DEV Community: Budiono Santoso

Amazon Elastic Container Services (ECS) : Express Mode and Custom Mode for Receipt Extraction

Budiono Santoso — Tue, 19 May 2026 03:02:25 +0000

Hello everyone. I want to continue writing about receipt extraction application. In this blog tutorial, I want to create API on Amazon Elastic Container Services (ECS) using ECR receipt extraction image that already created before. Amazon ECS is a fully managed container orchestration service that build, manage, and run container without the complexity of infrastructure management.

REQUIREMENTS :

Amazon SageMaker AI blog tutorial, you can see this link
AWS account, you can sign up/sign in here
Make sure Terraform already installed. Terraform AWS provider for Infrastructure as Code, you can see this link
(Optional) Streamlit for UI / front-end, you can see this link

EXPRESS MODE :

ECS Express Mode using Amazon ECR private/public image (primary_container), IAM execution role/AmazonECSTaskExecutionRolePolicy and IAM infrastructure role/AmazonECSInfrastructureRoleforExpressGatewayServices only.

Additional configuration is optional such as IAM task role because I use IAM task role to invoke SageMaker endpoint only. If you don't use a custom VPC, ECS express mode automatically use default VPC. I using a custom VPC because want more control over the networking side.

Create Terraform files such as iam.tf, main.tf, vpc.tf and ecs.tf in ONE folder (available on GitHub). The AWS console is only for viewing the results of this process.

This is ecs.tf file for creating ECS cluster and ECS service express mode.

# Create ECS Cluster
resource "aws_ecs_cluster" "fastapiecs" {
  name = "fastapiecs"
}

# Create ECS Express Service that linked with receipt extraction ECR image
resource "aws_ecs_express_gateway_service" "fastapi" {
  cluster                 = aws_ecs_cluster.fastapiecs.name
  execution_role_arn      = aws_iam_role.execution.arn
  infrastructure_role_arn = aws_iam_role.infrastructure.arn
  task_role_arn           = aws_iam_role.task.arn
  health_check_path       = "/health"
  cpu                     = "256"
  memory                  = "512"
  region                  = data.aws_region.current.region

  primary_container {
    image          = "${local.account_id}.dkr.ecr.${local.region}.amazonaws.com/receipt-extraction-gemma-4:latest"
    container_port = 8000
  }

  network_configuration {
    subnets         = aws_subnet.public[*].id
    security_groups = [aws_security_group.alb_sg.id]
  }

  scaling_target {
    auto_scaling_metric       = "AVERAGE_CPU"
    auto_scaling_target_value = 70
    min_task_count            = 1
    max_task_count            = 3
  }
}

Terraform ecs.tf file explanation :

execution_role_arn, infrastructure_role_arn and task_role_arn to get IAM role ARN from iam.tf
health_check_path to check the health of ECR image API.
container_port for ECR image API container port.
network_configuration for configure networking such as subnet and security group in Amazon VPC.
scaling_target for minimum and maximum auto-scaling usage based on CPU average.

This is iam.tf file for creating IAM roles for ECS express mode.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Get AWS Account ID and AWS Region from above data
locals {
  account_id = data.aws_caller_identity.current.account_id
  region     = data.aws_region.current.region
}

# ECS Express Infrastructure Role
resource "aws_iam_role" "infrastructure" {
  name               = "ecsExpressInfrastructureRole"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = {
          Service = "ecs.amazonaws.com"
        }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

# ECS Express Infrastructure Policy
resource "aws_iam_role_policy_attachment" "infrastructure" {
  role       = aws_iam_role.infrastructure.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRoleforExpressGatewayServices"
}

# ECS Express Execution Role
resource "aws_iam_role" "execution" {
  name               = "ecsExpressExecutionRole"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = {
          Service = "ecs-tasks.amazonaws.com"
        }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

# ECS Express Execution Policy
resource "aws_iam_role_policy_attachment" "execution" {
  role       = aws_iam_role.execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# ECS Express Task Role
resource "aws_iam_role" "task" {
  name               = "ecsExpressTaskRole"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = {
          Service = "ecs-tasks.amazonaws.com"
        }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

# ECS Express Task Policy for SageMaker Endpoint
resource "aws_iam_role_policy" "sagemaker" {
  name   = "ecsExpressSagemaker"
  role   = aws_iam_role.task.name
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = [
            "sagemaker:InvokeEndpoint"
        ]
        Resource = "arn:aws:sagemaker:${local.region}:${local.account_id}:endpoint/*"
      }
    ]
  })
}

