AWS bedrock-agentcore documentation change
Summary
Added documentation for using AgentCore CLI commands to create OAuth 2.0 credential providers and store API keys, including information about where sensitive values are stored.
Security assessment
The change adds documentation about securely storing sensitive credentials (client secrets, API keys) in `agentcore/.env.local` file, which helps prevent accidental exposure in version control. This is a security best practice enhancement to the documentation, not a response to a specific security vulnerability.
Diff
diff --git a/bedrock-agentcore/latest/devguide/resource-providers.md b/bedrock-agentcore/latest/devguide/resource-providers.md index b803df49e..b3d474b9f 100644 --- a//bedrock-agentcore/latest/devguide/resource-providers.md +++ b//bedrock-agentcore/latest/devguide/resource-providers.md @@ -15 +15,15 @@ Resource credential providers integrate deeply with the token vault to provide s -Provider configurations in AgentCore Identity define the basic parameters needed for credential management with different resources and authentication systems. The following example demonstrates how to use the AgentCore SDK to configure an OAuth 2.0 credential provider to use with GitHub. +Provider configurations in AgentCore Identity define the basic parameters needed for credential management with different resources and authentication systems. + +If you are using the AgentCore CLI, you can create an OAuth 2.0 credential provider with the `agentcore add credential` command: + + + agentcore add credential --type oauth \ + --name github-provider \ + --discovery-url https://your-idp/.well-known/openid-configuration \ + --client-id your-github-client-id \ + --client-secret your-github-client-secret \ + --scopes repo,user + +The CLI stores the credential configuration in `agentcore/agentcore.json` and saves sensitive values (client ID and client secret) to `agentcore/.env.local`. + +Alternatively, you can use the AgentCore SDK to configure an OAuth 2.0 credential provider programmatically. The following example configures a provider for GitHub. @@ -21,9 +35,9 @@ Provider configurations in AgentCore Identity define the basic parameters needed - "name": "github-provider", - "credentialProviderVendor": "GithubOauth2", - "oauth2ProviderConfigInput": { - "githubOauth2ProviderConfig": { - "clientId": "your-github-client-id", - "clientSecret": "your-github-client-secret" - } - } - }) + "name": "github-provider", + "credentialProviderVendor": "GithubOauth2", + "oauth2ProviderConfigInput": { + "githubOauth2ProviderConfig": { + "clientId": "your-github-client-id", + "clientSecret": "your-github-client-secret" + } + } + }) @@ -33 +47,8 @@ Provider configurations in AgentCore Identity define the basic parameters needed -For services that use API keys for authentication rather than OAuth, AgentCore Identity will securely store and retrieve keys for your agents. The example below illustrates using the AgentCore SDK to store an API key. For information about API key credential provider limits, see [AgentCore Identity Service Quotas](./bedrock-agentcore-limits.html#identity-service-limits). +For services that use API keys for authentication rather than OAuth, AgentCore Identity will securely store and retrieve keys for your agents. For information about API key credential provider limits, see [AgentCore Identity Service Quotas](./bedrock-agentcore-limits.html#identity-service-limits). + +If you are using the AgentCore CLI, you can store an API key with a single command: + + + agentcore add credential --name your-service-name --api-key your-api-key + +Alternatively, you can use the AgentCore SDK to store an API key programmatically: @@ -39,3 +60,3 @@ For services that use API keys for authentication rather than OAuth, AgentCore I - "name": "your-service-name", - "apiKey": "your-api-key" - }) + "name": "your-service-name", + "apiKey": "your-api-key" + })