
Reference your own AWS Secrets Manager secrets in Amazon Bedrock AgentCore Identity

admin by admin
June 1, 2026


AI agents are only as powerful as the tools they can access. Whether retrieving customer data from a CRM, posting updates to Slack, or querying a GitHub repository, agents need to call external APIs, and that means securely passing credentials at runtime. Getting that right, without hardcoding secrets in code or exposing them in agent prompts, is one of the defining challenges of building production-ready agentic systems.

Amazon Bedrock AgentCore Identity meets this challenge through credential providers and a token vault that automatically create and manage a secret in AWS Secrets Manager in your account for each Outbound credential provider resource. This secret contains either the API key or client secret along with the other metadata for the external identity provider. While AgentCore Identity fully creates and manages these secrets, customers couldn’t configure custom tags, rotation policies, or customer managed AWS Key Management Service (AWS KMS) key encryption at creation time.

Today, we’re excited to announce the ability to reference a secret in AWS Secrets Manager for AgentCore Identity, so you can reference your own preconfigured secret from Secrets Manager and retain full control over how it’s managed. With this ability, you can extend your organization’s existing secrets governance processes to AgentCore. You can provide an existing, preconfigured AWS Secrets Manager secret to use with your credential provider resources. You keep full control over its encryption configuration, rotation, replication, tags, and resource policies, just as you’d manage other secrets in Secrets Manager. You can also choose a secret from another AWS account within the same AWS Region, although cross-Region secret sharing isn’t supported. This also supports secrets brought in through AWS Secrets Manager external connectors, enabling integration with third-party secret managers.

In this post, we’ll review example use cases and walk through how to get started configuring your credential provider resources with an existing secret.

Example use cases

The following are example use cases:

  1. Your agent accesses an external API your organization already has a secret for: Provide the ARN of that existing secret to your credential provider resources instead of having AgentCore Identity create a new one. You can also reference a secret from another AWS account within the same Region, and secrets brought in through AWS Secrets Manager external connectors are supported, enabling integration with third-party secret managers.
  2. You need to rotate your secret for security best practices and want your agent to continue working as you rotate: When you rotate the secret value, AgentCore Identity retrieves the updated value on its next read. You don’t need to update or recreate the credential provider resources.
  3. You scope secret access to the intended agent use: Configure the resource policy on your secret directly in AWS Secrets Manager. You control which AWS Identity and Access Management (IAM) principals can access the secret and scope access conditions.
  4. Your agent operates in a regulated environment where every credential must be encrypted with your customer managed key: Create the secret with your customer managed encryption key before providing it to AgentCore Identity. This is especially useful if your organization enforces SCPs and RCPs to help verify that all data is encrypted using customer managed CMKs. By referencing an existing secret, your encryption configuration is fully preserved.
  5. Your organization requires resource tags on secrets for cost allocation, compliance tracking, or governance auditing: Create and tag the secret according to your standards before providing it to AgentCore Identity.

To learn more about the secret configuration options available, see the AWS Secrets Manager User Guide.

Prerequisites

To follow along, you need the following:

  1. An existing AWS Secrets Manager secret with the API key or OAuth client secret.
  2. IAM permissions to give the AgentCore Identity service principal secretsmanager:GetSecretValue access to the secret.
  3. If you’re using a customer managed AWS KMS key, kms:Decrypt permission on that key for the service principal.
  4. Access to the Amazon Bedrock AgentCore Identity console or AWS Command Line Interface (AWS CLI).

Getting started

To reference a secret in AWS Secrets Manager, provide the secret ARN and JSON key when creating your credential provider resources through the AgentCore Identity API. AgentCore Identity retrieves the credential value from the specified JSON key in your secret at runtime.

The following sections show how to create a credential provider resource with a referenced secret using the AWS Management Console, the AWS CLI, or an AI agent.

Using the console

You can configure a referenced secret when creating new credential provider resources directly from the Amazon Bedrock AgentCore Identity console. The feature supports both API key and OAuth client credential types.

Figure 1: AgentCore Identity console, creating an Outbound Auth resource with a referenced secret.

A. Add an API key with a referenced secret

To add an API key with a referenced secret, complete the following steps:

  1. Open the Amazon Bedrock AgentCore console.
  2. In the left navigation pane, choose Identity.
  3. In the Outbound Auth section, choose Add Outbound Auth.
  4. Choose Add API key.
  5. Enter a Name for your Outbound Auth resource.
  6. Under API key selection method, choose Provide API key through Secrets Manager.
  7. In the Secrets Manager ARN field, enter or choose the ARN of your existing secret. The list displays secrets available in your account. For example: arn:aws:secretsmanager:us-east-1:123456789012:secret:myApiKeySecret-AbCdEf.
  8. In the JSON key field, specify the key within your Secrets Manager secret that contains the API key value.
  9. Choose Add.
  10. Verify that the credential provider was created by checking that it appears in the Outbound Auth list.

Figure 2: AgentCore Identity console, adding an API key from Secrets Manager.

B. Add an OAuth client secret with a referenced secret

To add an OAuth client secret with a referenced secret, complete the following steps:

  1. From the Identity page, choose Add Outbound Auth.
  2. Choose Add OAuth client.
  3. Enter a Name for your OAuth client (for example, google-oauth-client-v5fz5).
  4. Under Provider, choose your intended included or custom provider.
  5. Enter your Client ID as assigned by the identity provider.
  6. Under Client secret, choose Provide Client secret through Secrets Manager.
  7. In the Secrets Manager ARN field, enter the ARN of the secret that contains your OAuth client secret.
  8. In the JSON key field, specify the key within the secret that contains the client secret value.
  9. Choose Add OAuth Client.
  10. Verify that the credential provider was created by checking that it appears in the Outbound Auth list.

Figure 3: AgentCore Identity console, adding an OAuth client secret from Secrets Manager.

Using the AWS CLI

You can configure a referenced secret when creating a new Outbound Auth resource directly for an OAuth client secret from the AWS CLI as shown in the following code:

# clientSecretSource EXTERNAL points the provider at an existing Secrets Manager
# secret; secretId is that secret's ARN and jsonKey the key holding the client secret.
aws bedrock-agentcore-control create-oauth2-credential-provider \
    --name "google-oauth-client-v5fz5" \
    --credential-provider-vendor "GoogleOauth2" \
    --oauth2-provider-config-input '{
        "googleOauth2ProviderConfig": {
            "clientId": "",
            "clientSecretSource": "EXTERNAL",
            "clientSecretConfig": {
                "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:myGoogleKeySecret-AbCdEf",
                "jsonKey": "key"
            }
        }
    }'

Using an AI agent on your desktop

If you’re using an AI coding agent (like Kiro or similar), you can prompt it to configure a referenced secret directly:

“I have an existing secret in AWS Secrets Manager at ARN arn:aws:secretsmanager:us-east-1:123456789012:secret:my-api-key. Create an OAuth2 credential provider in Amazon Bedrock AgentCore Identity named , using GoogleOauth2 as the vendor. The client ID is , the client secret source is EXTERNAL, and the secret JSON key is key.”

Note: Replace and with your values.

Important: Give AgentCore Identity permission to read your secret by adding a resource policy to the secret that allows the service principal to call secretsmanager:GetSecretValue. If your secret is encrypted with a customer managed KMS key, also give the service principal kms:Decrypt permission on that key.
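A preflight check for the permissions and constraints described above, as an added example that is not code from the original post or from AWS. It works offline on policy documents you have already fetched; the function names are hypothetical, the sample policy is constructed, and the service principal value is an assumption because the post does not name it.

```python
import json

# Assumption: the page does not name the service principal; this value is a
# stand-in to confirm against the AgentCore Identity documentation.
SERVICE_PRINCIPAL = "bedrock-agentcore.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, principal, action):
    """True if an Allow statement grants `action` to the service `principal`."""
    wanted = {action, action.split(":")[0] + ":*", "*"}
    for stmt in _as_list(policy.get("Statement", [])):
        who = stmt.get("Principal", {})
        services = _as_list(who.get("Service", [])) if isinstance(who, dict) else []
        if (stmt.get("Effect") == "Allow" and principal in services
                and wanted & set(_as_list(stmt.get("Action", [])))):
            return True
    return False

def preflight(secret_arn, provider_region, secret_string, json_key,
              secret_policy, kms_key_policy=None, principal=SERVICE_PRINCIPAL):
    """Return findings; an empty list means every prerequisite checked here holds."""
    parts = secret_arn.split(":")
    if len(parts) < 7 or parts[2] != "secretsmanager":
        return ["not a Secrets Manager secret ARN"]
    findings = []
    if parts[3] != provider_region:
        findings.append("cross-Region reference: secret in %s, provider in %s"
                        % (parts[3], provider_region))
    try:
        value = json.loads(secret_string)
    except ValueError:
        value = None
    if not isinstance(value, dict) or not value.get(json_key):
        findings.append("JSON key %r missing or empty in secret" % json_key)
    if not allows(secret_policy, principal, "secretsmanager:GetSecretValue"):
        findings.append("secret policy lacks secretsmanager:GetSecretValue")
    # Only secrets encrypted with a customer managed key need the KMS check.
    if kms_key_policy is not None and not allows(kms_key_policy, principal, "kms:Decrypt"):
        findings.append("KMS key policy lacks kms:Decrypt")
    return findings

# Constructed sample input: the page's example ARN and a made-up resource policy.
ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:myGoogleKeySecret-AbCdEf"
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SERVICE_PRINCIPAL},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
```

Pass kms_key_policy only when the secret uses a customer managed key; the check matches exact action names plus the service-wide and global wildcards, not partial patterns.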

Conclusion

With the ability to reference a secret in AWS Secrets Manager, AgentCore Identity gives you the flexibility to use your existing secrets and secret management practices when configuring outbound auth for your AI agents. You can retain full control over how your credentials are encrypted, rotated, and accessed, while AgentCore Identity handles retrieving them at runtime.

To get started, see the Amazon Bedrock AgentCore Identity documentation. For more on secret management, see the AWS Secrets Manager User Guide.


About the authors

Swara Gandhi

Swara Gandhi is a Senior Solutions Architect on the AWS Identity Solutions team. She works on building secure and scalable end-to-end identity solutions. She is passionate about everything identity, security, and cloud.

Satveer Khurpa

Satveer Khurpa is a Sr. WW Specialist Solutions Architect, Amazon Bedrock AgentCore at Amazon Web Services, specializing in agentic AI security with a focus on AgentCore Identity and Security. In this role, he uses his expertise in cloud-based architectures to help clients design and deploy secure agentic AI systems across various industries. Satveer applies his deep understanding of agentic AI patterns, identity and access management, and defense-in-depth security principles to architect scalable, secure, and responsible agent-based applications, enabling organizations to unlock new business opportunities while maintaining robust security postures for autonomous AI workloads.