Terraform iam.tf file explanation :

data "current" {} to get the AWS account ID and AWS region.
resource "aws_iam_role" "infrastructure" to create IAM infrastructure role.
resource "aws_iam_role_policy_attachment" "infrastructure" to create IAM infrastructure policy for creating load balancer, target group and etc.
resource "aws_iam_role" "execution" to create IAM execution role.
resource "aws_iam_role_policy_attachment" "execution" to create IAM execution policy for get ECR image, create CloudWatch logs and etc.
resource "aws_iam_role" "task" to create IAM task role.
resource "aws_iam_role_policy" "sagemaker" to create IAM task policy for invoke SageMaker endpoint.

This is main.tf file for define Terraform AWS provider version and AWS region.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "6.45.0"
    }
  }
}

provider "aws" {
  region = "us-west-2"
}

This is vpc.tf file for creating VPC resources such as public subnet, private subnet, internet gateway, route table and security group.

data "aws_availability_zones" "available" {}

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "ecs-express-vpc"
  }
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_subnet" "public" {
  count                   = 2
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.${count.index + 10}.0/24"
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true
  tags = {
      Name = "express-mode-public-subnet-${count.index}"
  }
}

resource "aws_subnet" "private" {
  count                   = 2
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.${count.index}.0/24"
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = false
  tags = {
      Name = "express-mode-private-subnet-${count.index}"
  }
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  count          = 2
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table_association" "private" {
  count          = 2
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}

resource "aws_security_group" "alb_sg" {
  name   = "alb-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

After 4 Terraform files is available, write and run this Terraform script.

terraform init

terraform init is initialize Terraform latest version in main.tf

terraform plan

terraform plan is check make sure your Terraform file is true and right format. If false and wrong format, you must check your Terraform file again.

terraform apply --auto-approve

terraform apply is apply/create all AWS service resources based all Terraform file. If not write --auto-approve, you must write/enter "yes" every want to apply Terraform file.

Wait until ECS services express mode to become available. The results of this Terraform process can see in AWS console like this screenshots.

I copy and use ECS express service application URL, try test predict API using FastAPI/Streamlit and this is worked. I copy and use public load balancer URL, try test predict API also using FastAPI/Streamlit and this is not worked also load balancer can not be used.

Then I tried using a private subnet and a public load balancer to make the ECS express service application URL private (can't connected to the internet) and using the public load balancer URL. However, both were private and inaccessible. To fix this issue, I choose ECS custom mode.

If you provide custom public subnets, Express Mode will provision an internet-facing ALB and turn on assignPublicIP for your tasks. If you provide private subnets (subnets without an internet gateway in their route table), Express Mode will provision an internal ALB. (from ECS express mode documentation)

If want to delete ECS express mode, write and run this Terraform script.

terraform destroy --auto-approve

terraform destroy is destroy/delete all AWS service resources based all Terraform file. If not write --auto-approve, you must write/enter "yes" every want to apply Terraform file.

CUSTOM MODE :

Create Terraform files such as iam.tf, main.tf, vpc.tf, ecs.tf, load-balancer.tf, security-groups.tf and vpc-endpoint.tf in ONE folder (available on GitHub). The AWS console is only for viewing the results of this process but some screenshots is same results, I uploaded some different screenshots.

I copy and use ECS express service application URL, try test predict API using FastAPI/Streamlit and this is failed because private-subnet based that no need connected to internet. I copy and use public load balancer URL, try test predict API also using FastAPI/Streamlit and this is worked means load balancer can be used.

CONCLUSION :

ECS express mode is used to build web application and API faster.
ECS custom mode is used for custom use case such as private subnet and public load balancer.

DOCUMENTATION :

GITHUB REPOSITORY : https://github.com/budionosanai/google-gemma-sagemaker-vllm-fastapi-receipt-extraction

Thank you,
Budi.

Amazon SageMaker AI : SageMaker Studio, vLLM, Gemma 4 and Terraform for Receipt Extraction

Budiono Santoso — Mon, 18 May 2026 14:10:14 +0000

Hello everyone. I want to create receipt extraction application using Amazon SageMaker AI. Amazon SageMaker AI is a fully managed service most comprehensive set of AI tools and capabilities to enable high-performance and low-cost AI model development for any use case.

