AWS bedrock-agentcore documentation change
Summary
Added documentation about passing JWT tokens via Authorization header and custom metadata headers for runtime context
Security assessment
Explicitly documents security-related capabilities for passing authentication tokens (JWT) and authorization context via headers. While not fixing a security issue, it adds security documentation about authentication/authorization patterns.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-header-allowlist.md b/bedrock-agentcore/latest/devguide/runtime-header-allowlist.md index e78aa9d10..9ee4d6fa6 100644 --- a//bedrock-agentcore/latest/devguide/runtime-header-allowlist.md +++ b//bedrock-agentcore/latest/devguide/runtime-header-allowlist.md @@ -7,2 +6,0 @@ Step 1: Create your agentStep 2: Deploy your agentStep 3: Invoke your agent with -Amazon Bedrock AgentCore is in preview release and is subject to change. - @@ -11 +9,3 @@ Amazon Bedrock AgentCore is in preview release and is subject to change. -You can pass headers from your request to your agent. Amazon Bedrock AgentCore Runtime lets you pass headers from request to your agent code provided the headers match the following criteria: +Custom headers let you pass contextual information from your application directly to your agent code without cluttering the main request payload. This includes authentication tokens like JWT (JSON Web Tokens, which contain user identity and authorization claims) through the `Authorization` header, allowing your agent to make decisions based on who is calling it. You can also pass custom metadata like user preferences, session identifiers, or trace context using headers prefixed with `X-Amzn-Bedrock-AgentCore-Runtime-Custom-`, giving your agent access to up to 20 pieces of runtime context that travel alongside each request. This information can be also used in downstream systems like AgentCore Memory that you can namespace based on those characteristics like `user_id` or `aud` in claims like line of business. + +Amazon Bedrock AgentCore Runtime lets you pass headers in a request request to your agent code provided the headers match the following criteria: