AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-10 · Documentation low

File: bedrock-agentcore/latest/devguide/runtime-oauth.md

Summary

Updated documentation for OAuth and JWT authentication with AgentCore Identity. Changes include minor text formatting (e.g., 'you'll' to 'you’ll'), reorganization of sections (e.g., moving a tip, changing headings), and clarification of legacy agent permissions related to a service-linked role change effective October 13, 2025.

Security assessment

The changes are primarily editorial and organizational, focusing on clarity and formatting. The document is inherently about security features (OAuth, JWT authentication, and identity management), but the specific changes do not address a newly discovered vulnerability or incident. The update to the 'Legacy Agent Permissions' section clarifies a policy requirement for agents created before a specific date, which is a routine documentation update for a service change, not evidence of a security issue.

Diff

diff --git a/bedrock-agentcore/latest/devguide/runtime-oauth.md b/bedrock-agentcore/latest/devguide/runtime-oauth.md
index 1203e8b3b..9c5fee962 100644
--- a//bedrock-agentcore/latest/devguide/runtime-oauth.md
+++ b//bedrock-agentcore/latest/devguide/runtime-oauth.md
@@ -9 +9 @@ JWT inbound authorization and OAuth outbound access samplePrerequisitesStep 1: C
-This section shows you how to implement authentication and authorization for your agent runtime using OAuth and JWT bearer tokens with [AgentCore Identity](./identity.html). You'll learn how to set up Cognito user pools, configure your agent runtime for JWT authentication (Inbound Auth), and implement OAuth-based access to third-party resources (outbound Auth).
+This section shows you how to implement authentication and authorization for your agent runtime using OAuth and JWT bearer tokens with [AgentCore Identity](./identity.html) . You’ll learn how to set up Cognito user pools, configure your agent runtime for JWT authentication (Inbound Auth), and implement OAuth-based access to third-party resources (outbound Auth).
@@ -36 +36 @@ Implement audit logging to track the relationship between the authenticated prin
-Remember that Amazon Bedrock AgentCore treats this header value as an opaque identifier and relies on your application's logic to maintain the security boundary between authenticated users and their corresponding `user-id` values.
+Remember that Amazon Bedrock AgentCore treats this header value as an opaque identifier and relies on your application’s logic to maintain the security boundary between authenticated users and their corresponding `user-id` values.
@@ -60,3 +60 @@ This configuration includes:
-An AgentCore Runtime can support either IAM SigV4 or JWT Bearer Token based inbound auth, but not both simultaneously. You can always create different versions of your AgentCore Runtime and configure them for different inbound authorization types.
-
-When you create a runtime with Amazon Bedrock AgentCore, a Workload Identity is created automatically for your runtime with AgentCore Identity service.
+An AgentCore Runtime can support either IAM SigV4 or JWT Bearer Token based inbound auth, but not both simultaneously. You can always create different versions of your AgentCore Runtime and configure them for different inbound authorization types. When you create a runtime with Amazon Bedrock AgentCore, a Workload Identity is created automatically for your runtime with AgentCore Identity service.
@@ -91 +89 @@ When you create a runtime with Amazon Bedrock AgentCore, a Workload Identity is
-This guide walks you through the process of setting up your agent runtime to be invoked with an OAuth compliant access token using JWT format. The sample agent will be authorized using AWS Cognito access tokens. Later, you'll also learn how the agent code can fetch Google tokens on behalf of the user to check Google Drive and fetch contents.
+This guide walks you through the process of setting up your agent runtime to be invoked with an OAuth compliant access token using JWT format. The sample agent will be authorized using AWS Cognito access tokens. Later, you’ll also learn how the agent code can fetch Google tokens on behalf of the user to check Google Drive and fetch contents.
@@ -93 +91 @@ This guide walks you through the process of setting up your agent runtime to be
-###### What you'll learn
+**What you’ll learn**
@@ -95 +93 @@ This guide walks you through the process of setting up your agent runtime to be
-In this guide, you'll learn how to:
+In this guide, you’ll learn how to:
@@ -160 +158 @@ The generated agent code will serve as the foundation for implementing OAuth aut
-To set up a Cognito user pool and create a user, you'll use a shell script that automates the process.
+To set up a Cognito user pool and create a user, you’ll use a shell script that automates the process.
@@ -164 +162 @@ For more information, see [Step 2: Import Identity and Auth modules](./identity-
-###### To set up Cognito user pool and create a user
+**To set up Cognito user pool and create a user**
@@ -228 +226 @@ In the terminal window, run the script:
-Note the output from the script. You'll need these values in the next steps.
+Note the output from the script. You’ll need these values in the next steps.
@@ -237 +235 @@ This script creates a Cognito user pool, a user pool client, adds a user, and ge
-###### Service-Linked Role Change - Effective October 13, 2025
+###### Important
@@ -271 +269 @@ For detailed information about the service-linked role, see [Identity service-li
-Now you'll deploy your agent with JWT authorization using the Cognito user pool you created. You will need to create an agent with authorizer configuration. The following table represents the various authorizer configuration parameters and how we use them to validate the incoming token. 