In this blog tutorial, I using Amazon SageMaker AI products such as SageMaker Studio as my online IDE, SageMaker Model, SageMaker Endpoint Configuration and SageMaker Endpoint.

REQUIREMENTS :

AWS account, you can sign up/sign in here
vLLM image for inference and serving, you can see this link
Gemma 4 model for open-source LLM, you can see this link
Terraform AWS provider for Infrastructure as Code, you can see this link
FastAPI for create API, you can see this link

STEP-BY-STEP :

Open Amazon SageMaker AI like this screenshot then click "Set up for a single user" for create SageMaker Studio.
Wait until SageMaker Studio is ready. After SageMaker Studio is ready, click "Open Studio".
This is what SageMaker Studio looks like. Click JupyterLab logo top left corner then click "Create JupyterLab space".
After space is created, click "Run space" then wait until show "Open JupyterLab" is available and status is Running.
Open SageMaker AI (not SageMaker Studio) console then click your Quick setup domain. Click "User profiles" -> click "default-..." then copy execution role for create SageMaker Endpoint step. For app configuration, click "Enable Docker on this domain" to can pull vLLM image and push to Amazon ECR.
Pull vLLM image and push to Amazon ECR with one shell script. In the terminal, run this shell script.

chmod +x vllm-to-ecr.sh
./vllm-to-ecr.sh

Search "0.19.1-gpu-py312-cu129-ubuntu22.04-sagemaker-v1.0" in image tags of vLLM because vLLM 0.19.1 version ready support Gemma 4 and use SageMaker version.

Open and check Amazon ECR private repository "vllm-gemma-4".

Open AWS IAM console then click Roles, search your IAM execution role that already copy before and add some policies because SageMaker Studio as a IDE needs to connect to AWS services. But what happens if you don't add some policies? Yes, access to AWS services is denied.

Then open AWS Service Quotas for request SageMaker Endpoint quota then search "SageMaker" then click "View quotas".

Write "g6.2x large for endpoint" then click "Request increase at account level".

Fill number in Increase quota value then click "Request".

In my case, my request was automatically Approved in just a few seconds. Then why must request an Endpoint quota? If do not request an Endpoint quota, will receive an error during the Endpoint creation process such as your endpoint instance are 0 and you need to request a Service Quota.

Then create SageMaker model, endpoint configuration and endpoint. (Code for this available on GitHub).

After SageMaker Endpoint is created, wait until SageMaker Endpoint is ready for inference and serving. Can see in Deployments -> Endpoints.

You also can see SageMaker model, endpoint configuration and endpoint in Amazon SageMaker AI console like this screenshot. Can see in Deployments & inference -> Deployable models, endpoints and endpoint configurations.

When SageMaker Endpoint is ready for inference and serving, now can test some sample photos (code available on GitHub) and display JSON-based structured output like this.

{"storeName": "OAK STREET MARKET", "purchaseDate": "26-10-2023", "total": 42.58}

NOTE : DELETE your SageMaker model, endpoint configuration and endpoint after testing because this endpoint use real-time endpoint that always running.

So why and how to create SageMaker model, endpoint configuration and endpoint using Terraform? Because Terraform is an Infrastructure as Code (IaC) tool, you can automatically create SageMaker resources faster and delete SageMaker resources with just one line of code.

Install Terraform with run this shell script.

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv bash)"

brew install gcc

brew tap hashicorp/tap

brew install hashicorp/tap/terraform

terraform --version

Then create Terraform files such as iam.tf, main.tf and sagemaker.tf in ONE folder (available on GitHub).

iam.tf for create IAM role such as SageMaker execution role and SageMaker ECR policy.
main.tf for Terraform AWS version and AWS region.
sagemaker.tf for create SageMaker model, endpoint configuration and endpoint.

iam.tf

# SageMaker Execution Role
resource "aws_iam_role" "sagemaker" {
  name               = "sagemakerExecutionRole"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "sagemaker.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

# SageMaker ECR Policy
resource "aws_iam_role_policy_attachment" "ecr" {
  role       = aws_iam_role.sagemaker.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess"
}

main.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "6.45.0"
    }
  }
}

provider "aws" {
  region = "us-west-2"
}

sagemaker.tf

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Get AWS Account ID and AWS Region from above data
locals {
  account_id = data.aws_caller_identity.current.account_id
  region     = data.aws_region.current.region
}

