencing other tool names, hidden side‐effects, or directives that apply to a different server’s API. Any description that attempts to shadow or extend instructions for a tool outside its own namespace triggers a policy violation and is rejected.Enforces strict adherence to MCP input schemas.
Controls whether tools may invoke tools or services from external origins.
Automatically masks sensitive values so they never appear in logs or responses.
[REDACTED] before the response is sent or recorded.Provides a lightweight auth layer using a single shared token.
Authorization header with the predefined secret.These controls ensure robust runtime integrity, prevent unauthorized behavior, and provide a foundation for secure-by-design system operations.
To review the full policy, see it here. Alternatively, you can override the default policy or supply your own policy file to use (see here for Docker, here for Helm charts).
Note
By default, all guardrails are turned off. You can enable or disable each one individually, ensuring that only the protections your environment needs are active.
Maintained by:
Where to get help:
Where to file issues:
Supported architectures:
amd64arm64Base image:
ghcr.io/astral-sh/uv:python3.12-alpineResources:
Latest tags:
latest -> 1.0.0-0.2.8 -> 0.2.8Tip
Given mcp-server-aws-canvas scope of operation it can be hosted anywhere.
Below are the steps for configuring most clients that use MCP to elevate their Copilot experience.
Note
These integrations function natively across all Minibridge modes. To keep things brief, only the docker local-run setup is covered here.
To get started immediately, you can use the "one-click" link below:
Press ctrl + shift + p and type Preferences: Open User Settings JSON to add the following section:
{
"mcp": {
"servers": {
"acuvity-mcp-server-aws-canvas": {
"env": {
"AWS_PROFILE": "TO_BE_SET",
"AWS_REGION": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"AWS_PROFILE",
"-e",
"AWS_REGION",
"docker.io/acuvity/mcp-server-aws-canvas:0.2.8"
]
}
}
}
}
In your workspace create a file called .vscode/mcp.json and add the following section:
{
"servers": {
"acuvity-mcp-server-aws-canvas": {
"env": {
"AWS_PROFILE": "TO_BE_SET",
"AWS_REGION": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"AWS_PROFILE",
"-e",
"AWS_REGION",
"docker.io/acuvity/mcp-server-aws-canvas:0.2.8"
]
}
}
}
To pass secrets you should use the
promptStringinput type described in the Visual Studio Code documentation.
In ~/.codeium/windsurf/mcp_config.json add the following section:
{
"mcpServers": {
"acuvity-mcp-server-aws-canvas": {
"env": {
"AWS_PROFILE": "TO_BE_SET",
"AWS_REGION": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"AWS_PROFILE",
"-e",
"AWS_REGION",
"docker.io/acuvity/mcp-server-aws-canvas:0.2.8"
]
}
}
}
See Windsurf documentation for more info.
Add the following JSON block to your mcp configuration file:
~/.cursor/mcp.json for global scope.cursor/mcp.json for project scope{
"mcpServers": {
"acuvity-mcp-server-aws-canvas": {
"env": {
"AWS_PROFILE": "TO_BE_SET",
"AWS_REGION": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"AWS_PROFILE",
"-e",
"AWS_REGION",
"docker.io/acuvity/mcp-server-aws-canvas:0.2.8"
]
}
}
}
See cursor documentation for more information.
In the claude_desktop_config.json configuration file add the following section:
{
"mcpServers": {
"acuvity-mcp-server-aws-canvas": {
"env": {
"AWS_PROFILE": "TO_BE_SET",
"AWS_REGION": "TO_BE_SET"
},
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--read-only",
"-e",
"AWS_PROFILE",
"-e",
"AWS_REGION",
"docker.io/acuvity/mcp-server-aws-canvas:0.2.8"
]
}
}
}
See Anthropic documentation for more information.
async with MCPServerStdio(
params={
"env": {"AWS_PROFILE":"TO_BE_SET","AWS_REGION":"TO_BE_SET"},
"command": "docker",
"args": ["run","-i","--rm","--read-only","-e","AWS_PROFILE","-e","AWS_REGION","docker.io/acuvity/mcp-server-aws-canvas:0.2.8"]
}
) as server:
tools = await server.list_tools()
async with MCPServerSse(
params={
"url": "http://<ip>:<port>/sse",
}
) as server:
tools = await server.list_tools()
See OpenAI Agents SDK docs for more info.
Environment variables and secrets:
AWS_PROFILE required to be setAWS_REGION required to be setIn your client configuration set:
dockerrun -i --rm --read-only -e AWS_PROFILE -e AWS_REGION docker.io/acuvity/mcp-server-aws-canvas:0.2.8Simply run as:
docker run -it -p 8000:8000 --rm --read-only -e AWS_PROFILE -e AWS_REGION docker.io/acuvity/mcp-server-aws-canvas:0.2.8
Then on your application/client, you can configure to use it like:
{
"mcpServers": {
"acuvity-mcp-server-aws-canvas": {
"url": "http://localhost:8000/sse"
}
}
}
You might have to use different ports for different tools.
This section assume you are familiar with TLS and certificates and will require:
- a server certificate with proper DNS/IP field matching your tool deployment.
- a client-ca used to sign client certificates
backend mode-e MINIBRIDGE_MODE=backend/certs ex (-v $PWD/certs:/certs)-e MINIBRIDGE_TLS_SERVER_CERT=/certs/server-cert.pem-e MINIBRIDGE_TLS_SERVER_KEY=/certs/server-key.pem-e MINIBRIDGE_TLS_SERVER_KEY_PASS=optional-e MINIBRIDGE_TLS_SERVER_CLIENT_CA=/certs/client-ca.pemminibridge locally in frontend mode:In your client configuration, Minibridge works like any other STDIO command.
Example for Claude Desktop:
{
"mcpServers": {
"acuvity-mcp-server-aws-canvas": {
"command": "minibridge",
"args": ["frontend", "--backend", "wss://<remote-url>:8000/ws", "--tls-client-backend-ca", "/path/to/ca/that/signed/the/server-cert.pem/ca.pem", "--tls-client-cert", "/path/to/client-cert.pem", "--tls-client-key", "/path/to/client-key.pem"]
}
}
}
That's it.
Minibridge offers a host of additional features. For step-by-step guidance, please visit the wiki. And if anything’s unclear, don’t hesitate to reach out!
Guardrails:
To activate guardrails in your Docker containers, define the GUARDRAILS environment variable with the protections you need. Available options:
For example adding:
-e GUARDRAILS="secrets-redaction covert-instruction-detection"
to your docker arguments will enable the secrets-redaction and covert-instruction-detection guardrails.Basic Authentication:
To turn on Basic Authentication, add BASIC_AUTH_SECRET like:
-e BASIC_AUTH_SECRET="supersecret"
to your docker arguments. This will enable the Basic Authentication check.Then you can connect through http/sse as usual given that you pass an Authorization: Bearer supersecret header with your secret as Bearer token.
Caution
While basic auth will protect against unauthorized access, you should use it only in controlled environment, rotate credentials frequently and **always** use TLS.
This chart requires some mandatory information to be installed.
Mandatory Environment variables:
AWS_PROFILE environment variable to be set by env.AWS_PROFILEAWS_REGION environment variable to be set by env.AWS_REGIONYou can inspect the chart README:
helm show readme oci://docker.io/acuvity/mcp-server-aws-canvas --version 1.0.0
You can inspect the values that you can configure:
helm show values oci://docker.io/acuvity/mcp-server-aws-canvas --version 1.0.0
Install with helm
helm install mcp-server-aws-canvas oci://docker.io/acuvity/mcp-server-aws-canvas --version 1.0.0
From there your MCP server mcp-server-aws-canvas will be reachable by default through http/sse from inside the cluster using the Kubernetes Service mcp-server-aws-canvas on port 8000 by default. You can change that by looking at the service section of the values.yaml file.
The deployment will create a Kubernetes service with a healthPort, that is used for liveness probes and readiness probes. This health port can also be used by the monitoring stack of your choice and exposes metrics under the /metrics path.
See full charts Readme for more details about settings and runtime security including guardrails activation.
💬 Questions? Open an issue or contact us [email protected] . 📦 Contributions welcome!
Content type
Image
Digest
sha256:9df0143f8…
Size
261 Bytes
Last updated
about 1 year ago
docker pull acuvity/mcp-server-aws-canvas:sha256-cebb159c78276c38f91841cc54ba8195019d7cd5b0974b8f12719c452075c361.sig