AWS bedrock-agentcore documentation change
Summary
Added option to provide API keys via AWS Secrets Manager instead of direct input, including new configuration fields for secret ARN and JSON key.
Security assessment
The change promotes security best practices by allowing secrets to be stored in Secrets Manager instead of direct configuration, enabling rotation and access control. However, there's no evidence this addresses a specific vulnerability.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-add-api-key.md b/bedrock-agentcore/latest/devguide/identity-add-api-key.md index adac5c78d..95bfc6b35 100644 --- a//bedrock-agentcore/latest/devguide/identity-add-api-key.md +++ b//bedrock-agentcore/latest/devguide/identity-add-api-key.md @@ -19 +19,11 @@ API keys provide key-based authentication for services that require direct key a - 4. For **API key** , enter the key value provided by your external service. AgentCore Identity securely stores this value and makes it available to your agent at runtime. + 4. For **API key selection method** , choose one of the following options: + + 1. **Provide API key** – Enter the API key value directly. + + 1. For **API key** , enter the key value provided by your external service. AgentCore Identity securely stores this value and makes it available to your agent at runtime. + + 2. **Provide API key via Secrets Manager** – Reference a secret stored in AWS Secrets Manager instead of entering the value directly. + + 1. For **Secrets Manager** , enter or select the ARN of the Secrets Manager secret that contains your API key. + + 2. For **JSON key** , enter the JSON key in your Secrets Manager secret that contains the API key value.