# Create SageMaker Model with Gemma 4 on vLLM
resource "aws_sagemaker_model" "model" {
  name                = "gemma-4-receipt-extraction-vllm"
  execution_role_arn  = aws_iam_role.sagemaker.arn
  primary_container {
    image             = "${local.account_id}.dkr.ecr.${local.region}.amazonaws.com/vllm-gemma-4:0.19.1-sagemaker"
    environment       = {
      "SM_VLLM_MODEL" = "google/gemma-4-E4B-it"
    }
  }
}

# Create SageMaker Endpoint Configuration
resource "aws_sagemaker_endpoint_configuration" "endpointConfig" {
  name  = aws_sagemaker_model.model.name
  production_variants {
    variant_name           = "AllTraffic"
    model_name             = aws_sagemaker_model.model.name
    initial_instance_count = 1
    instance_type          = "ml.g6.2xlarge"
  }
}

# Create SageMaker Endpoint
resource "aws_sagemaker_endpoint" "endpoint" {
  name                 = aws_sagemaker_model.model.name
  endpoint_config_name = aws_sagemaker_endpoint_configuration.endpointConfig.name
}

After 3 Terraform files is available, write and run this Terraform script.

terraform init

terraform init is initialize Terraform latest version in main.tf

terraform plan

terraform plan is check make sure your Terraform file is true and right format. If false and wrong format, you must check your Terraform file again.

terraform apply --auto-approve

terraform apply is apply/create all AWS service resources based all Terraform file. If not write --auto-approve, you must write/enter "yes" every want to apply Terraform file.

terraform destroy --auto-approve

terraform destroy is destroy/delete all AWS service resources based all Terraform file. If not write --auto-approve, you must write/enter "yes" every want to apply Terraform file.

Wait until SageMaker endpoint is inService. The result of this Terraform process are same as SageMaker model, endpoint configuration and endpoint screenshots above.

Create API using FastAPI then create main.py file, Dockerfile and requirements.txt file in ONE folder (available on GitHub).

Then create Amazon ECR private repository "receipt-extraction-gemma-4" with run this shell script.

aws ecr create-repository \
    --repository-name "receipt-extraction-gemma-4" \
    --image-scanning-configuration scanOnPush=false \
    --image-tag-mutability MUTABLE \
    --region "us-west-2" 2>/dev/null || echo "Repository already exists, skipping creation."

However, when want to build API app and push to Amazon ECR private repository, display error like this screenshot.

To fix this error, use SageMaker Docker Build. SageMaker Docker Build is CLI tool for building Docker images in SageMaker Studio using AWS CodeBuild.

Install SageMaker Docker Build with run this shell script.

pip install sagemaker-studio-image-build

After SageMaker Docker Build is installed, run this shell script to build and push to ECR and wait until finished.

sm-docker build . --repository receipt-extraction-gemma-4:latest

Result of this process will be like this screenshot.

This ECR receipt extraction image be used for next step using Amazon Elastic Container Service (Express Mode and custom mode) in next blog tutorial.

CONCLUSION :

SageMaker Studio can be used as a online IDE. If you have a laptop with limited specifications, I recommended this online IDE.
vLLM can be used for inference and serving on ECR.
Gemma 4 can running in SageMaker Endpoint.
Terraform help create automatically SageMaker resources faster and also destroy/delete all SageMaker resources faster.
FastAPI help create API for receipt extraction.

DOCUMENTATION :

Amazon SageMaker AI documentation
vLLM Gemma 4 documentation
Gemma 4 model documentation
Terraform AWS (Amazon SageMaker) documentation
FastAPI documentation is same as above requirements.

GITHUB REPOSITORY : https://github.com/budionosanai/google-gemma-sagemaker-vllm-fastapi-receipt-extraction

Thank you,
Budi

Deploy and Invoke AI Agent to AgentCore Runtime with Github Actions

Budiono Santoso — Wed, 28 Jan 2026 15:02:04 +0000

What is Github Actions? Github Actions is a Github CI/CD (continuous integration/continous deployment or continous delivery) feature that automate end-to-end (build, test and deploy) workflow.

This tutorial blog explained how to deploy AI agent to AgentCore Runtime and test invoke AI agent using Github Actions.

REQUIREMENTS :

AWS account (or AWS credentials), you can sign up/sign in here
Google Gemini account, you can sign up/sign in here
Langgraph
Github account, you can sign up/sign in here.
To get an IAM role for AgentCore Runtime, you can see this notebook then open and run the notebook.

