AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-10 · Documentation low

File: bedrock-agentcore/latest/devguide/gateway-outbound-auth.md

Summary

Updated documentation formatting and typographical changes (straight quotes to curly quotes), restructured example sections with proper headings and step numbering for OAuth client and API key setup procedures.

Security assessment

The changes are primarily cosmetic and organizational - converting straight quotes to curly quotes, restructuring example sections with proper markdown formatting, and adding step numbers. No security vulnerabilities, patches, or new security features are documented. The content remains about existing authentication methods (IAM, OAuth, API keys) without substantive security changes.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-outbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-outbound-auth.md
index 82f0f2eed..869ae488f 100644
--- a//bedrock-agentcore/latest/devguide/gateway-outbound-auth.md
+++ b//bedrock-agentcore/latest/devguide/gateway-outbound-auth.md
@@ -19 +19 @@ AgentCore Gateway supports the following types of outbound authorization:
-    * **Client credentials grant** – Machine-to-machine authentication (also known as 2-legged OAuth). The client application access resources on the application's behalf, rather than on behalf of the user.
+    * **Client credentials grant** – Machine-to-machine authentication (also known as 2-legged OAuth). The client application access resources on the application’s behalf, rather than on behalf of the user.
@@ -63 +63 @@ Select a topic to learn how to set up that type of authorization:
-IAM-based outbound authorization lets you use the gateway service role's IAM credentials to authorize with [AWS Signature Version 4 (Sig V4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html). This option lets the Amazon Bedrock AgentCore service authenticate to gateway targets on your gateway callers' behalf.
+IAM-based outbound authorization lets you use the gateway service role’s IAM credentials to authorize with [AWS Signature Version 4 (Sig V4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) . This option lets the Amazon Bedrock AgentCore service authenticate to gateway targets on your gateway callers' behalf.
@@ -73 +73 @@ When you use IAM-based outbound authorization with an MCP server target, you mus
-  * **region** (optional) – The AWS Region for SigV4 signing. If you don't specify a Region, the gateway uses its own Region.
+  * **region** (optional) – The AWS Region for SigV4 signing. If you don’t specify a Region, the gateway uses its own Region.
@@ -84 +84 @@ To set up outbound authorization with an OAuth client, you use the AgentCore Ide
-###### To set up outbound authorization with an OAuth client
+**To set up outbound authorization with an OAuth client**
@@ -88 +88 @@ To set up outbound authorization with an OAuth client, you use the AgentCore Ide
-  2. You'll receive a client ID, client secret, and possibly other values that you'll reference when you set up the outbound authorization.
+  2. You’ll receive a client ID, client secret, and possibly other values that you’ll reference when you set up the outbound authorization.
@@ -102 +102 @@ The shape of the JSON object that the `oauth2ProviderConfigInput` field maps to
-  4. Take note of the generated credential ARN (`credentialProviderArn` in the API) and the AWS Secrets Manager secret ARN (`secretArn` in the API). You'll use these values when you create your gateway target.
+  4. Take note of the generated credential ARN ( `credentialProviderArn` in the API) and the AWS Secrets Manager secret ARN ( `secretArn` in the API). You’ll use these values when you create your gateway target.
@@ -104 +104 @@ The shape of the JSON object that the `oauth2ProviderConfigInput` field maps to
-  5. (If you're using a custom gateway service role) Attach the following identity-based policy to your gateway service role:
+  5. (If you’re using a custom gateway service role) Attach the following identity-based policy to your gateway service role:
@@ -158 +158 @@ The following examples show you how to set authorization through an OAuth client
-AgentCore CLI
+###### Example
@@ -159,0 +160 @@ AgentCore CLI
+AgentCore CLI
@@ -161 +161,0 @@ AgentCore CLI
-The AgentCore CLI credential commands must be run inside an existing agentcore project. If you don't have one yet, create a project first with `agentcore create`.
@@ -162,0 +163 @@ The AgentCore CLI credential commands must be run inside an existing agentcore p
+  1. The AgentCore CLI credential commands must be run inside an existing agentcore project. If you don’t have one yet, create a project first with `agentcore create`.
@@ -172 +172,0 @@ The AgentCore CLI credential commands must be run inside an existing agentcore p
-AWS CLI
@@ -176 +176,4 @@ AWS CLI
-    aws bedrock-agentcore-control create-oauth2-credential-provider \
+AWS CLI
+    
+
+  1.     aws bedrock-agentcore-control create-oauth2-credential-provider \
@@ -189 +191,0 @@ AWS CLI
-Boto3
@@ -193 +195,4 @@ Boto3
-    import boto3
+Boto3
+    
+
+  1.     import boto3
@@ -213 +221 @@ To set up outbound authorization with an API key, you use the AgentCore Identity
-###### To set up outbound authorization with an OAuth client
+**To set up outbound authorization with an OAuth client**
@@ -217 +225 @@ To set up outbound authorization with an API key, you use the AgentCore Identity
-  2. Set up an API key for the provider's service. Take note of the following values, which you'll specify when you add the gateway target:
+  2. Set up an API key for the provider’s service. Take note of the following values, which you’ll specify when you add the gateway target:
@@ -229 +237 @@ To set up outbound authorization with an API key, you use the AgentCore Identity
-  4. Take note of the following values, which you'll specify when you add the gateway target:
+  4. Take note of the following values, which you’ll specify when you add the gateway target:
@@ -237 +245 @@ To set up outbound authorization with an API key, you use the AgentCore Identity
-  5. (If you're using a custom gateway service role) Attach the following identity-based policy to your gateway service role:
+  5. (If you’re using a custom gateway service role) Attach the following identity-based policy to your gateway service role:
@@ -291 +299 @@ The following examples show you how to set an API key for your gateway target:
-AgentCore CLI
+###### Example
@@ -292,0 +301 @@ AgentCore CLI
+AgentCore CLI
@@ -294 +302,0 @@ AgentCore CLI
-The AgentCore CLI credential commands must be run inside an existing agentcore project. If you don't have one yet, create a project first with `agentcore create`.
@@ -295,0 +304 @@ The AgentCore CLI credential commands must be run inside an existing agentcore p
+  1. The AgentCore CLI credential commands must be run inside an existing agentcore project. If you don’t have one yet, create a project first with `agentcore create`.
@@ -303 +311,0 @@ The AgentCore CLI credential commands must be run inside an existing agentcore p
-AWS CLI
@@ -307 +315,4 @@ AWS CLI
-    aws bedrock-agentcore-control create-api-key-credential-provider \
+AWS CLI
+    
+
+  1.     aws bedrock-agentcore-control create-api-key-credential-provider \
@@ -311 +321,0 @@ AWS CLI
-Boto3
@@ -315 +325,4 @@ Boto3
-    import boto3
+Boto3
+    
+
+  1.     import boto3