AWS bedrock-agentcore documentation change
Summary
Added documentation for creating gateways with AUTHENTICATE_ONLY authorization, updated protocolType description, and standardized example account IDs.
Security assessment
The change adds documentation for AUTHENTICATE_ONLY authorization which describes a security feature where the gateway validates tokens but delegates authorization to targets. This enhances security documentation but doesn't address a specific vulnerability. Account ID changes are routine updates.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-create-api.md b/bedrock-agentcore/latest/devguide/gateway-create-api.md index 5a40edac3..464ade611 100644 --- a//bedrock-agentcore/latest/devguide/gateway-create-api.md +++ b//bedrock-agentcore/latest/devguide/gateway-create-api.md @@ -7 +7 @@ -The authorizer configurationCreate a gateway: basic example (Custom JWT authorization)Create a gateway: basic example (IAM authorization)Create a gateway: basic example (NONE authorizer)Create a gateway with semantic searchCreate a gateway with debugging messagesCreate a gateway with interceptor configurationsCreate a gateway with a policy engine configuration +The authorizer configurationCreate a gateway: basic example (Custom JWT authorization)Create a gateway: basic example (IAM authorization)Create a gateway: basic example (NONE authorizer)Create a gateway: basic example (AUTHENTICATE_ONLY authorization)Create a gateway with semantic searchCreate a gateway with debugging messagesCreate a gateway with interceptor configurationsCreate a gateway with a policy engine configuration @@ -21,2 +20,0 @@ Minimally, you must specify the following fields: - * `protocolType` – The protocol type for the gateway. - @@ -27,0 +26,2 @@ The following optional fields add metadata to your gateway: + * `protocolType` – The protocol type for the gateway. If you set this to `MCP`, the gateway operates in aggregation mode and can only have MCP targets. If you omit this field, the gateway can have both MCP and HTTP targets. + @@ -383 +383 @@ AWS CLI - --role-arn arn:aws:iam::123456789012:role/my-gateway-service-role \ + --role-arn arn:aws:iam::111122223333:role/my-gateway-service-role \ @@ -405 +405 @@ AWS Python SDK (Boto3) - roleArn="arn:aws:iam::123456789012:role/my-gateway-service-role", + roleArn="arn:aws:iam::111122223333:role/my-gateway-service-role", @@ -414,0 +415,61 @@ AWS Python SDK (Boto3) +## Create a gateway: basic example (AUTHENTICATE_ONLY authorization) + +This section provides examples of creating a gateway with `AUTHENTICATE_ONLY` authorization. With this authorizer type, the gateway validates the inbound token but does not perform full authorization. The authenticated identity or token is then passed through to the target for downstream authorization. This is useful when you want the gateway to verify that the caller is authenticated while delegating authorization decisions to the target service. + +###### Note + +The `AUTHENTICATE_ONLY` authorizer type requires a JWT authorizer configuration. The gateway validates the token but does not enforce scope or audience restrictions for authorization. If you choose an option that involves specifying an overt gateway service role ARN, ensure that you specify an existing one that you’ve set up. For more information, see [AgentCore Gateway service role permissions](./gateway-prerequisites-permissions.html#gateway-service-role-permissions). + +Select one of the following methods: + +###### Example + +AWS CLI + + + 1. Run the following command to create a gateway with `AUTHENTICATE_ONLY` authorization: + + aws bedrock-agentcore-control create-gateway \ + --name my-gateway \ + --role-arn arn:aws:iam::111122223333:role/my-gateway-service-role \ + --authorizer-type AUTHENTICATE_ONLY \ + --authorizer-configuration '{ + "jwtAuthenticationConfiguration": { + "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/some-user-pool/.well-known/openid-configuration", + "allowedClients": ["clientId"] + } + }' + +The `gatewayUrl` in the response is the endpoint to use when you invoke the gateway. + + + + +AWS Python SDK (Boto3) + + + 1. The following Python code shows how to create a gateway with `AUTHENTICATE_ONLY` authorization: + + import boto3 + + # Initialize the AgentCore client + client = boto3.client('bedrock-agentcore-control') + + # Create a gateway + gateway = client.create_gateway( + name="my-gateway", + roleArn="arn:aws:iam::111122223333:role/my-gateway-service-role", + authorizerType="AUTHENTICATE_ONLY", + authorizerConfiguration={ + "jwtAuthenticationConfiguration": { + "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/some-user-pool/.well-known/openid-configuration", + "allowedClients": ["clientId"] + } + } + ) + + print(f"Gateway URL: {gateway['gatewayUrl']}") + + + +