AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-01 · Documentation low

File: bedrock-agentcore/latest/devguide/gateway-outbound-auth.md

Summary

Added documentation for three new outbound authorization types: Caller IAM credentials, Token exchange grant (On-behalf-of), and Token passthrough. Updated authorization support matrix with new columns and target types.

Security assessment

The changes document new authentication/authorization mechanisms but don't reference any security vulnerability fix. They enhance security documentation by explaining credential delegation, token exchange standards (RFC 8693/RFC 7523), and token forwarding patterns.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-outbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-outbound-auth.md
index cdfbcb202..8354facfe 100644
--- a//bedrock-agentcore/latest/devguide/gateway-outbound-auth.md
+++ b//bedrock-agentcore/latest/devguide/gateway-outbound-auth.md
@@ -18,0 +19,2 @@ AgentCore Gateway supports the following types of outbound authorization:
+  * **Caller IAM credentials** – The gateway uses the caller’s IAM credentials to sign requests to the target. The gateway assumes a role on behalf of the caller using the Federated Access Service (FAS) and signs the outbound request with the caller’s identity. This is useful when the target service needs to authorize based on the original caller’s identity rather than the gateway service role.
+
@@ -24,0 +27,4 @@ AgentCore Gateway supports the following types of outbound authorization:
+    * **Token exchange grant (On-behalf-of)** – The gateway exchanges the inbound user’s access token for a new, scoped access token that targets a downstream resource server, using [RFC 8693 token exchange](https://datatracker.ietf.org/doc/html/rfc8693) or [RFC 7523 JWT authorization grants](https://datatracker.ietf.org/doc/html/rfc7523). The exchanged token carries both the user’s identity and the agent’s identity, enabling downstream services to enforce fine-grained authorization at every hop without triggering additional consent flows. For more information, see [On-behalf-of token exchange](./on-behalf-of-token-exchange.html).
+
+  * **Token passthrough** – The gateway passes the inbound authorization token directly to the target without modification. The target service is responsible for validating the token. This requires the gateway to use `AUTHENTICATE_ONLY` inbound authorization so that the token is validated but preserved for forwarding.
+
@@ -32,7 +38,8 @@ The type of outbound authorization that you can set up is dependent on the gatew
-Target type | No authorization | Gateway service role | OAuth (client credentials) | OAuth (authorization code) | API key  
----|---|---|---|---|---  
-API Gateway stage |  Yes |  Yes |  No |  No |  Yes  
-Lambda function |  No |  Yes |  No |  No |  No  
-MCP server |  Yes |  Yes |  Yes |  No |  No  
-OpenAPI schema |  No |  No |  Yes |  Yes |  Yes  
-Smithy schema |  No |  Yes |  Yes |  No |  No  
+Target type | No authorization | Gateway service role | Caller IAM credentials | OAuth (client credentials) | OAuth (authorization code) | OAuth (token exchange) | Token passthrough | API key  
+---|---|---|---|---|---|---|---|---  
+API Gateway stage |  Yes |  Yes |  No |  No |  No |  No |  No |  Yes  
+Lambda function |  No |  Yes |  No |  No |  No |  No |  No |  No  
+MCP server |  Yes |  Yes |  No |  Yes |  No |  Yes |  No |  No  
+OpenAPI schema |  No |  No |  No |  Yes |  Yes |  Yes |  No |  Yes  
+Smithy schema |  No |  Yes |  No |  Yes |  No |  No |  No |  No  
+AgentCore Runtime (HTTP) |  No |  Yes |  Yes |  Yes |  No |  No |  Yes |  No