AWS bedrock-agentcore documentation change
Summary
Updated principal type documentation to include both OAuthUser and IamEntity types, adding details about IamEntity for IAM-authenticated gateways
Security assessment
This change adds documentation for a new IamEntity principal type with id attribute containing IAM ARN, enabling pattern matching for access control. This enhances security documentation by clarifying authorization mechanisms for IAM-authenticated gateways, but doesn't address a specific security issue.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-schema-constraints.md b/bedrock-agentcore/latest/devguide/policy-schema-constraints.md index f76e8c2cb..bcdff33d2 100644 --- a//bedrock-agentcore/latest/devguide/policy-schema-constraints.md +++ b//bedrock-agentcore/latest/devguide/policy-schema-constraints.md @@ -5 +5 @@ -Principal TypeResource TypeActionsContextWhat You Cannot Do +Principal TypesResource TypeActionsContextWhat You Cannot Do @@ -13 +13 @@ Policies for Amazon Bedrock AgentCore Gateway must validate against a specific C - * Principal Type + * Principal Types @@ -26 +26 @@ Policies for Amazon Bedrock AgentCore Gateway must validate against a specific C -## Principal Type +## Principal Types @@ -28 +28 @@ Policies for Amazon Bedrock AgentCore Gateway must validate against a specific C - * Must be `AgentCore::OAuthUser` +The principal type depends on the authentication method configured for your AgentCore Gateway: @@ -30 +30,4 @@ Policies for Amazon Bedrock AgentCore Gateway must validate against a specific C - * Represents OAuth-authenticated users +`AgentCore::OAuthUser` + + + * Used for OAuth-authenticated gateways @@ -38,0 +42,12 @@ Policies for Amazon Bedrock AgentCore Gateway must validate against a specific C +`AgentCore::IamEntity` + + + * Used for IAM-authenticated gateways (AWS_IAM authorizer) + + * Has an `id` attribute containing the caller's IAM ARN + + * Does not support tags; use pattern matching on `principal.id` for access control + + + +