AWS bedrock-agentcore documentation change
Summary
Expanded documentation for adding MCP server targets with detailed examples for IAM (SigV4) and OAuth authorization types, including AWS CLI, Boto3, and AgentCore CLI examples.
Security assessment
The changes add comprehensive documentation about authentication/authorization methods (IAM SigV4 and OAuth) for MCP server targets, which are security features. There is no evidence of addressing a specific security vulnerability; rather, this appears to be enhanced documentation for existing security capabilities.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-add-target-api-target-config.md b/bedrock-agentcore/latest/devguide/gateway-add-target-api-target-config.md index b1261e1d2..a9cb131b6 100644 --- a//bedrock-agentcore/latest/devguide/gateway-add-target-api-target-config.md +++ b//bedrock-agentcore/latest/devguide/gateway-add-target-api-target-config.md @@ -439 +439 @@ The wizard then prompts you for the target name, path to the Smithy model file, -You can add an MCP server target using the AgentCore CLI or the AWS Python SDK (Boto3). +You can add an MCP server target using the AgentCore CLI or AWS Python SDK (Boto3). The following examples show how to create an MCP server target with different outbound authorization types. @@ -441 +441 @@ You can add an MCP server target using the AgentCore CLI or the AWS Python SDK ( -AgentCore CLI +**MCP server with IAM (SigV4) authorization** @@ -442,0 +443 @@ AgentCore CLI +The following example creates an MCP server target with IAM authorization. The gateway signs requests to the MCP server using SigV4 with the gateway service role's credentials. You must specify the `service` name for signing. The `region` is optional and defaults to the gateway's Region. @@ -444 +445 @@ AgentCore CLI -To add an MCP server target, run `agentcore add gateway-target` with the `--type mcp-server` option and provide the endpoint URL of your MCP server: +The value of `service` depends on where your MCP server is hosted. The following are common values: @@ -445,0 +447 @@ To add an MCP server target, run `agentcore add gateway-target` with the `--type + * `bedrock-agentcore` – For MCP servers hosted on Amazon Bedrock AgentCore, such as the runtime (see [Deploy MCP servers in AgentCore Runtime](./runtime-mcp.html)) or another gateway. @@ -447,6 +449,32 @@ To add an MCP server target, run `agentcore add gateway-target` with the `--type - agentcore add gateway-target \ - --name MyMCPTarget \ - --type mcp-server \ - --endpoint https://your-mcp-server.example.com/mcp \ - --gateway MyGateway - agentcore deploy + * `execute-api` – For MCP servers behind Amazon API Gateway. + + * `lambda` – For MCP servers behind Lambda Function URLs. + + + + +Select one of the following methods: + +AWS CLI + + + + aws bedrock-agentcore-control create-gateway-target \ + --gateway-identifier "your-gateway-id" \ + --name "MyMCPTarget" \ + --target-configuration '{ + "mcp": { + "mcpServer": { + "endpoint": "https://my-server.bedrock-agentcore.us-west-2.api.aws" + } + } + }' \ + --credential-provider-configurations '[{ + "credentialProviderType": "GATEWAY_IAM_ROLE", + "credentialProvider": { + "iamCredentialProvider": { + "service": "bedrock-agentcore", + "region": "us-west-2" + } + } + }]' @@ -462,0 +491,109 @@ The wizard then prompts you for the target name, MCP server endpoint URL, and ou +Boto3 + + + + import boto3 + + agentcore_client = boto3.client('bedrock-agentcore-control') + + target = agentcore_client.create_gateway_target( + gatewayIdentifier="your-gateway-id", + name="MyMCPTarget", + targetConfiguration={ + "mcp": { + "mcpServer": { + "endpoint": "https://my-server.bedrock-agentcore.us-west-2.api.aws" + } + } + }, + credentialProviderConfigurations=[ + { + "credentialProviderType": "GATEWAY_IAM_ROLE", + "credentialProvider": { + "iamCredentialProvider": { + "service": "bedrock-agentcore", + "region": "us-west-2" + } + } + } + ] + ) + +**MCP server with OAuth authorization** + +The following example creates an MCP server target with OAuth (client credentials) authorization. + +Select one of the following methods: + +AWS CLI + + + + aws bedrock-agentcore-control create-gateway-target \ + --gateway-identifier "your-gateway-id" \ + --name "MyMCPTarget" \ + --target-configuration '{ + "mcp": { + "mcpServer": { + "endpoint": "https://my-mcp-server.example.com" + } + } + }' \ + --credential-provider-configurations '[{ + "credentialProviderType": "OAUTH", + "credentialProvider": { + "oauthCredentialProvider": { + "providerArn": "arn:aws:bedrock-agentcore:us-west-2:123456789012:token-vault/default/oauth2credentialprovider/my-oauth-provider", + "scopes": [] + } + } + }]' + +AgentCore CLI + + +To add an MCP server target with OAuth authorization, run `agentcore add gateway-target` with the `--type mcp-server` option and specify the OAuth credentials: + + + agentcore add gateway-target \ + --type mcp-server \ + --name MyMCPTarget \ + --endpoint https://my-mcp-server.example.com \ + --gateway MyGateway \ + --outbound-auth oauth \ + --oauth-client-id my-client \ + --oauth-client-secret my-secret \ + --oauth-discovery-url https://auth.example.com/.well-known/openid-configuration + agentcore deploy + +Boto3 + + + + import boto3 + + agentcore_client = boto3.client('bedrock-agentcore-control') + + target = agentcore_client.create_gateway_target( + gatewayIdentifier="your-gateway-id", + name="MyMCPTarget", + targetConfiguration={ + "mcp": { + "mcpServer": { + "endpoint": "https://my-mcp-server.example.com" + } + } + }, + credentialProviderConfigurations=[ + { + "credentialProviderType": "OAUTH", + "credentialProvider": { + "oauthCredentialProvider": { + "providerArn": "arn:aws:bedrock-agentcore:us-west-2:123456789012:token-vault/default/oauth2credentialprovider/my-oauth-provider", + "scopes": [] + } + } + } + ] + ) +