AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-06-04 · Documentation low

File: bedrock-agentcore/latest/devguide/resource-providers.md

Summary

Added documentation for integrating AWS Secrets Manager with credential providers, including OAuth2, API keys, and payment processors (Coinbase CDP/Stripe Privy). Provided CLI, Boto3, and SDK examples for storing secrets externally.

Security assessment

The changes document secure secret management using AWS Secrets Manager instead of hardcoding credentials. This promotes security best practices but doesn't address a specific vulnerability. No evidence of patching a security issue.

Diff

diff --git a/bedrock-agentcore/latest/devguide/resource-providers.md b/bedrock-agentcore/latest/devguide/resource-providers.md
index a3cbcb8d3..c0c6ecba5 100644
--- a//bedrock-agentcore/latest/devguide/resource-providers.md
+++ b//bedrock-agentcore/latest/devguide/resource-providers.md
@@ -30,0 +31,18 @@ The CLI stores the credential configuration in `agentcore/agentcore.json` and sa
+Alternatively, you can bring your own secret by providing a reference to a client secret already stored in AWS Secrets Manager:
+    
+    
+    aws bedrock-agentcore-control create-oauth2-credential-provider \
+      --name "github-provider" \
+      --credential-provider-vendor "GithubOauth2" \
+      --oauth2-provider-config-input '{
+        "githubOauth2ProviderConfig": {
+          "clientId": "your-github-client-id",
+          "clientSecretSource": "EXTERNAL",
+          "clientSecretConfig": {
+            "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret",
+            "jsonKey": "clientSecret"
+          }
+        }
+      }' \
+      --region us-east-1
+
@@ -57,0 +76,9 @@ If you are using the AgentCore CLI, you can store an API key with a single comma
+Alternatively, you can bring your own secret by providing a reference to an API key already stored in AWS Secrets Manager:
+    
+    
+    aws bedrock-agentcore-control create-api-key-credential-provider \
+      --name "your-service-name" \
+      --api-key-secret-source EXTERNAL \
+      --api-key-secret-config secretId=arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret,jsonKey=api_key \
+      --region us-east-1
+
@@ -72 +99 @@ For services that use payment-processor credentials such as Coinbase CDP or Stri
-Payment credential providers currently support two vendors: `CoinbaseCDP` and `StripePrivy`. Supply exactly one configuration block under `providerConfigurationInput` that matches the `credentialProviderVendor` you choose.
+Payment credential providers currently support two vendors: `CoinbaseCDP` and `StripePrivy`. Supply exactly one configuration block under `providerConfigurationInput` that matches the `credentialProviderVendor` you choose. Alternatively, you can bring your own secret by providing a reference to a secret already stored in AWS Secrets Manager.
@@ -93,0 +121,23 @@ The following example creates a payment credential provider for Coinbase CDP:
+The following example creates a Coinbase CDP payment credential provider with secrets stored in AWS Secrets Manager:
+    
+    
+    aws bedrock-agentcore-control create-payment-credential-provider \
+      --name "coinbase-provider" \
+      --credential-provider-vendor "CoinbaseCDP" \
+      --provider-configuration-input '{
+        "coinbaseCdpConfiguration": {
+          "apiKeyId": "your-coinbase-api-key-id",
+          "apiKeySecretSource": "EXTERNAL",
+          "apiKeySecretConfig": {
+            "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-api-secret",
+            "jsonKey": "apiKeySecret"
+          },
+          "walletSecretSource": "EXTERNAL",
+          "walletSecretConfig": {
+            "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-wallet-secret",
+            "jsonKey": "walletSecret"
+          }
+        }
+      }' \
+      --region us-east-1
+
@@ -109,0 +160,24 @@ The following example creates a payment credential provider for Stripe Privy:
+The following example creates a Stripe Privy payment credential provider with secrets stored in AWS Secrets Manager:
+    
+    
+    aws bedrock-agentcore-control create-payment-credential-provider \
+      --name "stripe-privy-provider" \
+      --credential-provider-vendor "StripePrivy" \
+      --provider-configuration-input '{
+        "stripePrivyConfiguration": {
+          "appId": "your-stripe-privy-app-id",
+          "appSecretSource": "EXTERNAL",
+          "appSecretConfig": {
+            "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-secret",
+            "jsonKey": "appSecret"
+          },
+          "authorizationPrivateKeySource": "EXTERNAL",
+          "authorizationPrivateKeyConfig": {
+            "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-auth-key-secret",
+            "jsonKey": "authorizationPrivateKey"
+          },
