AWS bedrock-agentcore high security documentation change
Summary
Added two new sections: 1) Creating a gateway with NONE authorizer (no authentication/authorization) with examples across multiple tools 2) Creating gateways with interceptor configurations for request processing
Security assessment
The NONE authorizer documentation explicitly states it disables all authentication/authorization, creating an inherent security risk by allowing unauthenticated access. The change includes a security warning about this configuration but introduces a high-risk option. The interceptor section enables custom request processing which could impact security validation mechanisms.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-create-api.md b/bedrock-agentcore/latest/devguide/gateway-create-api.md index f4c359f3f..e1753e5d6 100644 --- a//bedrock-agentcore/latest/devguide/gateway-create-api.md +++ b//bedrock-agentcore/latest/devguide/gateway-create-api.md @@ -5 +5 @@ -Create a gateway: basic example (Custom JWT authorization)Create a gateway: basic example (IAM authorization)Create a gateway with semantic searchCreate a gateway with debugging messages +Create a gateway: basic example (Custom JWT authorization)Create a gateway: basic example (IAM authorization)Create a gateway: basic example (NONE authorizer)Create a gateway with semantic searchCreate a gateway with debugging messagesCreate a gateway with interceptor configurations @@ -18,0 +19,2 @@ To see examples of how to create a gateway, expand the section that corresponds + * Create a gateway: basic example (NONE authorizer) + @@ -22,0 +25,2 @@ To see examples of how to create a gateway, expand the section that corresponds + * Create a gateway with interceptor configurations + @@ -232,0 +237,90 @@ Boto3 +## Create a gateway: basic example (NONE authorizer) + +This section provides basic examples of creating a gateway with a NONE authorizer type. This represents a gateway that will not perform authentication or authorization for any incoming requests. + +###### Note + + * The NONE authorizer type represents a gateway that will not perform authentication or authorization for any incoming requests. See [inbound authorization](./gateway-inbound-auth.html) for security concerns and details around using this configuration. + + * If you choose an option that involves specifying an overt gateway service role ARN, ensure that you specify an existing one that you've set up. For more information, see [AgentCore Gateway service role permissions](./gateway-prerequisites-permissions.html#gateway-service-role-permissions). + + + + +Select one of the following methods: + +AgentCore starter toolkit (CLI) + + +The AgentCore starter toolkit CLI provides a simple way to create a gateway with NONE authorizer type in a command line interface. + +The following command shows how to create a gateway with NONE authorizer type: + + + agentcore create_mcp_gateway \ + --region us-west-2 \ + --name my-gateway \ + --role-arn arn:aws:iam::123456789012:role/my-gateway-service-role \ + --authorizer-type NONE \ + --enable_semantic_search + +The `gatewayUrl` in the response is the endpoint to use when you invoke the gateway. + +AgentCore starter toolkit (Python) + + +The AgentCore starter toolkit helps you easily create a gateway with NONE authorizer type. First, you initialize a client and then you use the `create_mcp_gateway` method of the client. + +The following example code shows how to create a gateway with NONE authorizer type: + + + from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient + + # Initialize the Gateway client + client = GatewayClient(region_name="us-west-2") + + # Create the gateway with NONE authorizer type + gateway = client.create_mcp_gateway( + name="my-gateway", + role_arn="arn:aws:iam::123456789012:role/my-gateway-service-role", + authorizer_type="NONE", + enable_semantic_search=False + ) + + print(f"MCP Endpoint: {gateway['gatewayUrl']}") + +AWS CLI + + +Run the following code in a terminal to create a gateway with NONE authorizer type using the AWS CLI: + + + aws bedrock-agentcore-control create-gateway \ + --name my-gateway \ + --role-arn arn:aws:iam::123456789012:role/my-gateway-service-role \ + --protocol-type MCP \ + --authorizer-type NONE + +The `gatewayUrl` in the response is the endpoint to use when you invoke the gateway. + +AWS Python SDK (Boto3) + + +The following Python code shows how to create a gateway with NONE authorizer type using the AWS Python SDK (Boto3): + + + import boto3 + + # Initialize the AgentCore client + client = boto3.client('bedrock-agentcore-control') + + # Create a gateway + gateway = client.create_gateway( + name="my-gateway", + roleArn="arn:aws:iam::123456789012:role/my-gateway-service-role", + protocolType="MCP", + authorizerType="NONE" + ) + + print(f"MCP Endpoint: {gateway['gatewayUrl']}") + @@ -379,0 +474,144 @@ The following Python code shows how to create a basic gateway with the AWS Pytho +## Create a gateway with interceptor configurations + +This section provides examples of creating a gateway that has interceptors configured. Interceptors will be invoked at runtime of the gateway for each request. + +###### Note + + * Interceptors will be invoked at runtime of the gateway for each request. + + * If you choose an option that involves specifying an overt gateway service role ARN, ensure that you specify an existing one that you've set up. For more information, see [AgentCore Gateway service role permissions](./gateway-prerequisites-permissions.html#gateway-service-role-permissions). + + + + +Select one of the following methods: + +AgentCore starter toolkit (CLI) + + +The AgentCore starter toolkit CLI provides a simple way to create a gateway with interceptor configurations in a command line interface. + +The following command shows how to create a gateway with interceptor configurations: + + + agentcore create_mcp_gateway \ + --region us-west-2 \ + --name my-gateway \ + --role-arn arn:aws:iam::123456789012:role/my-gateway-service-role \ + --authorizer-config '{ + "customJWTAuthorizer": { + "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/some-user-pool/.well-known/openid-configuration", + "allowedClients": ["clientId"] + } + }' \ + --interceptor-configurations '[{ + "interceptor": { + "lambda": { + "arn":"arn:aws:lambda:us-west-2:123456789012:function:my-interceptor-lambda" + } + }, + "interceptionPoints": ["REQUEST"] + }]' \ + --enable_semantic_search + +The `gatewayUrl` in the response is the endpoint to use when you invoke the gateway. + +AgentCore starter toolkit (Python) + + +The AgentCore starter toolkit helps you easily create a gateway with interceptor configurations. First, you initialize a client and then you use the `create_mcp_gateway` method of the client. + +The following example code shows how to create a gateway with interceptor configurations: + + + from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient + + # Initialize the Gateway client + client = GatewayClient(region_name="us-west-2") + + # Create the gateway with interceptor configurations + gateway = client.create_mcp_gateway( + name="my-gateway", + role_arn="arn:aws:iam::123456789012:role/my-gateway-service-role", + authorizer_config={ + "customJWTAuthorizer": { + "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/some-user-pool/.well-known/openid-configuration", + "allowedClients": ["clientId"] + } + }, + interceptor_configurations=[{ + "interceptor": { + "lambda": { + "arn":"arn:aws:lambda:us-west-2:123456789012:function:my-interceptor-lambda" + } + }, + "interceptionPoints": ["REQUEST"] + }], + enable_semantic_search=False + ) + + print(f"MCP Endpoint: {gateway['gatewayUrl']}") + +AWS CLI + + +Run the following code in a terminal to create a gateway with interceptor configurations using the AWS CLI: + + + aws bedrock-agentcore-control create-gateway \ + --name my-gateway \ + --role-arn arn:aws:iam::123456789012:role/my-gateway-service-role \ + --protocol-type MCP \ + --authorizer-type CUSTOM_JWT \ + --authorizer-configuration '{ + "customJWTAuthorizer": { + "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/some-user-pool/.well-known/openid-configuration",