blue-bridge
Blue Bridge is a Model Context Protocol (MCP) server designed to manage and query Azure resources with secure, passwordless authentication. It supports services like Azure Managed Grafana and Azure Data Explorer, simplifying cloud operations without requiring sensitive credentials.
Blue Bridge
Sample prompts and recipes for using a Model Context Protocol (MCP) server to query and manage Azure resources with zero‑secret authentication.
Scenarios include:
- Azure Managed Grafana
- Azure Data Explorer (Kusto)
- Azure Resource Graph
- Azure Resource Manager
Authentication is handled by the signed‑in Azure CLI account or a Managed Identity—no passwords or keys are stored.
✨ Demo
- Given 'manual-for-ai.md', show me 5 VMs that I can turn off to save money.
- Given 'manual-for-ai.md', help me find 2 VMs that I can turn off to save money. Please also turn them off. Please ask for permission for each VM before you do this.
- Given 'manual-for-ai.md', get me the CPU quota for subscription '3a7edf7d-1488-4017-a908-e50d0a1642a6'
🚀 Quick start
0 · Clone the repository
Clone the repository to get the necessary files, including recipes and usage examples found in manual-for-ai.md.
git clone https://github.com/Azure/blue-bridge.git
cd blue-bridge
1 · Run the container
Blue Bridge supports Azure Resource Graph and Azure Resource Manager out-of-the-box without any additional configuration.
To connect to Azure Managed Grafana or Azure Data Explorer (Kusto), set the corresponding environment variables when running the container.
Set the optional environment variables you need and start the image:
docker run --name bluebridge -p 6688:6688 \
  -e AzureManagedGrafanaEndpoint=https://<my-grafana>.wcus.grafana.azure.com \
  -e KustoUri=https://<my-kusto>.westus2.kusto.windows.net \
  bluebridge.azurecr.io/bluebridge:latest
If you only need Kusto:
docker run --name bluebridge -p 6688:6688 \
  -e KustoUri=https://<my-kusto>.westus2.kusto.windows.net \
  bluebridge.azurecr.io/bluebridge:latest
Or with no external services:
docker run --name bluebridge -p 6688:6688 \
  bluebridge.azurecr.io/bluebridge:latest
2 · Authenticate once
On first start the container prints a device‑code prompt such as:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin
and enter the code ABCD‑EFGH to authenticate.
Open the link, enter the code, and grant consent.
After that the server is ready at http://localhost:6688.
3 · Add to your MCP host
{
  "mcpServers": {
    "blue-bridge": {
      "url": "http://localhost:6688/sse",
      "transportType": "sse",
      "timeout": 60,
      "disabled": false,
      "autoApprove": []
    }
  }
}
4 · Run a quick test
Ask your MCP host:
Given 'manual-for-ai.md', show me 5 VMs that I can turn off to save money.
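The host entry in step 3 points at a loopback URL and leaves autoApprove empty. The following added example (not part of the Blue Bridge repository) audits an MCP host configuration for entries that drift from that: plain-HTTP URLs to non-loopback hosts, and tools that are pre-approved. It assumes autoApprove lists tool names the host runs without prompting; the second server entry, its address and the tool name stop_vm are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the entry from step 3 plus a hypothetical risky variant
# (the 192.0.2.10 address and the tool name "stop_vm" are made up).
SAMPLE_CONFIG = """{"mcpServers": {
  "blue-bridge": {"url": "http://localhost:6688/sse", "transportType": "sse",
                  "timeout": 60, "disabled": false, "autoApprove": []},
  "blue-bridge-remote": {"url": "http://192.0.2.10:6688/sse", "transportType": "sse",
                         "disabled": false, "autoApprove": ["stop_vm"]}
}}"""


def is_loopback(host):
    """True for 'localhost' and for loopback IP literals (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name (or an empty host) counts as remote


def audit_mcp_servers(config_text):
    """Return {server name: [findings]} for every enabled server entry."""
    report = {}
    for name, entry in json.loads(config_text).get("mcpServers", {}).items():
        if entry.get("disabled"):
            continue
        findings = []
        url = urlsplit(entry.get("url", ""))
        host = url.hostname or ""
        # Plain HTTP is only acceptable when traffic never leaves the machine.
        if url.scheme != "https" and not is_loopback(host):
            findings.append(f"cleartext-remote: {host}")
        # Assumption: autoApprove lists tools the host calls without prompting.
        for tool in entry.get("autoApprove", []):
            findings.append(f"auto-approve: {tool}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for server, findings in audit_mcp_servers(SAMPLE_CONFIG).items():
        print(server, findings or "ok")
```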
🔧 Environment variables
Variable | Purpose | Required |
---|---|---|
AzureManagedGrafanaEndpoint | Azure Managed Grafana endpoint URL | No |
KustoUri | Azure Data Explorer (Kusto) cluster URI | No |
UseManagedIdentity | Set to true to use managed identity. | No |
ManagedIdentityClientId | Client ID of the managed identity to use. | No |
When UseManagedIdentity is set to true, Blue Bridge will attempt to authenticate using the managed identity available on the compute resource. This works automatically if there is only one managed identity (either system-assigned or user-assigned).
If the compute resource has multiple managed identities, you must specify which one to use by setting the ManagedIdentityClientId environment variable to the client ID of the desired managed identity. Note that setting ManagedIdentityClientId implies the use of managed identity, so setting UseManagedIdentity to true is not necessary in this case.
📚 Links
- Docs & samples: https://aka.ms/blue-bridge