AWS bedrock-agentcore medium security documentation change
Summary
Updated Google OAuth configuration instructions with explicit secret handling and added token validation note
Security assessment
Explicitly warns developers to skip signature validation only when tokens are pre-validated by AgentCore Runtime, preventing potential insecure custom implementations. Also adds proper secret placeholder replacement warnings.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-oauth.md b/bedrock-agentcore/latest/devguide/runtime-oauth.md index 0506f1caa..bb312adc7 100644 --- a//bedrock-agentcore/latest/devguide/runtime-oauth.md +++ b//bedrock-agentcore/latest/devguide/runtime-oauth.md @@ -442 +442 @@ To set up a Google Credential Provider, you need to: - 2. Create an OAuth credential provider using the AWS CLI: + 2. Create an OAuth credential provider using the AWS CLI. Replace `your-client-id` and `your-client-secret` with your actual Google OAuth2 client ID and client secret: @@ -444,2 +444 @@ To set up a Google Credential Provider, you need to: - aws agent-credential-provider create-oauth2-credential-provider \ - --provider-type "google" \ + aws bedrock-agentcore-control create-oauth2-credential-provider \ @@ -447,4 +446,6 @@ To set up a Google Credential Provider, you need to: - --scopes '["https://www.googleapis.com/auth/drive.metadata.readonly"]' \ - --google-config '{\ - "clientId": "your-client-id",\ - "clientSecret": "your-client-secret"\ + --credential-provider-vendor "GoogleOauth2" \ + --oauth2-provider-config-input '{ + "googleOauth2ProviderConfig": { + "clientId": "your-client-id", + "clientSecret": "your-client-secret" + } @@ -521 +522 @@ Add PyJWT dependency to your requirements.txt file. -Change your main agent code as shown in the following code. You can decode without validation since your token was already validated by AgentCore Runtime when authorization was done. +Change your main agent code as shown in the following code. You can skip validating the token signature here since it has already been validated by AgentCore Runtime when the inbound authorization was done. @@ -536,0 +538 @@ Change your main agent code as shown in the following code. You can decode witho + # Skip signature validation as agent runtime has validated the token already. @@ -622 +624 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Stream agent responses +Pass custom headers