FLASHBACK : I have already deploy production AI candidate screening agent to AgentCore Runtime in this tutorial blog. I think it is time to automate end-to-end workflow from deployment to testing invocation using CI/CD by Github Actions.

STEP-BY-STEP :

A. Follow this tutorial blog.

B. Follow this steps in Github repository:

Create new repository, click Settings, click Secrets and variables in Security section, click Actions.
Click Repository secrets then click "New repository secret".
Input secret name and secret key : AWSACCESSKEY and your AWS access key & AWSSECRETKEY and your AWS secret key.
Click "Add secret". Now go to Github Codespaces to create IDE online.
Choose repository, click "Create codespace".

C. Create workflow file to execute CI/CD automation workflow. In this tutorial, file name is workflow.yaml in .github/workflows folder. Write workflow code like this workflow code.

Explanation this workflow file :

on: push: mean when developer ready to deploy to AgentCore Runtime and invoke AI agent with git push automatically running.
on: push: paths: mean when developer update code from several files then push to repository and automatically running.
jobs: deploy: mean job running deploy to AgentCore Runtime.
steps mean running several steps with name of explanation.
outputs: mean workflow have output (agent runtime ID).
jobs: test: mean job running test invoke AI agent on AgentCore Runtime.
needs: mean need deploy job must running before running test job. If deploy job is failed, test job is not running.

D. Copy langgraph_agentcore.py and requirements.txt in requirements notebook then paste to runtime folder (in Github Codespaces).

E. Create deployment file to deploy AI agent to AgentCore Runtime. In this tutorial, file name is deploy-runtime.py. Write deployment code like this code.

Explanation this deployment code file :

# Retrieve AWS Account ID comment mean get AWS account ID that used in IAM execution role for AgentCore Runtime.
What different? Requirements notebook writing auto_create_execution_role=True mean automatically create IAM execution role while this deployment code writing auto_create_execution_role=False mean not need new IAM execution role and need input IAM execution role to execution_role.
agent_id = launch_result.agent_id mean agent runtime ID for invoke-agent.py file.

F. Create invocation file to invoke AI agent on AgentCore Runtime. In this tutorial, file name is invoke-agent.py. Write invocation code like this code.

Explanation this invocation code file :

# Get Agent Runtime ID mean get agent runtime ID from result in deploy-runtime.py file then get agent runtime ARN from agent runtime ID.

G. Add, commit and push all code to Github repository and automatically deploy AI agent to AgentCore Runtime and invoke AI agent.

NOTE : After push to Github repository then when deploy AI agent to AgentCore Runtime get error like this screenshot below.

Go to Amazon Bedrock AgentCore -> Agent runtime then click your agent name that already created.

Click "Version 1" then click IAM service role of Permissions like this screenshot.

This error is happened because ECRImageAccess action is allow bedrock-agentcore-gemini_langgraph repository only. How to fix? Click permission name, edit/modify permissions from bedrock-agentcore-gemini_langgraph to /* in policy editor then click Next and click Save.

Then add, commit and push all code again to Github repository. Go to Actions in this repository to see first push action.

Go to AgentCore Runtime console like this screenshot.

Click "Dashboard" of Observability in Endpoints section to open AgentCore Observability.

Agent metrics of AI agent runtime.

System error, client error and throttle.

Runtime metrics of AI agent runtime.

CONCLUSION : With CI/CD automation workflow provided by Github Actions, deploy and invoke AI agent is easy, need IAM execution role only.

RESOURCES :

GITHUB REPOSITORY : https://github.com/budionosanai/agentcore-runtime-github-actions

Thank you,
Budi :)

Amazon Bedrock AgentCore : MCP Server on AgentCore Runtime and AgentCore Gateway

Budiono Santoso — Mon, 12 Jan 2026 00:41:56 +0000

What is MCP? MCP (Model Context Protocol) is a open-source standard for connecting AI application to external systems such as APIs, databases, software and etc.

But how to create and deploy MCP server so that we can access MCP server using MCP client? Here it is using AgentCore Runtime and AgentCore Gateway. This tutorial blog explained how to create and deploy receipt extraction MCP server on AgentCore Runtime then integrate with AgentCore Gateway.

This MCP server help you extract receipt photo information such as store name, purchase date and total/amount then write output of extract information to Amazon DynamoDB table and send email of output of extract information using Amazon SNS. Then test this MCP server with Langchain.

