AWS bedrock-agentcore medium security documentation change
Summary
Updated Cognito setup script to use environment variables for region, username, and password instead of hardcoded values
Security assessment
The change removes hardcoded credentials from the script example and enforces using environment variables for passwords, which reduces risk of credential exposure in scripts. This addresses security best practices for handling credentials.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-mcp.md b/bedrock-agentcore/latest/devguide/runtime-mcp.md index a0c80a9cd..923e49cb2 100644 --- a//bedrock-agentcore/latest/devguide/runtime-mcp.md +++ b//bedrock-agentcore/latest/devguide/runtime-mcp.md @@ -289,9 +289 @@ You can also test your deployed server using the MCP Inspector as described in R -Create a new file `setup_cognito.sh` and add the following content to it. - -Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choosing. - -Run the script using the command `source setup_cognito.sh`. - -###### Note - -For detailed OAuth authentication setup and Service-Linked Role information, see [Authenticate and authorize with Inbound Auth and Outbound Auth](./runtime-oauth.html). +Create a new file `setup_cognito.sh` and add the following content. @@ -306 +298 @@ For detailed OAuth authentication setup and Service-Linked Role information, see - --region us-west-2 | jq -r '.UserPool.Id') + --region $REGION | jq -r '.UserPool.Id') @@ -314 +306 @@ For detailed OAuth authentication setup and Service-Linked Role information, see - --region us-west-2 | jq -r '.UserPoolClient.ClientId') + --region $REGION | jq -r '.UserPoolClient.ClientId') @@ -319,3 +311,2 @@ For detailed OAuth authentication setup and Service-Linked Role information, see - --username "testuser" \ - --temporary-password "TEMP_PASSWORD" \ - --region us-west-2 \ + --username $USERNAME \ + --region $REGION \ @@ -327,3 +318,3 @@ For detailed OAuth authentication setup and Service-Linked Role information, see - --username "testuser" \ - --password "PERMANENT_PASSWORD" \ - --region us-west-2 \ + --username $USERNAME \ + --password $PASSWORD \ + --region $REGION \ @@ -336,2 +327,2 @@ For detailed OAuth authentication setup and Service-Linked Role information, see - --auth-parameters USERNAME='testuser',PASSWORD='PERMANENT_PASSWORD' \ - --region us-west-2 | jq -r '.AuthenticationResult.AccessToken') + --auth-parameters USERNAME=$USERNAME,PASSWORD=$PASSWORD \ + --region $REGION | jq -r '.AuthenticationResult.AccessToken') @@ -341 +332 @@ For detailed OAuth authentication setup and Service-Linked Role information, see - echo "Discovery URL: https://cognito-idp.us-west-2.amazonaws.com/$POOL_ID/.well-known/openid-configuration" + echo "Discovery URL: https://cognito-idp.$REGION.amazonaws.com/$POOL_ID/.well-known/openid-configuration" @@ -344,0 +336,22 @@ For detailed OAuth authentication setup and Service-Linked Role information, see +Open a terminal window and set the following environment variables: + + * `REGION` – the AWS Region that you want to use + + * `USERNAME` – the user name for the new user + + * `PASSWORD` – the password for the new user + + + + + + export REGION=us-east-1 // set your desired Region + export USERNAME=USER NAME + export PASSWORD=PASSWORD + +Run the script using the command `source setup_cognito.sh`. + +###### Note + +For detailed OAuth authentication setup and Service-Linked Role information, see [Authenticate and authorize with Inbound Auth and Outbound Auth](./runtime-oauth.html). +