Remote OpenClaw Blog
Best MCP Servers for DevOps Teams in 2026: Top Picks
The AWS MCP Servers suite from AWS Labs is the best MCP pick for DevOps teams in 2026: it lets an AI agent issue validated AWS API and CLI calls and query AWS documentation, covering the cloud most DevOps work runs on. This list ranks the 10 MCP servers that earn a slot in a DevOps setup, spanning cloud providers, infrastructure-as-code, Kubernetes, containers, and observability, each with a verified install command. For a role-agnostic ranking, see the broader best MCP servers in 2026 list and our best MCP servers for Claude Code guide; this post curates what belongs in a DevOps stack.
How We Ranked These for DevOps
This ranking optimizes for one job: making an AI agent useful across provisioning, deployment, and incident response. We scored each server on fit for DevOps workflows (cloud resource management, infrastructure-as-code, orchestration, CI/CD, monitoring), GitHub stars and maintenance checked against each repository in early July 2026, and install friction. Servers that shine for application coding but add little to an operations workflow live in the complete ranked MCP list instead.
All install commands follow the syntax in the official Claude Code MCP documentation, and the same servers work in any MCP client. For the wider cloud picture, see our best MCP servers for cloud infrastructure guide.
The 10 Best MCP Servers for DevOps Teams
These ten cover cloud providers, infrastructure-as-code, orchestration, containers, CI/CD, and observability: the full path from provision to deploy to monitor.
1. AWS MCP Servers: validated cloud operations (best overall)
The AWS MCP Servers suite from AWS Labs (~9,400 stars) is a family of first-party servers that let an agent issue validated AWS API and CLI calls and query AWS documentation. It is #1 because AWS is where most DevOps work lives and the suite covers everything from resource inspection to cost and infrastructure guidance under one project.
claude mcp add --env AWS_REGION=us-east-1 --env AWS_PROFILE=default aws-api -- uvx awslabs.aws-api-mcp-server@latest
Setup note: the local API server uses your standard AWS credential chain, so start with a read-only IAM role. AWS Labs also offers a managed remote proxy if you prefer not to run a local process.
2. Terraform MCP: infrastructure-as-code authoring
The official Terraform MCP from HashiCorp (~1,500 stars) exposes the Terraform Registry, meaning providers, modules, and documentation, to the agent while it writes infrastructure-as-code. It grounds generated HCL in real module inputs instead of guessing at arguments.
claude mcp add terraform -- docker run -i --rm hashicorp/terraform-mcp-server
Setup note: public Registry lookups need no auth. Set TFE_TOKEN only when you point it at Terraform Cloud or Enterprise for private modules.
3. Kubernetes MCP: talk to the cluster API directly
Kubernetes MCP from the containers project (~1,700 stars) is a Go-native server that speaks to the Kubernetes and OpenShift API directly, with no kubectl or helm dependency. The agent can inspect pods, read logs, and manage resources using your existing kubeconfig.
claude mcp add kubernetes -- npx -y kubernetes-mcp-server@latest
Setup note: it uses your standard kubeconfig or in-cluster config. Point it at a read-only context first, and scope RBAC tightly before granting any write verbs.
4. Cloudflare MCP: edge, DNS, and Workers
The official Cloudflare MCP (~3,900 stars) is a family of hosted servers for observability, Workers, DNS, and security. Each domain has its own remote endpoint, so you connect only the surface you operate rather than one monolith.
claude mcp add --transport http cloudflare-observability https://observability.mcp.cloudflare.com/mcp
Setup note: the endpoints use Cloudflare OAuth. Swap the URL host for the service you need, such as the Workers or DNS endpoint listed in Cloudflare's docs.
5. Azure MCP Server: query and operate Azure
The official Azure MCP Server from Microsoft (~3,400 stars) bundles Azure tools into a single server so the agent can query and operate Azure services and resources. It is the natural pick for teams whose primary cloud is Azure rather than AWS.
claude mcp add azure -- npx -y @azure/mcp@latest server start
Setup note: run az login first; the server uses the DefaultAzureCredential chain, so it inherits whatever identity your CLI is signed into.
6. Grafana MCP: dashboards, alerts, and logs
The official Grafana MCP (~3,200 stars) lets an agent query and manage dashboards, datasources, alerts, and logs. During an incident it turns "which alert fired and what does the panel show" into a single prompt instead of a tab-switching hunt.
claude mcp add --env GRAFANA_URL=http://localhost:3000 --env GRAFANA_SERVICE_ACCOUNT_TOKEN=glsa_xxx grafana -- docker run --rm -i -e GRAFANA_URL -e GRAFANA_SERVICE_ACCOUNT_TOKEN grafana/mcp-grafana -t stdio
Setup note: create a Grafana service account token scoped to read access. See our monitoring and observability MCP guide.
7. GitHub MCP Server: CI/CD and pull requests
The official GitHub MCP Server (~31,200 stars, the most-starred on this list) lets an agent inspect Actions runs, analyze build failures, and manage releases and pull requests. For DevOps it is the CI/CD control surface: "why did the last deploy workflow fail" becomes a one-line prompt.
claude mcp add --transport http github https://api.githubcopilot.com/mcp/
Setup note: the remote endpoint handles OAuth on first use, so the basic flow needs no personal access token.
8. Docker MCP: containers, images, and volumes
mcp-server-docker by ckreiling (~724 stars) gives natural-language control of Docker containers, images, networks, and volumes on a host. It is handy for local debugging and for lightweight container ops where full orchestration is overkill.
claude mcp add docker -- uvx mcp-server-docker
Setup note: it needs access to the Docker socket at /var/run/docker.sock. Set DOCKER_HOST to operate a remote or SSH-reachable host. See our guide to running MCP servers with Docker.
9. Prometheus MCP: query metrics with PromQL
prometheus-mcp-server by pab1it0 (~490 stars) runs PromQL queries and discovers metrics and targets, so the agent can analyze monitoring data directly. Paired with Grafana MCP it covers both the raw metrics and the dashboards built on them.
claude mcp add --env PROMETHEUS_URL=http://localhost:9090 prometheus -- docker run -i --rm -e PROMETHEUS_URL ghcr.io/pab1it0/prometheus-mcp-server:latest
Setup note: PROMETHEUS_URL is required. Add PROMETHEUS_TOKEN or basic-auth variables if your Prometheus is behind authentication.
10. Argo CD MCP: GitOps application state
mcp-for-argocd from Argo Project Labs (~520 stars) lets an agent inspect and manage Argo CD applications and sync status. For GitOps teams it turns "which apps are out of sync" into a prompt instead of a dashboard scan.
claude mcp add --env ARGOCD_BASE_URL=https://argocd.example.com --env ARGOCD_API_TOKEN=xxx argocd -- npx argocd-mcp@latest stdio
Setup note: generate an Argo CD API token with read scope first. Keep write access gated behind human approval for sync operations.
Comparison Table
The table compares all ten picks on the three things that matter at install time: job, transport, and whether you need a credential.
| Rank | Server | Best for | Transport | Auth needed | Recommended scope |
|---|---|---|---|---|---|
| 1 | AWS MCP Servers | AWS operations | stdio (uvx) | AWS credentials | local |
| 2 | Terraform MCP | Infrastructure-as-code | stdio (docker) | None (public) | project |
| 3 | Kubernetes MCP | Cluster management | stdio (npx) | kubeconfig | local |
| 4 | Cloudflare MCP | Edge, DNS, Workers | HTTP (remote) | OAuth | user |
| 5 | Azure MCP Server | Azure operations | stdio (npx) | az login | local |
| 6 | Grafana MCP | Dashboards, alerts | stdio (docker) | Service token | user |
| 7 | GitHub MCP | CI/CD, PRs | HTTP (remote) | OAuth | user |
| 8 | Docker MCP | Container ops | stdio (uvx) | Docker socket | local |
| 9 | Prometheus MCP | PromQL metrics | stdio (docker) | URL (+ token) | user |
| 10 | Argo CD MCP | GitOps state | stdio (npx) | API token | local |
Read Access, Blast Radius, and Approvals
The most important rule for DevOps MCP is to start read-only and expand deliberately. Point the AWS, Kubernetes, and Azure servers at an identity with read scope first, so the agent can investigate an incident without the ability to delete a resource or scale a deployment. The blast radius of a wrong write in production infrastructure is far larger than a bad database query.
Credentials belong at local scope. An AWS profile, a kubeconfig, or an Argo CD token should never land in a committed .mcp.json; use ${VAR} expansion when a team shares a server config. Keep write and sync operations behind human approval, and treat the agent as a fast investigator plus a proposer of changes rather than an unattended operator. Our DevOps and CI/CD automation guide covers safe delegation patterns.
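One way to check the rule above before a shared `.mcp.json` is committed, as an added example that is not from the original post or any of the listed projects: a Python audit that flags credential-looking `env`, `headers` and `args` entries whose value is anything other than a single `${VAR}` reference, including `${VAR:-default}` forms that commit a literal fallback. The key-name heuristic, the function name `audit_mcp_config` and the sample config are assumptions constructed for illustration.

```python
import json
import re

# Heuristic for credential-bearing key names (an assumption of this example).
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|AUTHORIZATION", re.I)
# A value that is exactly one ${VAR} reference: no literal text, no default.
PURE_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
# ${VAR:-fallback}: the fallback is a literal that is committed with the file.
HAS_DEFAULT = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*:-[^}]+\}")

def audit_mcp_config(text):
    """Return (server, field, reason) findings for a .mcp.json document."""
    findings = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        # env (stdio servers) and headers (HTTP servers) carry credentials.
        for section in ("env", "headers"):
            for key, value in (spec.get(section) or {}).items():
                if not SECRET_NAME.search(key):
                    continue
                # Allow an auth scheme prefix such as "Bearer ${VAR}".
                bare = re.sub(r"^(Bearer|Basic)\s+", "", str(value))
                if HAS_DEFAULT.search(bare):
                    findings.append((name, f"{section}.{key}", "literal default"))
                elif not PURE_REF.match(bare):
                    findings.append((name, f"{section}.{key}", "inline secret"))
        # NAME=value pairs inside args, e.g. after `docker run -e`.
        for arg in spec.get("args", []):
            m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.+)$", str(arg))
            if m and SECRET_NAME.search(m.group(1)) and not PURE_REF.match(m.group(2)):
                findings.append((name, f"args:{m.group(1)}", "inline secret"))
    return findings

# Constructed sample: argocd commits a token, grafana uses ${VAR} expansion.
SAMPLE = json.dumps({"mcpServers": {
    "argocd": {"command": "npx", "args": ["argocd-mcp@latest", "stdio"],
               "env": {"ARGOCD_BASE_URL": "https://argocd.example.com",
                       "ARGOCD_API_TOKEN": "constructed-not-a-real-token"}},
    "grafana": {"command": "docker",
                "args": ["run", "--rm", "-i", "-e", "GRAFANA_URL",
                         "-e", "GRAFANA_SERVICE_ACCOUNT_TOKEN",
                         "grafana/mcp-grafana", "-t", "stdio"],
                "env": {"GRAFANA_URL": "${GRAFANA_URL:-http://localhost:3000}",
                        "GRAFANA_SERVICE_ACCOUNT_TOKEN":
                            "${GRAFANA_SERVICE_ACCOUNT_TOKEN}"}},
}})

if __name__ == "__main__":
    for server, field, reason in audit_mcp_config(SAMPLE):
        print(f"{server}: {field}: {reason}")
```

Calling `audit_mcp_config` on the text of a repository's `.mcp.json` from a pre-commit hook or CI job, and failing on any finding, keeps the check in the commit path.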
Limitations and Tradeoffs
These servers are not free wins. Every connected server adds tool definitions to your context window, so enabling all ten at once wastes tokens before you type a prompt; most DevOps engineers should run two or three per task, matched to the system they are working on. The AWS and Cloudflare entries are multi-server suites, so connect only the sub-servers you actually operate rather than the whole family. Stdio servers execute code on your machine and often hold powerful cloud credentials, so vet what you install and prefer official or heavily starred servers. And when a CLI you already trust does the job under human control, an agent-driven write to production infrastructure may not be worth the risk.
Related Guides
- Best MCP Servers for Cloud Infrastructure
- Best MCP Servers for Monitoring and Observability
- How to Run MCP Servers with Docker
- Best MCP Servers in 2026: The Complete Ranked List
Frequently Asked Questions
What is the best MCP server for DevOps teams?
The AWS MCP Servers suite from AWS Labs is the best MCP pick for DevOps teams in 2026. It is a first-party family of servers that lets an AI agent issue validated AWS API and CLI calls and query AWS documentation, has around 9,400 GitHub stars as of July 2026, and covers resource inspection, cost, and infrastructure guidance for the
Is there an MCP server for Kubernetes?
Yes. The Kubernetes MCP server from the containers project is a Go-native server that talks directly to the Kubernetes and OpenShift API with no kubectl or helm dependency. It uses your existing kubeconfig, so the agent can inspect pods, read logs, and manage resources. Start with a read-only context and tighten RBAC before granting write verbs.
Can an AI agent write Terraform code?
Yes, and it writes better Terraform with the HashiCorp Terraform MCP server connected. That server exposes the Terraform Registry, meaning providers, modules, and documentation, so generated HCL is grounded in real module inputs instead of guessed arguments. Public Registry lookups need no auth; set TFE_TOKEN only for private Terraform Cloud or Enterprise modules.
How do I safely give an AI agent access to production infrastructure?
Start read-only and expand deliberately. Point cloud and cluster servers at an identity scoped to read access so the agent can investigate incidents without deleting resources. Keep credentials at local scope so they never reach a committed .mcp.json, gate write and sync operations behind human approval, and treat the agent as an investigator and proposer rather than an unattended operator.
Which MCP servers help with incident response?
Grafana MCP, Prometheus MCP, and GitHub MCP together cover most incident triage. Prometheus MCP runs PromQL queries against raw metrics, Grafana MCP reads the dashboards and alerts built on them, and GitHub MCP surfaces the failing CI/CD workflow or recent deploy. Connecting the three turns "what broke and when" into a small set of prompts.





