AWS bedrock-agentcore documentation change
Summary
Updated documentation for configuring custom headers and JWT authentication in AgentCore, restructuring steps and changing from YAML to JSON configuration with CLI and SDK examples
Security assessment
The changes add detailed documentation about configuring inbound JWT authentication (OAuth-based access) which is a security feature, including setting up authorizerType, discoveryUrl, allowedAudience, and allowedClients. However, there is no evidence this addresses a specific security vulnerability or incident - it appears to be routine documentation improvement and feature documentation.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-header-allowlist.md b/bedrock-agentcore/latest/devguide/runtime-header-allowlist.md index c4a5a04b4..53643bec6 100644 --- a//bedrock-agentcore/latest/devguide/runtime-header-allowlist.md +++ b//bedrock-agentcore/latest/devguide/runtime-header-allowlist.md @@ -5 +5 @@ -Step 1: Create your agentStep 2: Deploy your agentStep 3: Invoke your agent with custom headersStep 4: (Optional) Pass the JWT token used for OAuth based inbound access to your agent +Step 1: Create your agentStep 2: Configure and deploy your agent with custom headersStep 3: Invoke your agent with custom headersStep 4: (Optional) Configure inbound JWT authentication @@ -30 +30 @@ Amazon Bedrock AgentCore Runtime lets you pass headers in a request to your agen - * Step 2: Deploy your agent + * Step 2: Configure and deploy your agent with custom headers @@ -34 +34 @@ Amazon Bedrock AgentCore Runtime lets you pass headers in a request to your agen - * Step 4: (Optional) Pass the JWT token used for OAuth based inbound access to your agent + * Step 4: (Optional) Configure inbound JWT authentication @@ -41 +41 @@ Amazon Bedrock AgentCore Runtime lets you pass headers in a request to your agen -Start by creating a basic agent with the following project structure: +Create an AgentCore project using the AgentCore CLI: @@ -44,3 +44,2 @@ Start by creating a basic agent with the following project structure: - your_project_directory/ - ├── agent_example.py # Your main agent code - └── requirements.txt # Dependencies for your agent + agentcore create --name MyHeaderAgent + cd MyHeaderAgent @@ -48,6 +47 @@ Start by creating a basic agent with the following project structure: - -Create the following files: - -###### agent_example.py - -Create your main agent code file and add the following code: +Update your agent's entrypoint file to access the custom headers from the request context: @@ -78,0 +73 @@ Create your main agent code file and add the following code: +## Step 2: Configure and deploy your agent with custom headers @@ -80 +75 @@ Create your main agent code file and add the following code: -###### requirements.txt +Configure the request header allowlist on your agent runtime so that custom headers are forwarded to your agent code at invocation time. @@ -82 +77 @@ Create your main agent code file and add the following code: -Create your dependencies file and add the following dependencies: +AgentCore CLI @@ -85,2 +80 @@ Create your dependencies file and add the following dependencies: - strands-agents - bedrock-agentcore +Add the `requestHeaderAllowlist` field to your agent configuration in `agentcore/agentcore.json`: @@ -89 +83,11 @@ Create your dependencies file and add the following dependencies: -## Step 2: Deploy your agent + { + "agents": [ + { + "name": "MyHeaderAgent", + "requestHeaderAllowlist": [ + "X-Amzn-Bedrock-AgentCore-Runtime-Custom-H1", + "X-Amzn-Bedrock-AgentCore-Runtime-Custom-UserId" + ] + } + ] + } @@ -91 +95 @@ Create your dependencies file and add the following dependencies: -###### Tip +Deploy your agent: @@ -93 +96,0 @@ Create your dependencies file and add the following dependencies: -You can configure the request header allowlist interactively by navigating to your project directory and running `agentcore configure --request-header-allowlist "X-Amzn-Bedrock-AgentCore-Runtime-Custom-H1"`. @@ -95 +98 @@ You can configure the request header allowlist interactively by navigating to yo -Alternatively, manually edit your agent's `.bedrock_agentcore.yaml` with the request header allowlist: + agentcore deploy @@ -96,0 +100 @@ Alternatively, manually edit your agent's `.bedrock_agentcore.yaml` with the req +Note the agent runtime ARN from the output. You need it if you plan to invoke using the AWS SDK. @@ -98,2 +102 @@ Alternatively, manually edit your agent's `.bedrock_agentcore.yaml` with the req - request_header_allowlist: - - "X-Amzn-Bedrock-AgentCore-Runtime-Custom-H1" +AWS SDK @@ -101 +103,0 @@ Alternatively, manually edit