AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-06-19 · Documentation medium

File: bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md

Summary

Added documentation for two new authorization types: Caller IAM credentials authorization and JWT passthrough authorization. Updated target compatibility for IAM authorization.

Security assessment

The changes introduce new authorization methods (CALLER_IAM_CREDENTIALS and JWT_PASSTHROUGH) which are security features, but there's no evidence of addressing a specific vulnerability. The additions enhance security documentation by describing new credential handling mechanisms.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md b/bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md
index c93150536..1eb22ea35 100644
--- a//bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md
+++ b//bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md
@@ -7 +7 @@
-AgentCore Gateway service role (IAM) authorizationOAuth authorizationAPI key authorization
+AgentCore Gateway service role (IAM) authorizationOAuth authorizationAPI key authorizationCaller IAM credentials authorizationJWT passthrough authorization
@@ -22,0 +23,4 @@ To learn more about a credential provider configuration, select a topic:
+  * Caller IAM credentials authorization
+
+  * JWT passthrough authorization
+
@@ -30 +34 @@ If you’re using IAM authorization through an AgentCore Gateway service role fo
-**For Lambda, API Gateway, and Smithy targets**
+**For Lambda, API Gateway, Smithy and Connector targets**
@@ -184,0 +189,26 @@ If you set up API key authorization, you specify the `credentialProviderType` as
+## Caller IAM credentials authorization
+
+If you want the gateway to use the IAM identity and permissions of the caller to sign requests to the downstream target, specify the `credentialProviderType` as `CALLER_IAM_CREDENTIALS`. With this authorization type, the gateway makes a request to the downstream target on behalf of the gateway caller using SigV4. This allows the downstream target to apply IAM policies based on who originally called the gateway.
+
+###### Note
+
+`CALLER_IAM_CREDENTIALS` is only available for gateways that have `AWS_IAM` or `AUTHENTICATE_ONLY` as the authorizer type.
+    
+    
+    {
+        "credentialProviderType": "CALLER_IAM_CREDENTIALS"
+    }
+
+## JWT passthrough authorization
+
+If you want the gateway to pass the bearer token from the incoming request directly to the downstream target without modification, specify the `credentialProviderType` as `JWT_PASSTHROUGH`. The gateway validates the inbound token and then forwards it to the target in the outbound request. This is useful when the target service handles its own authorization using the original caller’s token.
+
+###### Note
+
+`JWT_PASSTHROUGH` is only available for HTTP targets (passthrough and AgentCore Runtime).
+    
+    
+    {
+        "credentialProviderType": "JWT_PASSTHROUGH"
+    }
+