AWS bedrock-agentcore medium security documentation change
Summary
Modified OAuth documentation to use environment variables for credentials and region, and restructured setup instructions
Security assessment
The change eliminates hardcoded passwords from code examples and moves credential handling to environment variables, which helps prevent accidental credential leakage. This implements security best practices for sensitive data handling.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-oauth.md b/bedrock-agentcore/latest/devguide/runtime-oauth.md index fb3a70ccf..781bfcc45 100644 --- a//bedrock-agentcore/latest/devguide/runtime-oauth.md +++ b//bedrock-agentcore/latest/devguide/runtime-oauth.md @@ -13 +13 @@ For a complete example, see [https://github.com/awslabs/amazon-bedrock-agentcore -For information about using OAuth to with an MCP server, see [Deploy MCP servers in AgentCore Runtime](./runtime-mcp.html). +For information about using OAuth with an MCP server, see [Deploy MCP servers in AgentCore Runtime](./runtime-mcp.html). @@ -56 +56 @@ This configuration requires: -A runtime can only support either IAM SigV4 or JWT Bearer Token based inbound auth. You can always create custom endpoints for your runtime and configure them for different inbound authorization types. +An AgentCore Runtime can support either IAM SigV4 or JWT Bearer Token based inbound auth, but not both simultaneously. You can always create different versions of your AgentCore Runtime and configure them for different inbound authorization types. @@ -168,3 +168 @@ For more information, see [Step 2: Set up an OAuth 2.0 Credential Provider](./id - 1. Create a file named `setup_cognito.sh` with the following content: - -Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choosing. + * Create a file named `setup_cognito.sh` with the following content: @@ -178 +176 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - --region us-east-1 | jq -r '.UserPool.Id') + --region $REGION | jq -r '.UserPool.Id') @@ -186 +184 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - --region us-east-1 | jq -r '.UserPoolClient.ClientId') + --region $REGION | jq -r '.UserPoolClient.ClientId') @@ -191,3 +189,2 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - --username "testuser" \ - --temporary-password "TEMP_PASSWORD" \ - --region us-east-1 \ + --username $USERNAME \ + --region $REGION \ @@ -199,3 +196,3 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - --username "testuser" \ - --password "PERMANENT_PASSWORD" \ - --region us-east-1 \ + --username $USERNAME \ + --password $PASSWORD \ + --region $REGION \ @@ -208,2 +205,2 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - --auth-parameters USERNAME='testuser',PASSWORD='PERMANENT_PASSWORD' \ - --region us-east-1 | jq -r '.AuthenticationResult.AccessToken') + --auth-parameters USERNAME=$USERNAME,PASSWORD=$PASSWORD \ + --region $REGION | jq -r '.AuthenticationResult.AccessToken') @@ -213 +210 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - echo "Discovery URL: https://cognito-idp.us-east-1.amazonaws.com/$POOL_ID/.well-known/openid-configuration" + echo "Discovery URL: https://cognito-idp.$REGION.amazonaws.com/$POOL_ID/.well-known/openid-configuration" @@ -217 +214 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - 2. Run the script to create the Cognito resources: +Open a terminal window and set the following environment variables: @@ -219 +216,3 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - source setup_cognito.sh + * `REGION` – the AWS Region that you want to use + + * `USERNAME` – the user name for the new user @@ -221 +220 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - 3. Note the output values, which will look similar to: + * `PASSWORD` – the password for the new user @@ -223,4 +222,7 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo - Pool id: us-east-1_poolid - Discovery URL: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_userpoolid/.well-known/openid-configuration - Client ID: clientid - Bearer Token: bearertoken + export REGION=us-east-1 // set your desired Region + export USERNAME=USER NAME + export PASSWORD=PASSWORD + +In the terminal window, run the script: + + source setup_cognito.sh @@ -228 +230 @@ Change `TEMP_PASSWORD` and `PERMANENT_PASSWORD` to secure passwords of your choo -You'll need these values in the next steps. +Note the output from the script. You'll need these values in the next steps.