Deploy AI brokers on Amazon Bedrock AgentCore utilizing GitHub Actions

Just lately, AWS introduced Amazon Bedrock AgentCore, a versatile service that helps builders seamlessly create and handle AI brokers throughout completely different frameworks and fashions, whether or not hosted on Amazon Bedrock or different environments. Particularly, AgentCore Runtime gives a safe, serverless, and purpose-built internet hosting surroundings for deploying and working AI brokers or instruments. AgentCore Runtime is framework agnostic, working seamlessly with in style frameworks like LangGraph, Strands, and CrewAI for deploying your AI brokers and instruments with computerized scaling and built-in safety.

On this submit, we exhibit the way to use a GitHub Actions workflow to automate the deployment of AI brokers on AgentCore Runtime. This strategy delivers a scalable resolution with enterprise-level safety controls, offering full steady integration and supply (CI/CD) automation. By implementing a complete pipeline, we allow seamless agent deployment with AWS greatest practices, together with OpenID Join (OIDC) authentication, least-privilege entry controls, and surroundings separation. Our resolution facilitates environment friendly updates for current brokers and integrates steady safety scans and rigorous code high quality checks. The end result is a strong deployment technique that helps decrease operational complexity, improve safety, and speed up AI agent improvement throughout enterprise environments.

Advantages of Amazon Bedrock AgentCore Runtime

AgentCore Runtime is the perfect service for manufacturing agent deployments:

• Supplies a framework agnostic surroundings to run your brokers
• Works with massive language fashions (LLMs) equivalent to fashions supplied by Amazon Bedrock and Anthropic Claude
• Supplies session isolation by working every consumer session in a devoted microVM with remoted CPU, reminiscence, and file system sources
• Helps each real-time interactions and long-running workloads as much as 8 hours
• Presents built-in capabilities for authentication and observability

Resolution overview

We’ve developed a complete CI/CD pipeline with GitHub Actions that streamlines the deployment of Brokers in compliance with safety commonplace. The pipeline is obtainable as a ready-to-use resolution that may combine seamlessly together with your current improvement workflow.The answer consists of the next key elements:

The next diagram illustrates the structure for the answer.

The info circulate consists of the next steps:

1. A developer commits code modifications from their native repository to the GitHub repository. On this resolution, the GitHub Motion is triggered manually, however this may be automated.
2. The GitHub Motion triggers the construct stage.
3. GitHub’s OIDC makes use of tokens to authenticate with AWS and entry sources.
4. GitHub Actions invokes the command to construct and push the agent container picture to Amazon ECR immediately from the Dockerfile.
5. AWS Inspector triggers a sophisticated safety scan when the picture is uploaded.
6. An AgentCore Runtime occasion is created utilizing the container picture.
7. The agent can additional question the Amazon Bedrock mannequin and invoke instruments in keeping with its configuration.

Within the following sections, we stroll by means of the steps to deploy the answer:

1. Obtain the supply code from the GitHub repo.
2. Create your agent code.
3. Arrange GitHub secrets and techniques.
4. Create an IAM function and insurance policies.
5. Create the GitHub Actions workflow.
6. Set off and monitor the pipeline.
7. Confirm the deployment.

Conditions

Earlier than you should use our safe CI/CD pipeline for deploying brokers to AgentCore Runtime, confirm you might have the next stipulations in place:

Obtain supply code

Clone the supply code repository: bedrock-agentcore-runtime-cicd

git clone https://github.com/aws-samples/sample-bedrock-agentcore-runtime-cicd.git

The repository folder consists of the next construction:

bedrock-agentcore-runtime-cicd/
├── .github/
│   └── workflows/
│       └── deploy-agentcore.yml         # file accommodates the set of motion to construct and deploy the agent on AgentCore Runtime
│       └── test-agent.yml               # after deployment this file is used to check agent through guide workflow dispatch
├── brokers/
│   ├── strands_agent.py                 # makes use of BedrockAgentCoreApp app that creates an AI agent utilizing the Strands framework with Claude because the underlying mannequin
│   ├── necessities.txt                 # accommodates dependencies 
├── scripts
│   ├── create_iam_role.py               # IAM function required for Bedrock AgentCore Runtime
│   ├── deploy_agent.py                  # deploys a customized agent to AWS Bedrock's AgentCore Runtime platform, which lets you run containerized AI brokers on AWS infrastructure 
│   └── setup_oidc.py                    # OIDC setup for Github Authentication and Authorization to entry AWS account to deploy required companies
│   └── cleanup_ecr.py                   # retains 9 current photos in ECR registry, may be custom-made
│   └── create_guardrail.py              # setup minimal guardrail for content material filtering, may be custom-made in keeping with use case
│   └── test_agent.py                    # accommodates check circumstances
└── Dockerfile                           # include directions to construct Docker picture
└── README.md