+          "authorizationId": "your-stripe-privy-authorization-id"
+        }
+      }' \
+      --region us-east-1
+
@@ -131,0 +206,27 @@ The following example configures a provider for Coinbase CDP:
+The following example configures a Coinbase CDP provider with secrets stored in AWS Secrets Manager:
+    
+    
+    import boto3
+    
+    client = boto3.client("bedrock-agentcore-control", region_name="us-east-1")
+    
+    coinbase_provider = client.create_payment_credential_provider(
+        name="coinbase-provider",
+        credentialProviderVendor="CoinbaseCDP",
+        providerConfigurationInput={
+            "coinbaseCdpConfiguration": {
+                "apiKeyId": "your-coinbase-api-key-id",
+                "apiKeySecretSource": "EXTERNAL",
+                "apiKeySecretConfig": {
+                    "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-api-secret",
+                    "jsonKey": "apiKeySecret"
+                },
+                "walletSecretSource": "EXTERNAL",
+                "walletSecretConfig": {
+                    "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-wallet-secret",
+                    "jsonKey": "walletSecret"
+                }
+            }
+        }
+    )
+
@@ -151,0 +253,28 @@ The following example configures a provider for Stripe Privy:
+The following example configures a Stripe Privy provider with secrets stored in AWS Secrets Manager:
+    
+    
+    import boto3
+    
+    client = boto3.client("bedrock-agentcore-control", region_name="us-east-1")
+    
+    stripe_privy_provider = client.create_payment_credential_provider(
+        name="stripe-privy-provider",
+        credentialProviderVendor="StripePrivy",
+        providerConfigurationInput={
+            "stripePrivyConfiguration": {
+                "appId": "your-stripe-privy-app-id",
+                "appSecretSource": "EXTERNAL",
+                "appSecretConfig": {
+                    "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-secret",
+                    "jsonKey": "appSecret"
+                },
+                "authorizationPrivateKeySource": "EXTERNAL",
+                "authorizationPrivateKeyConfig": {
+                    "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-auth-key-secret",
+                    "jsonKey": "authorizationPrivateKey"
+                },
+                "authorizationId": "your-stripe-privy-authorization-id"
+            }
+        }
+    )
+
@@ -173,0 +303,27 @@ The following example configures a provider for Coinbase CDP:
+The following example configures a Coinbase CDP provider with secrets stored in AWS Secrets Manager:
+    
+    
+    from bedrock_agentcore.services.identity import IdentityClient
+    
+    identity_client = IdentityClient("us-east-1")
+    
+    coinbase_provider = identity_client.create_payment_credential_provider(
+        name="coinbase-provider",
+        credential_provider_vendor="CoinbaseCDP",
+        provider_configuration_input={
+            "coinbaseCdpConfiguration": {
+                "apiKeyId": "your-coinbase-api-key-id",
+                "apiKeySecretSource": "EXTERNAL",
+                "apiKeySecretConfig": {
+                    "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-api-secret",
+                    "jsonKey": "apiKeySecret"
+                },
+                "walletSecretSource": "EXTERNAL",
+                "walletSecretConfig": {
+                    "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-wallet-secret",
+                    "jsonKey": "walletSecret"
+                }
+            }
+        }
+    )
+
@@ -190,0 +347,28 @@ The following example configures a provider for Stripe Privy:
+        }
+    )
+
+The following example configures a Stripe Privy provider with secrets stored in AWS Secrets Manager:
+    
+    
+    from bedrock_agentcore.services.identity import IdentityClient
+    
+    identity_client = IdentityClient("us-east-1")
+    
+    stripe_privy_provider = identity_client.create_payment_credential_provider(
+        name="stripe-privy-provider",
+        credential_provider_vendor="StripePrivy",
+        provider_configuration_input={
+            "stripePrivyConfiguration": {
+                "appId": "your-stripe-privy-app-id",
+                "appSecretSource": "EXTERNAL",
+                "appSecretConfig": {
+                    "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-secret",
+                    "jsonKey": "appSecret"
+                },
+                "authorizationPrivateKeySource": "EXTERNAL",
+                "authorizationPrivateKeyConfig": {
+                    "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-auth-key-secret",
+                    "jsonKey": "authorizationPrivateKey"
+                },
+                "authorizationId": "your-stripe-privy-authorization-id"
+            }