AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2026-05-16 · Security-related high

File: bedrock-agentcore/latest/devguide/harness-tools.md

Summary

Added documentation for securely referencing API keys from AgentCore Identity Token Vault using ARN syntax in remote MCP tool configurations

Security assessment

The change introduces secure credential management by replacing plain-text API keys with references to a credential vault (${arn:...} syntax). This prevents credential leakage in configurations and enables automated rotation.

Diff

diff --git a/bedrock-agentcore/latest/devguide/harness-tools.md b/bedrock-agentcore/latest/devguide/harness-tools.md
index 35e0a7fde..3cf1257d5 100644
--- a//bedrock-agentcore/latest/devguide/harness-tools.md
+++ b//bedrock-agentcore/latest/devguide/harness-tools.md
@@ -59,0 +60,6 @@ The `--type` flag uses underscore-separated names (e.g., `agentcore_browser`), w
+    # Add a remote MCP server with an API key from AgentCore Identity Token Vault.
+    # Use ${arn:...} syntax in header values to reference a credential provider.
+    agentcore add tool --harness my-agent --type remote_mcp \
+      --name exa-secure --url https://mcp.exa.ai/mcp \
+      --header 'x-api-key=${arn:aws:bedrock-agentcore:us-west-2:123456789012:token-vault/default/apikeycredentialprovider/my-exa-key}'
+    
@@ -100 +106 @@ Pass `tools` at create, update, or invoke time:
-        # MCP server with authentication headers
+        # MCP server with authentication headers (plain text)
@@ -109 +115,12 @@ Pass `tools` at create, update, or invoke time:
-        # For managed credential rotation and API key storage, put your MCP server
+        # MCP server with API key stored in AgentCore Identity Token Vault.
+        # Use ${arn:...} to reference a credential provider — the ARN is resolved
+        # to the actual API key at invocation time.
+        {
+            "type": "remote_mcp",
+            "name": "exa-secure",
+            "config": {"remoteMcp": {
+                "url": "https://mcp.exa.ai/mcp",
+                "headers": {"x-api-key": "${arn:aws:bedrock-agentcore:us-west-2:123456789012:token-vault/default/apikeycredentialprovider/my-exa-key}"}
+            }},
+        },
+        # For managed credential rotation and OAuth-protected tools, put your MCP server