Create agent code

Create your agent with the framework of your alternative utilizing the AgentCore Runtime toolkit. The toolkit makes use of BedrockAgentCoreApp to create an utility that gives a standardized technique to package deal your AI agent code right into a container that may run on AgentCore Runtime managed infrastructure. It additionally makes use of app.entrypoint, a Python decorator that marks a operate as the primary entry level. When the Amazon Bedrock agent receives the incoming API request, this operate receives and processes the consumer’s request. On this pattern agent code, when somebody calls your Amazon Bedrock agent utilizing an API, AgentCore Runtime will mechanically name the strands_agent_bedrock(payload) operate.

On this submit, we use the brokers/strands_agent.py file to create an agent utilizing the Strands Brokers framework:

"""
This module defines a conversational AI agent that may carry out calculations
utilizing the Strands framework.
"""
from bedrock_agentcore.runtime import BedrockAgentCoreApp
from strands import Agent
from strands.fashions import BedrockModel
from strands_tools import calculator
# Initialize the Bedrock AgentCore utility
app = BedrockAgentCoreApp()
# Configure the Claude mannequin for the agent with guardrail
model_id = "us.anthropic.claude-sonnet-4-20250514-v1:0"
# Load guardrail ID if obtainable
guardrail_config = None
attempt:
    with open("guardrail_id.txt", "r", encoding="utf-8") as f:
        guardrail_id = f.learn().strip()
        if guardrail_id:
            guardrail_config = {
                "guardrailIdentifier": guardrail_id,
                "guardrailVersion": "1",
            }
            print(f"Loaded guardrail: {guardrail_id}")
besides FileNotFoundError:
    print("No guardrail file discovered - working with out guardrail")
mannequin = BedrockModel(model_id=model_id, guardrail=guardrail_config)
# Create the agent with instruments and system immediate
agent = Agent(
    mannequin=mannequin,
    instruments=[calculator],
    system_prompt="You are a useful assistant. You are able to do basic math calculation.",
)
@app.entrypoint
def strands_agent_bedrock(payload):
    """
    Fundamental entrypoint for the Bedrock AgentCore Runtime.
    This operate is known as by AWS Bedrock AgentCore when the agent receives
    a request. It processes the consumer enter and returns the agent's response.
    Args:
        payload (dict): Request payload containing consumer enter
                       Anticipated format: {"immediate": "consumer query"}
    Returns:
        str: The agent's textual content response to the consumer's immediate
    """
    # Extract the consumer's immediate from the payload
    user_input = payload.get("immediate")
    # Course of the enter by means of the agent (handles instrument choice and mannequin inference)
    response = agent(user_input)
    # Extract and return the textual content content material from the response
    return response.message["content"][0]["text"]
if __name__ == "__main__":
    # Run the appliance regionally for testing
    # In manufacturing, that is dealt with by Bedrock AgentCore Runtime
    app.run()

Arrange GitHub secrets and techniques

The GitHub Actions workflow should entry sources in your AWS account. On this submit, we use an IAM OpenID Join identification supplier and IAM roles with IAM insurance policies to entry AWS sources. OIDC lets your GitHub Actions workflows entry sources in AWS with no need to retailer the AWS credentials as long-lived GitHub secrets and techniques. These credentials are saved as GitHub secrets and techniques inside your GitHub repository Settings beneath Secrets and techniques possibility. For extra data, see Utilizing secrets and techniques in GitHub Actions.

Create IAM roles and insurance policies

To run brokers or instruments in AgentCore Runtime, you want an IAM execution function. For details about creating an IAM function, see IAM function creation.

On this submit, we create the required belief coverage and execution function for AgentCore Runtime. See IAM Permissions for AgentCore Runtime for extra particulars.

