AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2025-10-16 · Documentation low

File: bedrock-agentcore/latest/devguide/gateway-schema-openapi.md

Summary

Restructured OpenAPI target documentation with simplified permissions section, removed detailed implementation examples, and focused on schema specifications/considerations

Security assessment

Changes primarily restructure content and remove specific implementation details (like IAM policy examples and SDK code samples) rather than address security vulnerabilities. While authentication methods are mentioned, this appears to be standard documentation maintenance without evidence of addressing a specific security issue.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-schema-openapi.md b/bedrock-agentcore/latest/devguide/gateway-schema-openapi.md
index ab00f58a3..c34731c28 100644
--- a//bedrock-agentcore/latest/devguide/gateway-schema-openapi.md
+++ b//bedrock-agentcore/latest/devguide/gateway-schema-openapi.md
@@ -5 +5 @@
-Understanding OpenAPI TargetsRequired PermissionsKey considerations and limitationsOpenAPI Specification and Feature SupportCreating an OpenAPI targetUpdating an OpenAPI targetInline OpenAPI specifications
+Key considerations and limitationsOpenAPI schema specification
@@ -7,3 +7 @@ Understanding OpenAPI TargetsRequired PermissionsKey considerations and limitati
-Amazon Bedrock AgentCore is in preview release and is subject to change. 
-
-# Add OpenAPI targets to your gateway
+# OpenAPI schema targets
@@ -13,20 +11 @@ OpenAPI (formerly known as Swagger) is a widely used standard for describing RES
-## Understanding OpenAPI Targets
-
-OpenAPI targets connect your Gateway to REST APIs defined using OpenAPI specifications. The Gateway translates incoming MCP requests into HTTP requests to these APIs and handles the response formatting.
-
-Key components of OpenAPI targets include:
-
-  * **OpenAPI Schema** : The OpenAPI specification that describes the REST API
-
-  * **Credential Provider** : Configuration for how the Gateway authenticates with the API
-
-  * **Outbound Auth** : Configuration for authentication with external services
-
-
-
-
-## Required Permissions
-
-For OpenAPI targets that use API Key or OAuth authentication, your Gateway's execution role needs permissions to access the credential provider:
-
-For OAuth authentication:
+OpenAPI targets connect your gateway to REST APIs defined using OpenAPI specifications. The Gateway translates incoming MCP requests into HTTP requests to these APIs and handles the response formatting.
@@ -33,0 +13 @@ For OAuth authentication:
+Review the key considerations and limitations, including feature support, to help you decide whether an OpenAPI target is applicable to your use case. If it is, you can create a schema that follows the specifications and then set up permissions for the gateway to be able to access the target. Select a topic to learn more:
@@ -35,10 +15 @@ For OAuth authentication:
-    {
-      "Sid": "GetResourceOauth2Token",
-      "Effect": "Allow",
-      "Action": [
-        "bedrock-agentcore:GetResourceOauth2Token"
-      ],
-      "Resource": [
-        "arn:aws:agent-credential-provider:us-east-1:123456789012:token-vault/default/oauth2credentialprovider/abcdefghijk"
-      ]
-    }
+###### Topics
@@ -45,0 +17 @@ For OAuth authentication:
+  * Key considerations and limitations
@@ -47 +19 @@ For OAuth authentication:
-If the credentials are stored in AWS Secrets Manager, the execution role also needs permission to access those secrets:
+  * OpenAPI schema specification
@@ -50,10 +21,0 @@ If the credentials are stored in AWS Secrets Manager, the execution role also ne
-    {
-      "Sid": "GetSecretValue",
-      "Effect": "Allow",
-      "Action": [
-        "secretsmanager:GetSecretValue"
-      ],
-      "Resource": [
-        "arn:aws:secretsmanager:us-east-1:123456789012:secret:your-secret-name"
-      ]
-    }
@@ -95,4 +57 @@ For best results with OpenAPI targets:
-  * Stick to supported media types for maximum compatibility
-
-
-
+  * Only use supported media types for maximum compatibility
@@ -100 +58,0 @@ For best results with OpenAPI targets:
-## OpenAPI Specification and Feature Support
@@ -102 +59,0 @@ For best results with OpenAPI targets:
-The OpenAPI specification defines the REST API that your Gateway will expose. Here's an example of a simple OpenAPI specification:
@@ -104,5 +60,0 @@ The OpenAPI specification defines the REST API that your Gateway will expose. He
-###### Topics
-
-  * OpenAPI Feature Support
-
-  * OpenAPI Specification Format