REQUIREMENTS :

AWS account (or AWS credentials), you can sign up/sign in here
Google Gemini account, you can sign up/sign in here
Langchain.

The AWS services used by this MCP server such as :

AWS service	Description
Amazon S3	upload file from local to S3 and download file from S3 to receipt extraction MCP server processes.
AWS Secret Manager	store Gemini API Key and LLM inference in receipt extraction MCP server.
AgentCore Runtime, AgentCore Gateway and AgentCore Identity.
AgentCore Starter Toolkit	quickly configure and deploy MCP server with several AWS services such as Amazon ECR, AWS CodeBuild, and AWS IAM.
Amazon Cognito	Authentication and authorization for AgentCore Identity.
Amazon DynamoDB	Write result of receipt extraction to NoSQL database.
Amazon SNS	Send email notification about result of receipt extraction.

STEP-BY-STEP :

A. Creating Amazon S3 bucket, store Gemini API key in AWS Secret Manager, creating Amazon DynamoDB table and creating Amazon SNS topic/subs.

!pip install python-dotenv boto3

from google.colab import userdata
from dotenv import load_dotenv
import boto3
import json
import os

os.environ["AWS_ACCESS_KEY_ID"] = userdata.get('AWSACCESSKEY')
os.environ["AWS_SECRET_ACCESS_KEY"] = userdata.get('AWSSECRETKEY')

# Get Gemini API Key and email address
load_dotenv("geminiapikey.txt")
gemini = os.getenv("GEMINI_API_KEY")
gmail = os.getenv("EMAIL")
secret_name = "geminiapikey"
table_name = "receiptsExtraction"
topic_name = "receiptsExtractionEmail"
region = "us-west-2"

Use this code to create a Amazon S3 bucket.

s3 = boto3.client('s3', region)
s3.create_bucket(
    Bucket="receipts-extraction",
    CreateBucketConfiguration={
        'LocationConstraint': region
    }
)
print("This bucket is now available.")

Use this code to create Gemini API Key in AWS Secret Manager.

apikey = boto3.client('secretsmanager', region)
secret_dict = {"GEMINI_API_KEY": gemini}
response = apikey.create_secret(
    Name=secret_name,
    Description="Gemini API Key",
    SecretString=json.dumps(secret_dict)
)
print("Gemini API Key is now stored.")

Use this code to create result of receipt extraction table in Amazon DynamoDB.

dynamodb = boto3.client('dynamodb', region)
table = dynamodb.create_table(
    TableName=table_name,
    KeySchema=[{'AttributeName': 'storeName', 'KeyType': 'HASH'}],
    AttributeDefinitions=[{'AttributeName': 'storeName', 'AttributeType': 'S'}],
    BillingMode='PAY_PER_REQUEST',
    OnDemandThroughput={'MaxReadRequestUnits': 200,'MaxWriteRequestUnits': 200}
)
print("Receipt extraction table is now available and save output from MCP server.")

Use this code to create email notification about result of receipt extraction using Amazon SNS.

sns = boto3.client('sns', region)
topic = sns.create_topic(Name=topic_name)
topic_arn = topic['TopicArn']
# Subscribe email to topic but must open your inbox email and click 'Confirm Subscription'
sns.subscribe(
    TopicArn=topic_arn,
    Protocol="email",
    Endpoint=gmail
)
print("Open your inbox with subject AWS Notification - Subscription Confirmation and click Confirm Subscription.")

B. MCP Server Development

This structure is very important for creating MCP server. Write Python code for MCP server receipt extraction with detailed explanation :

receiptExtraction : Extract store name, purchase date and total/amount based this receipt photo with structure output using Google Gemini 2.5 Flash based ReceiptExtractionResult class format like this

class ReceiptExtractionResult(BaseModel):
        """Extracted receipt information."""
        storeName: str = Field(description="Name of store or store name. Must uppercase.")
        purchaseDate: str = Field(description="Purchase date with \"DD-MM-YYYY\" format date.")
        total: float = Field(description="Total or amount. Number and (.) only without any such as $ or other currency.")

writeOutput : Write receipt extraction results to Amazon DynamoDB table.
sendEmail : Send email notification with receipt extraction results using Amazon SNS.

Create Amazon Cognito User Pool, Domain, Resource Server and User Pool Client for AgentCore Gateway and AgentCore Runtime Inbound Authentication. This step is so that user/application can access agent/tool in AgentCore Runtime or AgentCore Gateway.