The next code is for the AgentCore Runtime belief coverage:

{
  "Model": "2012-10-17",
  "Assertion": [
    {
      "Sid": "AssumeRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "bedrock-agentcore.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "accountId"
            },
            "ArnLike": {
                "aws:SourceArn": "arn:aws:bedrock-agentcore:region:accountId:*"
            }
       }
    }
  ]
}

The next code is for the AgentCore Runtime execution function:

{
        "Model": "2012-10-17",
        "Assertion": [
            {
                "Effect": "Allow",
                "Action": [
                    "bedrock:InvokeModel",
                    "bedrock:InvokeModelWithResponseStream",
                    "bedrock:Converse",
                    "bedrock:ConverseStream"
                ],
                "Useful resource": [
                    "arn:aws:bedrock:*::foundation-model/us.anthropic.claude-sonnet-4-*",
                    "arn:aws:bedrock:*::foundation-model/anthropic.claude-*",
                    "arn:aws:bedrock:*:*:inference-profile/us.anthropic.claude-sonnet-4-*",
                    "arn:aws:bedrock:*:*:inference-profile/anthropic.claude-*"
                ]
            },
            {
                "Impact": "Enable",
                "Motion": [
                    "ecr:GetAuthorizationToken",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage"
                ],
                "Useful resource": "arn:aws:ecr:::repository/bedrock-agentcore-*"
            },
            {
                "Impact": "Enable",
                "Motion": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Useful resource": "arn:aws:logs:*:*:*"
            }
        ]
    }

Create the GitHub Actions workflow

Refer the CI/CD workflow file at .github/workflows/deploy-agentcore.yml for particulars to create the workflow.The next steps shall be carried out by the workflow:

• It makes use of the default Ubuntu Github Runner for the duty supplied within the pipeline.
• The workflow installs the required dependencies talked about within the requirement.txt file.
• It builds the Docker picture and deploys it on the ECR repository.
• The picture is scanned with Amazon Inspector to establish potential vulnerabilities.
• AgentCore Runtime deploys the agent as an endpoint.
• The workflow exams the agent endpoint to confirm performance.

Set off and monitor pipeline

This pipeline may be triggered both by altering a code within the brokers folder or manually utilizing the workflow dispatch possibility. This may additional change in keeping with your group’s branching technique. Replace the code in .github/workflows/deploy-agentcore.yml to vary this set off habits.

Check agent

After the agent is deployed, we are going to confirm its performance by triggering the Check Agent workflow manually through workflow dispatch possibility.

AgentCore Runtime versioning and endpoints

Amazon Bedrock AgentCore implements computerized versioning for AgentCore Runtime and allows you to handle completely different configurations utilizing endpoints. Endpoints present a technique to reference particular variations of AgentCore Runtime. For extra particulars and pattern code, see AgentCore Runtime versioning and endpoints.

Clear up

To keep away from incurring future costs, full the next steps:

1. Delete the ECR photos from the Amazon ECR console created by means of the deployment utilizing GitHub Actions.
2. Delete the agent deployed in AgentCore Runtime.

Conclusion

On this submit, we demonstrated a complete strategy to utilizing GitHub Actions for a safer and scalable deployment of AI brokers on AgentCore Runtime. Our resolution gives a sturdy, automated, and managed surroundings for generative AI functions, addressing important enterprise deployment challenges by automating dependency administration, implementing steady code high quality checks, performing complete vulnerability scanning, and facilitating constant deployment processes. By abstracting infrastructure complexities, this pipeline helps builders deal with agent logic and performance, whereas offering a framework-agnostic strategy that helps seamless administration of a number of AI brokers at scale. As AI brokers proceed to rework enterprise capabilities, this resolution represents a big step in direction of streamlining AI agent improvement and operational administration, providing a standardized, safe, and environment friendly deployment mechanism for contemporary generative AI functions.

As a subsequent step, you should use Amazon Q to intelligently improve and customise your AI agent deployment pipeline, reworking your CI/CD processes with superior, context-aware automation.

Concerning the authors

Prafful Gupta is an Assoc. Supply Marketing consultant at AWS primarily based in Gurugram, India. Having began his skilled journey with Amazon a yr in the past, he makes a speciality of DevOps and Generative AI options, serving to prospects navigate their cloud transformation journeys. Past work, he enjoys networking with fellow professionals and spending high quality time with household. Join on LinkedIn at: linkedin.com/in/praffulgupta11/

Anshu Bathla is a Lead Marketing consultant – SRC at AWS, primarily based in Gurugram, India. He works with prospects throughout various verticals to assist strengthen their safety infrastructure and obtain their safety targets. Exterior of labor, Anshu enjoys studying books and gardening at his residence backyard. Join on LinkedIn at: linkedin.com/in/anshu-bathla/