AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-06-04 · Documentation low

File: bedrock-agentcore/latest/devguide/identity-add-api-key.md

Summary

Added option to provide API keys via AWS Secrets Manager instead of direct input, including new configuration fields for secret ARN and JSON key.

Security assessment

The change promotes security best practices by allowing secrets to be stored in Secrets Manager instead of direct configuration, enabling rotation and access control. However, there's no evidence this addresses a specific vulnerability.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-add-api-key.md b/bedrock-agentcore/latest/devguide/identity-add-api-key.md
index adac5c78d..95bfc6b35 100644
--- a//bedrock-agentcore/latest/devguide/identity-add-api-key.md
+++ b//bedrock-agentcore/latest/devguide/identity-add-api-key.md
@@ -19 +19,11 @@ API keys provide key-based authentication for services that require direct key a
-  4. For **API key** , enter the key value provided by your external service. AgentCore Identity securely stores this value and makes it available to your agent at runtime.
+  4. For **API key selection method** , choose one of the following options:
+
+    1. **Provide API key** – Enter the API key value directly.
+
+      1. For **API key** , enter the key value provided by your external service. AgentCore Identity securely stores this value and makes it available to your agent at runtime.
+
+    2. **Provide API key via Secrets Manager** – Reference a secret stored in AWS Secrets Manager instead of entering the value directly.
+
+      1. For **Secrets Manager** , enter or select the ARN of the Secrets Manager secret that contains your API key.
+
+      2. For **JSON key** , enter the JSON key in your Secrets Manager secret that contains the API key value.