@@ -109,0 +62 @@ The OpenAPI specification defines the REST API that your Gateway will expose. He
+In considering using OpenAPI schema targets with AgentCore Gateway, review the following feature support table.
@@ -111,3 +64 @@ The OpenAPI specification defines the REST API that your Gateway will expose. He
-
-
-### OpenAPI Feature Support
+### OpenAPI feature support
@@ -117 +68 @@ The following table outlines the OpenAPI features that are supported and unsuppo
-OpenAPI Feature Support Supported Features | Unsupported Features  
+OpenAPI feature support Supported Features | Unsupported Features  
@@ -190 +141,12 @@ OpenAPI Feature Support Supported Features | Unsupported Features
-### OpenAPI Specification Format
+## OpenAPI schema specification
+
+The OpenAPI specification defines the REST API that your Gateway will expose. Refer to the following resources when setting up your OpenAPI specification:
+
+  * For information about the format of the OpenAPI specification, see [OpenAPI Specification](https://swagger.io/specification/).
+
+  * For information about supported and unsupported features when using an OpenAPI specification with AgentCore Gateway, see the table in OpenAPI feature support. Adhere to these requirements to prevent errors during target creation and invocation.
+
+
+
+
+After you define your OpenAPI schema, you can do one of the following:
@@ -192 +154,8 @@ OpenAPI Feature Support Supported Features | Unsupported Features
-When using OpenAPI specifications with Gateway, ensure that your API definitions adhere to the supported features and avoid using unsupported features to prevent errors during target creation and invocation.
+  * Upload it to an Amazon S3 bucket and refer to the S3 location when you add the target to your gateway.
+
+  * Paste the definition inline when you add the target to your gateway.
+
+
+
+
+Expand a section to see examples of supported and unsupported OpenAPI specifications:
@@ -366,294 +332,0 @@ The following shows an example of an unsupported schema with oneOf:
-
-## Creating an OpenAPI target
-
-You can add an OpenAPI target to your Gateway using one of the following methods:
-
-Console
-    
-
-###### To add an OpenAPI target to an existing gateway
-
-  1. Open the AgentCore console at [https://console.aws.amazon.com/bedrock-agentcore/home#](https://console.aws.amazon.com/bedrock-agentcore/home#).
-
-  2. Choose **Gateways**.
-
-  3. Select the gateway to which you want to add a target.
-
-  4. Choose the **Targets** tab.
-
-  5. Choose **Add target**.
-
-  6. Enter a **Target name**.
-
-  7. (Optional) Provide an optional **Target description**.
-
-  8. For **Target type** , choose **REST API** to connect to a REST API Service.
-
-  9. Choose **OpenAPI schema**
-
-  10. For OpenAPI schema, choose to either provide the schema inline or reference an Amazon S3 location containing your OpenAPI specification.
-
-  11. (Optional) In the **Outbound authentication** section, configure authentication for accessing external services:
-
-     * For **Authentication type** , choose **OAuth client** or **API key**.
-
-     * Select the appropriate authentication resource from your account.
-
-  12. Choose **Add target**.
-
-
-
-
-AgentCore SDK
-    
-
-You can add an OpenAPI target with API Key authentication using the AgentCore SDK:
-    
-    
-    from bedrockagentcoresdk.gateway import GatewayClient
-      
-    # Initialize the Gateway client
-    gateway_client = GatewayClient(region_name="us-west-2")
-      
-    # Create an OpenAPI target with API Key authentication
-    open_api_target = gateway_client.create_mcp_gateway_target(
-        gateway=gateway,
-        target_type="openApiSchema",
-        target_payload={
-            "s3": {
-                "uri": "s3://your-bucket/path/to/open-api-spec.json"
-            }
-        },
-        credentials={
-            "api_key": "your-api-key",
-            "credential_location": "HEADER",
-            "credential_parameter_name": "X-API-Key"
-        }
-    )
-                  
-
-You can also add an OpenAPI target with OAuth authentication:
-    
-    
-    # Create an OpenAPI target with OAuth authentication
-    open_api_with_oauth_target = gateway_client.create_mcp_gateway_target(
-        gateway=gateway, 
-        target_type="openApiSchema",
-        target_payload={
-            "s3": {
-                "uri": "s3://your-bucket/path/to/open-api-spec.json"
-            }
-        },
-        credentials={"oauth2_provider_config": {"customOauth2ProviderConfig": {
-          "oauthDiscovery": {
-            "authorizationServerMetadata": {
-              "issuer": "https://example.auth0.com",