AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-04 · Documentation low

File: bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md

Summary

Updated documentation for credential provider configuration in CreateGatewayTarget, added specific guidance for IAM authorization with MCP server targets requiring service name for SigV4 signing, and corrected API key authorization field name and enum value.

Security assessment

The changes clarify and expand documentation for authorization mechanisms (IAM, OAuth, API keys) but do not indicate any security vulnerability being fixed. The addition of MCP server target configuration for SigV4 signing is a documentation enhancement for proper security implementation, not a response to a security incident.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md b/bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md
index 0332e596f..f9a5b780f 100644
--- a//bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md
+++ b//bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md
@@ -9 +9 @@ AgentCore Gateway service role (IAM) authorizationOAuth authorizationAPI key aut
-You provide the credential provider configuration as a member of the array that the `credentialProviderConfigurations` field in the [CreateGatewayTarget](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateGatewayTarget.html) request body maps to. The configuration that you provide depends on the outbound authorization that you set up. For reference information about the API structure for the credential provider configuration, see [CredentialProviderConfiguration](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CredentialProviderConfiguration.html). For more information on outbound authorization, see [Set up outbound authorization for your gateway](./gateway-outbound-auth.html).
+In the [CreateGatewayTarget](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateGatewayTarget.html) request body, you specify the credential provider configuration in the `credentialProviderConfigurations` array. The configuration depends on the outbound authorization type that you set up. For reference information about the API structure for the credential provider configuration, see [CredentialProviderConfiguration](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CredentialProviderConfiguration.html). For more information on outbound authorization, see [Set up outbound authorization for your gateway](./gateway-outbound-auth.html).
@@ -26 +26,5 @@ To learn more about a credential provider configuration, select a topic:
-If you're using IAM authorization through an AgentCore Gateway service role for your target, you can just specify the `credentialProviderType` as `GATEWAY_IAM_ROLE"` and omit the `credentialProvider` field, as in the following example:
+If you're using IAM authorization through an AgentCore Gateway service role for your target, specify the `credentialProviderType` as `GATEWAY_IAM_ROLE`. The configuration depends on your target type.
+
+**For Lambda, API Gateway, and Smithy targets**
+
+The `iamCredentialProvider` configuration is not needed because the target service name is already known to the AgentCore Gateway service. Use only the `credentialProviderType` configuration, as shown in the following example:
@@ -32,0 +37,28 @@ If you're using IAM authorization through an AgentCore Gateway service role for
+**For MCP server targets**
+
+For MCP server targets, you must also provide an `iamCredentialProvider` with the service name used for [AWS Signature Version 4 (Sig V4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) signing. The `service` field is required. The `region` field is optional and defaults to the gateway's Region.
+    
+    
+    {
+        "credentialProviderType": "GATEWAY_IAM_ROLE",
+        "credentialProvider": {
+            "iamCredentialProvider": {
+                "service": "bedrock-agentcore",
+                "region": "us-west-2"
+            }
+        }
+    }
+
+The following table describes the fields in the `iamCredentialProvider` object:
+
+Field | Required | Description  
+---|---|---  
+`service` | Yes | The AWS service name used for SigV4 signing. This value must match the service name that the target expects when verifying the SigV4 signature. The following are common values: 
+
+  * `bedrock-agentcore` – For MCP servers hosted on Amazon Bedrock AgentCore, such as the runtime (see [Deploy MCP servers in AgentCore Runtime](./runtime-mcp.html)) or another gateway.
+  * `execute-api` – For MCP servers behind Amazon API Gateway.
+  * `lambda` – For MCP servers behind Lambda Function URLs.
+
+  
+`region` | No | The AWS Region for SigV4 signing. If omitted, defaults to the gateway's Region.  
+  
@@ -99 +131 @@ To learn more about 3LO authentication, see [OAuth 2.0 authorization URL session
-If you set up API key authorization, you specify the `credentialProviderType` as `API_KEY`. In the object that the `credentialProvider` field maps to, map an `oauthCredentialProvider` field name to an [OAuthCredentialProvider](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_OAuthCredentialProvider.html) object and provide the values based on your outbound authorization setup. The following JSON shows the structure:
+If you set up API key authorization, you specify the `credentialProviderType` as `API_KEY`. In the object that the `credentialProvider` field maps to, map an `apiKeyCredentialProvider` field name to an [ApiKeyCredentialProvider](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_ApiKeyCredentialProvider.html) object and provide the values based on your outbound authorization setup. The following JSON shows the structure:
@@ -107 +139 @@ If you set up API key authorization, you specify the `credentialProviderType` as
-                "credentialLocation": "HEADER" | "QUERY PARAMETER",
+                "credentialLocation": "HEADER" | "QUERY_PARAMETER",