AWS bedrock-agentcore documentation change
Summary
Complete rewrite of the tutorial from using Python starter toolkit to using AgentCore CLI. Changes include: updated prerequisites (Node.js instead of Python), new CLI-based workflow, simplified gateway creation with NONE authorizer for tutorial, updated testing with curl commands, and new cleanup process using CLI commands.
Security assessment
The change is a tutorial rewrite focusing on tooling migration from Python SDK to CLI. It adds security documentation by explicitly mentioning that using '--authorizer-type NONE' is for tutorial simplicity and that production should use IAM or JWT authorization. It also provides clearer guidance on policy engine enforcement modes and Cedar policy validation. However, there's no evidence this addresses a specific security vulnerability or incident.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-getting-started.md b/bedrock-agentcore/latest/devguide/policy-getting-started.md index 18c1b7516..7ef66e7c8 100644 --- a//bedrock-agentcore/latest/devguide/policy-getting-started.md +++ b//bedrock-agentcore/latest/devguide/policy-getting-started.md @@ -5 +5 @@ -PrerequisitesStep 1: Setup and installStep 2: Create policy setup scriptStep 3: Run the setupStep 4: Test the policyWhat you've builtTroubleshootingClean up +PrerequisitesStep 1: Setup and installStep 2: Add a gateway with a policy engineStep 3: DeployStep 4: Test the policyWhat you've builtTroubleshootingClean up @@ -9 +9 @@ PrerequisitesStep 1: Setup and installStep 2: Create policy setup scriptStep 3: -In this tutorial, you'll learn how to set up Policy in AgentCore and integrate it with a Amazon Bedrock AgentCore Gateway using the AgentCore starter toolkit. You'll create a refund processing tool with Cedar policies that enforce business rules for refund amounts. +In this tutorial, you'll learn how to set up Policy in AgentCore and integrate it with a Amazon Bedrock AgentCore Gateway using the AgentCore CLI. You'll create a refund processing tool with Cedar policies that enforce business rules for refund amounts. @@ -17 +17 @@ In this tutorial, you'll learn how to set up Policy in AgentCore and integrate i - * Step 2: Create policy setup script + * Step 2: Add a gateway with a policy engine @@ -19 +19 @@ In this tutorial, you'll learn how to set up Policy in AgentCore and integrate i - * Step 3: Run the setup + * Step 3: Deploy @@ -36 +36 @@ Before starting, make sure you have the following: - * **AWS Account** with credentials configured + * **AWS Account** with credentials configured. To configure credentials, you can install and use the AWS Command Line Interface by following the steps at [Getting started with the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). @@ -38 +38 @@ Before starting, make sure you have the following: - * **Python 3.10+** installed + * **Node.js 18+** installed @@ -41,0 +42,2 @@ Before starting, make sure you have the following: + * **A Lambda function** that processes refund requests. You can use an existing function or create one for this tutorial. Note the function ARN for use in Step 2. + @@ -47 +49 @@ Before starting, make sure you have the following: -Run the following in a terminal to set up the virtual environment: +Install the AgentCore CLI: @@ -50,198 +52 @@ Run the following in a terminal to set up the virtual environment: - mkdir agentcore-policy-quickstart - cd agentcore-policy-quickstart - python3 -m venv .venv - source .venv/bin/activate # On Windows: .venv\Scripts\activate - - -Then install the dependencies: - - - pip install boto3 - pip install bedrock-agentcore-starter-toolkit - pip install requests - - -## Step 2: Create policy setup script - -Create a new file called `setup_policy.py` and insert the following code: - - - """ - Setup script to create Gateway with Policy Engine - Run this first: python setup_policy.py - """ - - from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient - from bedrock_agentcore_starter_toolkit.operations.policy.client import PolicyClient - from bedrock_agentcore_starter_toolkit.utils.lambda_utils import create_lambda_function - import boto3 - import json - import