+Now you’ll deploy your agent with JWT authorization using the Cognito user pool you created. You will need to create an agent with authorizer configuration. The following table represents the various authorizer configuration parameters and how we use them to validate the incoming token.
@@ -280,0 +279,2 @@ If both client_id and aud is provided, the agent runtime authorizer will verify
+###### Example
+
@@ -284 +284 @@ AgentCore CLI
-###### To configure and deploy your agent
+  1. [#deploy-agent.title] **To configure and deploy your agent**
@@ -286 +286 @@ AgentCore CLI
-  1. Create your agent project with the AgentCore CLI:
+  2. Create your agent project with the AgentCore CLI:
@@ -292 +292 @@ When prompted, choose your framework (choose Strands Agents for this tutorial).
-  2. Deploy your agent:
+  3. Deploy your agent:
@@ -296 +296 @@ When prompted, choose your framework (choose Strands Agents for this tutorial).
-  3. Note the agent runtime ARN from the output. You'll need this in the next step.
+  4. Note the agent runtime ARN from the output. You’ll need this in the next step.
@@ -297,0 +298 @@ When prompted, choose your framework (choose Strands Agents for this tutorial).
+###### Tip
@@ -298,0 +300 @@ When prompted, choose your framework (choose Strands Agents for this tutorial).
+You can also run the `agentcore create` command without flags for a fully interactive experience that guides you through project setup.
@@ -301 +302,0 @@ When prompted, choose your framework (choose Strands Agents for this tutorial).
-###### Tip
@@ -303 +303,0 @@ When prompted, choose your framework (choose Strands Agents for this tutorial).
-You can also run the `agentcore create` command without flags for a fully interactive experience that guides you through project setup.
@@ -308,2 +308 @@ Python
-    
-    import boto3
+  1.     import boto3
@@ -341 +342 @@ Now that your agent is deployed with JWT authorization, you can invoke it using
-###### Legacy Agent Permissions
+###### Important
@@ -343 +344 @@ Now that your agent is deployed with JWT authorization, you can invoke it using
-**Important for existing users** : Agents created **before October 13, 2025** will continue to use the agent execution role for identity permissions and **require** the above policy to be attached to the agent's execution role.
+**Important for existing users** : Agents created **before October 13, 2025** will continue to use the agent execution role for identity permissions and **require** the above policy to be attached to the agent’s execution role.
@@ -381 +382 @@ Invoke the agent with OAuth.
-Use cURL
+###### Example
@@ -382,0 +384 @@ Use cURL
+Use cURL
@@ -385 +387 @@ Use cURL
-    // Invoke with OAuth token
+  1.     // Invoke with OAuth token
@@ -398 +403 @@ Use Python
-Since boto3 doesn't support invocation with bearer tokens, you'll need to use an HTTP client like the requests library in Python.
+  1. Since boto3 doesn’t support invocation with bearer tokens, you’ll need to use an HTTP client like the requests library in Python.
@@ -400 +405 @@ Since boto3 doesn't support invocation with bearer tokens, you'll need to use an
-###### To invoke your agent with a bearer token
+**To invoke your agent with a bearer token**
@@ -402 +407 @@ Since boto3 doesn't support invocation with bearer tokens, you'll need to use an
-  1. Create a Python script named `invoke_agent.py` with the following content:
+  2. Create a Python script named `invoke_agent.py` with the following content:
@@ -461 +466 @@ Since boto3 doesn't support invocation with bearer tokens, you'll need to use an
-  2. Replace `AWS_REGION` with the AWS Region that you are using. from Step 3.
+  3. Replace `AWS_REGION` with the AWS Region that you are using. from Step 3.
@@ -463 +468 @@ Since boto3 doesn't support invocation with bearer tokens, you'll need to use an
-  3. Replace `YOUR_AGENT_ARN_HERE` with your actual agent runtime ARN from Step 3.
+  4. Replace `YOUR_AGENT_ARN_HERE` with your actual agent runtime ARN from Step 3.
@@ -465 +470 @@ Since boto3 doesn't support invocation with bearer tokens, you'll need to use an
-  4. Run the script:
+  5. Run the script:
@@ -492 +497 @@ You must pre-register your OAuth client in Cognito (via AWS Console or CLI) to o
-In this section, you'll learn how to connect your agent code with AgentCore Credential Providers for secure access to external resources using OAuth2 authentication.
+In this section, you’ll learn how to connect your agent code with AgentCore Credential Providers for secure access to external resources using OAuth2 authentication.
@@ -523 +528 @@ To set up a Google Credential Provider, you need to:
-Obtain the `callbackUrl` from the [ CreateOauth2CredentialProvider ](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateOauth2CredentialProvider.html) response above and add the URI to your Google application's redirect URI list. The callback URL should look like: ` https://bedrock-agentcore.us-east-1.amazonaws.com/identities/oauth2/callback/********-****-****-****-************`
+Obtain the `callbackUrl` from the [CreateOauth2CredentialProvider](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateOauth2CredentialProvider.html) response above and add the URI to your Google application’s redirect URI list. The callback URL should look like: https://bedrock-agentcore.us-east-1.amazonaws.com/identities/oauth2/callback/********-****-****-****-************
@@ -558 +563 @@ For a sample local callback server implementation to handle [ session binding](h
-###### What happens behind the scenes
+**What happens behind the scenes**
@@ -589 +594 @@ In this step you make changes to your agent code so that you can decode and extr
-###### requirements.txt
+**requirements.txt**
@@ -596 +601 @@ Add PyJWT dependency to the `requirements.txt` file in your generated project.
-###### Update your agent code
+**Update your agent code**
@@ -649 +654 @@ If you encounter issues with token authentication, you can decode the token to i
-This will output the token's payload, which looks similar to:
+This will output the token’s payload, which looks similar to: