Introduction
Amazon Bedrock AgentCore Identity is an identity and credential management service designed specifically for AI agents and automated workloads. It provides secure authentication, authorization, and credential management capabilities that enable agents and tools to access AWS resources and third-party services on behalf of users while helping to maintain strict security controls and audit trails. Agent identities are implemented as workload identities with specialized attributes that enable agent-specific capabilities while helping to maintain compatibility with industry-standard workload identity patterns. The service integrates natively with Amazon Bedrock AgentCore to provide identity and credential management for agent applications, including Amazon Bedrock AgentCore Runtime and Amazon Bedrock AgentCore Gateway.
In the rapidly evolving landscape of AI agents, organizations need robust identity management solutions that can handle the unique challenges associated with non-human identities. Amazon Bedrock AgentCore Identity addresses these challenges by providing a centralized capability for managing agent identities, securing credentials, and enabling seamless integration with AWS and third-party services through Sigv4, standardized OAuth 2.0 flows, and API keys.
The service implements authentication and authorization controls that verify each request independently, requiring explicit verification for all access attempts regardless of source. It integrates seamlessly with AWS services while also enabling agents to securely access external tools and services. Whether you're building simple automation scripts or complex multi-agent systems, AgentCore Identity provides the identity foundation to help your applications operate securely and efficiently.
AgentCore Identity offers a set of features designed to address the unique challenges of workload identity management and credential security:
- Centralized agent identity management
- Secure credential storage
- OAuth 2.0 flow support
- Agent identity and access controls
- AgentCore SDK Integration
- Request verification security
For more information, please read the following article.
Authentication types
There 2 type of authentications: Inbound and Outbound. This picture from the source describes the responsibilities of both authentications:
- Inbound Auth: Inbound Auth authenticates and authorizes the caller to get access to an agent, tool, runtime, or Gateway. You can configure using either IAM or JSON web tokens (for example, OAuth tokens) from your identity provider.
- Outbound Auth: Outbound Auth uses either an API key or an OAuth client that allows an agent, tool or Gateway access to downstream resources. You can use the Outbound Auth ARN in your agent or tool code.
This picture taken from the Amazon Bedrock AgentCore Identity service shows how both authentications work:
Throughout my article series about Amazon Bedrock AgentCore Gateway and Amazon Bedrock AgentCore Runtime we've already used both
Inbound and Outbound authentication. Let's recall those solutions and also explore other available options.
Inbound Auth
In our series Amazon Bedrock AgentCore Runtime we used IAM authentication for the Inbound authentication for all our agents. This is how the permissions look like for one of our AgentCore Runtimes:
We gave the agent the exact permissions it required:
- To pull the Docker image from the ECR repository which contains the image of our agent.
- To write logs and push metrics and traces to CloudWatch.
- To access the specific AgentCore Gateway (for which we require Cognito Pool permissions).
- To access the created AgentoCore Memory. Permissions varied depending on the memory type (short or long-term).
There is another option for the Inbound Auth - to use JSON Web Tokens (JWT) tokens compatible with OIDC (OpenID Connect):
- Either using Cognito as the Identity provider (more on this later):
.
The workflow then looks like this (source):
- Or using existing Identity provider (e.g. Okta, Auth0) configurations to enable OAuth 2.0:
The workflow then looks like this (source):
In our Amazon Bedrock AgentCore Gateway series we also user Inbound Auth for all our created AgentCore Gateways based on (JWT) token using Cognito as the Identity provider. Here is an example of one of those:
For the step by step introduction on how to create such a token, please read my article Amazon Bedrock AgentCore Gateway - Exposing existing Amazon API Gateway REST API via MCP and Gateway endpoint which we re-used in the part 3. The goal was to create Cognito token issuer endpoint. When creating MCP Client with Strands and Spring AI, we passed this (bearer) token as HTTP "Authorization" header.
Outbound Auth
We used outbound authentication to connect our AgentCore Gateways with the "external" resources, like Amazon API Gateway, see part 2 and AWS Lambda functions, see part 3 for the detailed explanation. The overall workflow for the Open API as a Gateway target looks like this (for very similar for the Lambda function as a target):
If we visit AgentCore service page and navigate to "Identity" we'll see Outbound Auth configuration like this:
In our case we used "API Key" credential configuration. To authenticate Amazon API Gateway with API Key we need to pass its value as HTTP header with the name x-api-key. Other APIs may require passing the API Key as a query parameter. The credentialLocation parameter which is used for this purpose can be either HEADER or QUERY_PARAMETER, "API Key" configuration is always backed by storing the credentials in the "AWS Secrets Manager" :
Another option to create Outbound Auth is to use OAuth Client:
Here we can select between included providers like Google, Microsoft, LinkedIn, Slack, GitHub Salesforce and others or configure the custom provider:
Conclusion
In this article, we explored Amazon Bedrock AgentCore Identity - an identity and credential management service designed specifically for AI agents and automated workloads. It provides secure authentication, authorization, and credential management capabilities that enable agents and tools to access AWS resources and third-party services on behalf of users while helping to maintain strict security controls and audit trails. We also described currently available options for the Inbound and Outbound authentications and pointed out some already used approaches throughout my Amazon Bedrock AgentCore Gateway and Runtime article series.
Please also check out my Amazon Bedrock AgentCore Gateway and Amazon Bedrock AgentCore Runtime article series.
Top comments (0)