Use this code to configure the AgentCore Runtime.

from bedrock_agentcore_starter_toolkit import Runtime
agentcore_runtime = Runtime()
region = "us-west-2"
agent_name = "gemini-mcp-server"

runtime = agentcore_runtime.configure(
    entrypoint="mcp_server.py",
    auto_create_execution_role=True,
    auto_create_ecr=True,
    requirements_file="requirements.txt",
    region=region,
    agent_name=agent_name,
    protocol="MCP",
    authorizer_configuration={
        "customJWTAuthorizer": {
            "allowedClients": [runtime_cognito_client_id],
            "discoveryUrl": f"https://cognito-idp.{region}.amazonaws.com/{runtime_cognito_pool_id}/.well-known/openid-configuration",
        }
    }
)
runtime

Explaining the above code:

from first row until second row means import and initialize AgentCore Runtime.
agentcore_runtime.configure means configure the AgentCore Runtime with entry point (MCP server Python code), create IAM role for Runtime, create ECR image, requirements (install libraries), region and agent name.

Use this code to launch AI agent to AgentCore Runtime. Wait up to one minute.

launch_result = agentcore_runtime.launch()

C. TROUBLESHOOTING / VERY IMPORTANT INFORMATION

After AgentCore Runtime is available then invoke MCP server and get error like this screenshot below.

Open CloudWatch Logs or AgentCore Observability to see what happened with this error.

Go to Amazon Bedrock AgentCore -> Agent runtime then click your agent name that already created. Click "Observability dashboard" or "Cloudwatch logs" to see this error.

This error is happened because DynamoDB and SNS action is not allowed in IAM role for Runtime.

Go to Amazon Bedrock AgentCore -> Agent runtime then click your agent name that already created.

Click "Version 1" then click IAM service role of Permissions (e.g. AmazonBedrockAgentCoreSDKRuntime-{region-name}-{random-number-letter}) like above screenshot.

Click IAM policy name that related (e.g. BedrockAgentCoreRuntimeExecutionPolicy-{your-agent-name}) like above screenshot.

Go to AWS Secret Manager, click secret name then copy Secret ARN of Gemini API Key.

Add your Secret ARN of Gemini API Key in resource of "secretsManager:GetSecretValue" action with this code :

arn:aws:secretsmanager:us-west-2:{aws_account_id}:secret:geminiapikey-{random-number-letter}

Then click Add new statement -> Write AWS services (S3, DynamoDB and SNS) -> Checklist All actions -> Add resource -> Click Next, click Save and and view the IAM policy after changing it.

OR Edit permission in this IAM policy and write this permission after Sid": "AwsJwtFederation row -> Click Next, click Save and view the IAM policy after changing it.

{
    "Sid": "DynamoDB",
    "Effect": "Allow",
        "Action": [
        "dynamodb:*"
    ],
    "Resource": [
        "arn:aws:dynamodb:us-west-2:{aws_account_id}:table/*"
    ]
},
{
    "Sid": "AmazonSNS",
    "Effect": "Allow",
    "Action": [
        "sns:*"
    ],
    "Resource": [
        "*"
    ]
},
{
    "Sid": "S3",
    "Effect": "Allow",
    "Action": [
        "s3:*"
    ],
    "Resource": [
        "*"
    ]
}

D. AgentCore Gateway

Based AgentCore Gateway documentation, MCP server target type only support OAuth (client credentials) or M2M (machine-to-machine) auth. Based AgentCore Identity documentation, to using M2M auth need create a user pool, resource server, client credentials, and discovery URL configuration.

Create AgentCore Identity for Runtime Outbound Auth. This step is so that agent/tool can access Gateway target such as MCP server, OpenAPI/REST API, API Gateway, Lambda function.

Create AgentCore Gateway using Gateway User Pool. This step is to integrate MCP server on AgentCore Runtime to AgentCore Gateway.

Create MCP Server on AgentCore Runtime as a AgentCore Gateway target. This step is to invoke MCP server via Gateway target to Runtime.

Try invoke MCP Server using Langchain MCP Client.

CONCLUSION : Amazon Bedrock AgentCore Runtime can create MCP server and AgentCore Gateway can integrate between MCP server to gateway.

