AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2026-06-16 · Security-related high

File: bedrock-agentcore/latest/devguide/scope-credential-provider-access.md

Summary

Expanded documentation on IAM policy patterns for credential provider access control, added sections on denying specific providers, using separate workload identities, and clarified ARN formats and best practices.

Security assessment

The changes explicitly focus on security best practices for credential access control, including least-privilege patterns, explicit deny statements for sensitive providers, and workload identity segregation. This directly addresses potential credential exposure risks by providing concrete implementation guidance for restricting access.

Diff

diff --git a/bedrock-agentcore/latest/devguide/scope-credential-provider-access.md b/bedrock-agentcore/latest/devguide/scope-credential-provider-access.md
index e188b28bf..9a9fb7836 100644
--- a//bedrock-agentcore/latest/devguide/scope-credential-provider-access.md
+++ b//bedrock-agentcore/latest/devguide/scope-credential-provider-access.md
@@ -7 +7 @@
-IAM policy examplesImplementation steps
+IAM policy examplesDeny access to a specific credential providerUse separate workload identities for different credential providersImplementation steps
@@ -12,0 +13,6 @@ You can use IAM policies to control which workload identities have access to spe
+###### Note
+
+The IAM role you assign to an agent controls which credential providers the agent can call. The service does not enforce additional binding between workload identities and credential providers in the same account. To follow least-privilege practices, scope your IAM policy `Resource` blocks to specific workload identity and credential provider ARNs rather than using `*`.
+
+A successful call to a credential provider does not mean credentials are automatically returned. The credentials a workload retrieves are scoped to the user identity in its workload access token. For OAuth2 (3LO) providers, the end user must have completed authorization before any credentials exist to retrieve for that workload identity and user combination.
+
@@ -20,0 +27,2 @@ You can use IAM policies to control which workload identities have access to spe
+  * **Credential provider scoping** – Restrict which credential providers a workload identity can access by including credential provider ARNs in the policy `Resource` block
+
@@ -27,0 +36,4 @@ You can use IAM policies to control which workload identities have access to spe
+  * Deny access to a specific credential provider
+
+  * Use separate workload identities for different credential providers
+
@@ -35 +47,3 @@ You can use IAM policies to control which workload identities have access to spe
-The following examples demonstrate how to create IAM policies that restrict credential provider access based on workload identity:
+The following examples demonstrate how to create IAM policies that restrict credential provider access based on workload identity and credential provider.
+
+**Restrict access to a specific API key credential provider**
@@ -37 +51 @@ The following examples demonstrate how to create IAM policies that restrict cred
-**Restrict API key provider access**
+This policy allows a workload identity to retrieve API keys only from a specific credential provider. The credential provider ARN in the `Resource` block restricts access to that provider.
@@ -52 +66,2 @@ The following examples demonstrate how to create IAM policies that restrict cred
-            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default"
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default/api-key/<provider-name>"
@@ -58 +73,3 @@ The following examples demonstrate how to create IAM policies that restrict cred
-**Restrict OAuth2 credential provider access**
+**Restrict access to a specific OAuth2 credential provider**
+
+This policy allows a workload identity to retrieve OAuth2 tokens only from a specific OAuth2 credential provider.
@@ -73 +90,2 @@ The following examples demonstrate how to create IAM policies that restrict cred
-            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default"
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default/oauth2-credential-provider/<provider-name>"
@@ -80,0 +99,2 @@ The following examples demonstrate how to create IAM policies that restrict cred
+This policy allows multiple workload identities to retrieve API keys from the same credential provider.
+    
@@ -96 +116,86 @@ The following examples demonstrate how to create IAM policies that restrict cred
-            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default"
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default/api-key/<provider-name>"
+          ]
+        }
+      ]
+    }
+
+## Deny access to a specific credential provider
+
+You can explicitly deny a workload identity access to a specific credential provider using a `Deny` statement. Deny statements take precedence over Allow statements, making them useful for creating guardrails.
+    
+    
+    {
+    "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "DenyAccessToSensitiveProvider",
+          "Effect": "Deny",
+          "Action": [
+            "bedrock-agentcore:GetResourceApiKey",
+            "bedrock-agentcore:GetResourceOauth2Token"
+          ],
+          "Resource": [
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default/api-key/<sensitive-provider-name>",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default/oauth2-credential-provider/<sensitive-provider-name>"
+          ]
+        }
+      ]
+    }
+
+## Use separate workload identities for different credential providers
+
+If you need different agents to access different credential providers, create separate workload identities with separate IAM roles. Each IAM role is scoped to only the credential providers that the agent needs.
+
+For example, if Agent A should access only Provider X and Agent B should access only Provider Y:
+
+  1. Create workload identity `agent-a` and workload identity `agent-b`
+
+  2. Create IAM role `AgentARole` with a policy that allows access only to Provider X
+
+  3. Create IAM role `AgentBRole` with a policy that allows access only to Provider Y
+
+  4. Associate each workload identity with its corresponding IAM role
+
+
+
+
+**IAM policy for Agent A (access to Provider X only)**
+    
+    
+    {
+    "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AgentAAccessProviderX",
+          "Effect": "Allow",
+          "Action": [
+            "bedrock-agentcore:GetResourceApiKey"
+          ],
+          "Resource": [
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:workload-identity-directory/default",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:workload-identity-directory/default/workload-identity/agent-a",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default/api-key/provider-x"
+          ]
+        }
+      ]
+    }
+
+**IAM policy for Agent B (access to Provider Y only)**
+    
+    
+    {
+    "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AgentBAccessProviderY",
+          "Effect": "Allow",
+          "Action": [
+            "bedrock-agentcore:GetResourceApiKey"
+          ],
+          "Resource": [
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:workload-identity-directory/default",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:workload-identity-directory/default/workload-identity/agent-b",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default",
+            "arn:aws:bedrock-agentcore:us-east-1:<account_id>:token-vault/default/api-key/provider-y"
@@ -108 +213,5 @@ To implement workload identity-based access control for credential providers:
-  2. **Determine credential provider ARNs** – Identify the specific credential providers you want to control access to
+  2. **Determine credential provider ARNs** – Identify the specific credential providers you want to control access to. Credential provider ARNs follow these formats:
+
+     * `arn:aws:bedrock-agentcore:<region>:<account_id>:token-vault/default/api-key/<provider-name>`
+
+     * `arn:aws:bedrock-agentcore:<region>:<account_id>:token-vault/default/oauth2-credential-provider/<provider-name>`
@@ -122,0 +232,6 @@ To implement workload identity-based access control for credential providers:
+  * Include credential provider ARNs in the `Resource` block to scope access to specific providers, rather than granting access to all providers in the account
+
+  * Use separate workload identities and IAM roles when different agents need access to different credential providers
+
+  * Use explicit `Deny` statements to create guardrails that prevent access to sensitive credential providers regardless of other policies
+