your agent's `.bedrock_agentcore.yaml` with the req -Deploy your agent with the starter toolkit: @@ -102,0 +105,4 @@ Deploy your agent with the starter toolkit: +After deploying your agent, update the runtime configuration using the AWS SDK: + + + import boto3 @@ -104 +110 @@ Deploy your agent with the starter toolkit: - agentcore launch + client = boto3.client('bedrock-agentcore') @@ -105,0 +112,8 @@ Deploy your agent with the starter toolkit: + client.update_agent_runtime( + agentRuntimeId='your-runtime-id', + requestHeaderConfiguration={ + 'requestHeaderAllowlist': [ + 'X-Amzn-Bedrock-AgentCore-Runtime-Custom-H1' + ] + } + ) @@ -107 +121 @@ Deploy your agent with the starter toolkit: -Note the agent runtime ARN from the output. you need it in the next step. +You can find your runtime ID by running `agentcore status`. @@ -111 +125,4 @@ Note the agent runtime ARN from the output. you need it in the next step. -Starter toolkit +Pass custom headers when invoking your agent so that your agent code can access them through the request context. + +AgentCore CLI + @@ -112,0 +130 @@ Starter toolkit +Use the `-H` flag to pass custom headers with `agentcore invoke`: @@ -114 +131,0 @@ Starter toolkit -Use the Amazon Bedrock AgentCore starter toolkit command line interface to invoke your agent with custom headers. @@ -115,0 +133,2 @@ Use the Amazon Bedrock AgentCore starter toolkit command line interface to invok + agentcore invoke "Tell me a joke" \ + -H "X-Amzn-Bedrock-AgentCore-Runtime-Custom-H1: test header1" @@ -117 +136 @@ Use the Amazon Bedrock AgentCore starter toolkit command line interface to invok - agentcore invoke '{"prompt": "Hello what is 1+1?"}' --headers "X-Amzn-Bedrock-AgentCore-Runtime-Custom-H1:test header" +You can pass multiple headers by repeating the `-H` flag: @@ -120 +139,3 @@ Use the Amazon Bedrock AgentCore starter toolkit command line interface to invok -Python + agentcore invoke "Tell me a joke" \ + -H "X-Amzn-Bedrock-AgentCore-Runtime-Custom-H1: test header1" \ + -H "X-Amzn-Bedrock-AgentCore-Runtime-Custom-UserId: user-123" @@ -121,0 +143 @@ Python +AWS SDK @@ -123 +144,0 @@ Python -Use boto3 with event handlers to add custom headers to your agent invocation. @@ -125 +146 @@ Use boto3 with event handlers to add custom headers to your agent invocation. -For more details on botocore events, see [botocore events documentation](https://botocore.amazonaws.com/v1/documentation/api/latest/topics/events.html). +Use boto3 with event handlers to add custom headers to your agent invocation. For more details on botocore events, see [botocore events documentation](https://botocore.amazonaws.com/v1/documentation/api/latest/topics/events.html). @@ -138 +157,0 @@ For more details on botocore events, see [botocore events documentation](https:/ - # Constants for event handler configuration @@ -144 +162,0 @@ For more details on botocore events, see [botocore events documentation](https:/ - """Add custom header for agent runtime authentication/identification.""" @@ -163 +180,38 @@ For more details on botocore events, see [botocore events documentation](https:/ -## Step 4: (Optional) Pass the JWT token used for OAuth based inbound access to your agent +## Step 4: (Optional) Configure inbound JWT authentication + +To pass the JWT token used for OAuth-based inbound access to your agent, configure `authorizerType` and `authorizerConfiguration` in your agent configuration. + +AgentCore CLI + + +Add the authorizer configuration to your agent in `agentcore/agentcore.json`: + + + { + "agents": [ + { + "name": "MyHeaderAgent", + "authorizerType": "CUSTOM_JWT", + "authorizerConfiguration": { + "customJwtAuthorizer": { + "discoveryUrl": "https://cognito-idp.us-east-1.amazonaws.com/user-pool-id/.well-known/openid-configuration", + "allowedAudience": ["your-client-id"], + "allowedClients": ["your-client-id"] + } + }, + "requestHeaderAllowlist": [ + "Authorization" + ] + } + ] + } + +Deploy to apply the configuration: + + + agentcore deploy + +With this configuration, the `Authorization` header from incoming requests is validated against your OIDC provider and forwarded to your agent code. + +AWS SDK + @@ -165 +219 @@ For more details on botocore events, see [botocore events documentation](https:/ -For information about setting up an agent with OAuth inbound access and enabling an Authorization header to be passed into AgentCore Runtime, see [Authenticate and authorize with Inbound Auth and Outbound Auth](./runtime-oauth.html). +For information about setting up an agent with OAuth inbound access using the AWS SDK, see [Authenticate and authorize with Inbound Auth and Outbound Auth](./runtime-oauth.html).