logging - import time - - - def setup_policy(): - # Configuration - region = "us-west-2" - refund_limit = 1000 - - print("🚀 Setting up AgentCore Gateway with Policy Engine...") - print(f"Region: {region}\n") - - # Initialize clients - gateway_client = GatewayClient(region_name=region) - gateway_client.logger.setLevel(logging.INFO) - - policy_client = PolicyClient(region_name=region) - policy_client.logger.setLevel(logging.INFO) - - # Step 1: Create OAuth authorizer - print("Step 1: Creating OAuth authorization server...") - cognito_response = gateway_client.create_oauth_authorizer_with_cognito("PolicyGateway") - print("✓ Authorization server created\n") - - # Step 2: Create Gateway - print("Step 2: Creating Gateway...") - gateway = gateway_client.create_mcp_gateway( - name=None, - role_arn=None, - authorizer_config=cognito_response["authorizer_config"], - enable_semantic_search=False, - ) - print(f"✓ Gateway created: {gateway['gatewayUrl']}\n") - - # Fix IAM permissions - gateway_client.fix_iam_permissions(gateway) - print("⏳ Waiting 30s for IAM propagation...") - time.sleep(30) - print("✓ IAM permissions configured\n") - - # Step 3: Create Lambda function with refund tool - print("Step 3: Creating Lambda function with refund tool...") - - refund_lambda_code = """ - def lambda_handler(event, context): - amount = event.get('amount', 0) - return { - "status": "success", - "message": f"Refund of ${amount} processed successfully", - "amount": amount - } - """ - - session = boto3.Session(region_name=region) - lambda_arn = create_lambda_function( - session=session, - logger=gateway_client.logger, - function_name=f"RefundTool-{int(time.time())}", - lambda_code=refund_lambda_code, - runtime="python3.13", - handler="lambda_function.lambda_handler", - gateway_role_arn=gateway["roleArn"], - description="Refund tool for policy demo", - ) - print("✓ Lambda function created\n") - - print("⏳ Waiting 10s for Lambda settings propagation") - time.sleep(10) - - # Step 4: Add Lambda target with refund tool schema - print("Step 4: Adding Lambda target with refund tool schema...") - lambda_target = gateway_client.create_mcp_gateway_target( - gateway=gateway, - name="RefundTarget", - target_type="lambda", - target_payload={ - "lambdaArn": lambda_arn, - "toolSchema": { - "inlinePayload": [ - { - "name": "process_refund", - "description": "Process a customer refund", - "inputSchema": { - "type": "object", - "properties": { - "amount": { - "type": "integer", - "description": "Refund amount in dollars" - } - }, - "required": ["amount"], - }, - } - ] - }, - }, - credentials=None, - ) - print("✓ Lambda target added\n") - - # Step 5: Create Policy Engine - print("Step 5: Creating Policy Engine...") - engine = policy_client.create_or_get_policy_engine( - name="RefundPolicyEngine", - description="Policy engine for refund governance" - ) - print(f"✓ Policy Engine: {engine['policyEngineId']}\n") - - # Step 6: Create Cedar policy - print(f"Step 6: Creating Cedar policy (refund limit: ${refund_limit})...") - cedar_statement = ( - f"permit(principal, " - f'action == AgentCore::Action::"RefundTarget___process_refund", ' - f'resource == AgentCore::Gateway::"{gateway["gatewayArn"]}") ' - f"when {{ context.input.amount < {refund_limit} }};" - ) - - policy = policy_client.create_or_get_policy( - policy_engine_id=engine["policyEngineId"], - name="refund_limit_policy", - description=f"Allow refunds under ${refund_limit}", - definition={"cedar": {"statement": cedar_statement}}, - ) - print(f"✓ Policy: {policy['policyId']}\n") - - # Step 7: Attach Policy Engine to Gateway - print("Step 7: Attaching Policy Engine to Gateway (ENFORCE mode)...") - gateway_client.update_gateway_policy_engine( - gateway_identifier=gateway["gatewayId"], - policy_engine_arn=engine["policyEngineArn"], - mode="ENFORCE" - ) - print("✓ Policy Engine attached to Gateway\n") - - # Step 8: Save configuration - config = { - "gateway_url": gateway["gatewayUrl"], - "gateway_id": gateway["gatewayId"], - "gateway_arn": gateway["gatewayArn"], - "policy_engine_id": engine["policyEngineId"], - "policy_engine_arn": engine["policyEngineArn"], - "policy_id": policy["policyId"],