DOCUMENTATION :

GITHUB REPOSITORY : https://github.com/budionosanai/amazon-bedrock-agentcore-one-to-one/tree/main/mcp-server

Thank you,
Budi :)

Amazon Bedrock AgentCore : Runtime with Langgraph, CrewAI and Google Gemini

Budiono Santoso — Tue, 06 Jan 2026 04:55:28 +0000

Amazon Bedrock AgentCore is a agentic platform for building, deploying, and operating agents using any framework and any foundation model.

AgentCore Service	Description
AgentCore Runtime	Serverless agent and tools such as MCP and A2A deployment.
AgentCore Gateway	Connect agent to services such as Lambda function and API that converted to MCP compatible.
AgentCore Identity	Identity and access management for agent and tool.
AgentCore Memory	Store context across interaction both short-term and long-term.
AgentCore Browser	Browser runtime that interact with web app.
AgentCore Code Interpreter	Execute code across multiple languages such as Python.
AgentCore Observability	Monitoring agent and tools in Amazon CloudWatch.
AgentCore Evaluation	Improve agent quality and performance.
AgentCore Policy	Control agent and tool interaction.

However, I create 3 blog only for explain how to AgentCore works.

AgentCore Runtime using Langgraph, CrewAI, Google Gemini and AgentCore Observability (this blog).
MCP Server on AgentCore Runtime and AgentCore Gateway this blog
AgentCore Identity and AgentCore Memory.

FLASHBACK : I have already created AI candidate screening agent using Langgraph, CrewAI and Amazon Nova on Amazon Bedrock in my Github repository. I think it is time to deploy this AI agent to Amazon Bedrock AgentCore Runtime with Google Gemini.

REQUIREMENTS :

AWS account (or AWS credentials), you can sign up/sign in here
Google Gemini account, you can sign up/sign in here
Langgraph and CrewAI.

The AWS services used by this AI agent such as :

Amazon S3 : upload file from local to S3 and download file from S3 to AI agent processes.
AWS Secret Manager : store Gemini API Key and LLM inference in AI agent.
AgentCore Runtime and AgentCore Observability (or CloudWatch Logs).
AgentCore Starter Toolkit : quickly configure and deploy AI agent with several AWS services such as Amazon ECR, AWS CodeBuild, and AWS IAM.

STEP-BY-STEP :

A. Creating Amazon S3 bucket and store Gemini API key in AWS Secret Manager.

Use this code to create a Amazon S3 bucket.

s3 = boto3.client('s3', 'us-west-2')
s3.create_bucket(
    Bucket="screening-candidate",
    CreateBucketConfiguration={
        'LocationConstraint': 'us-west-2'
    }
)
print("This bucket is now available.")

Use this code to create Gemini API Key in AWS Secret Manager.

apikey = boto3.client('secretsmanager', 'us-west-2')
secret_dict = {"GEMINI_API_KEY": gemini}
response = apikey.create_secret(
    Name=secret_name,
    Description="Gemini API Key",
    SecretString=json.dumps(secret_dict)
)
print("Gemini API Key is now stored.")

B. Langgraph and CrewAI Development

Use this code to packaging AgentCore Starter Toolkit with AI agent code.

from bedrock_agentcore.runtime import BedrockAgentCoreApp
app = BedrockAgentCoreApp()

Explaining the above code:

from bedrock_agentcore.runtime import BedrockAgentCoreApp means import runtime.
app = BedrockAgentCoreApp() means initialize runtime.

Use this code to retrieve Gemini API Key from AWS Secret Manager.

secretmanager = boto3.client('secretsmanager', region_name="us-west-2")
response = secretmanager.get_secret_value(SecretId='geminiapikey')
secret_json = json.loads(response["SecretString"])
api_key = secret_json["GEMINI_API_KEY"]
llm = init_chat_model("google_genai:gemini-2.5-flash", google_api_key=api_key)

Explaining the above code:

from first row until four row means retrieve Gemini API key from AWS Secret Manager.
last row means initialize Langgraph/Langchain chat model using Gemini 2.5 Flash with Gemini API Key.

This structure is very important for creating AI agent using Langgraph or CrewAI.

Candidate upload CV PDF file then extract CV PDF file.
Compare and Match between Job Requirements and CV.
Score to the Next Step of the Recruitment Process.
Create Rejection or Interview Email.
Create Interview Question for candidate who pass the interview session.

Use this code to configure the AgentCore Runtime.

from bedrock_agentcore_starter_toolkit import Runtime
agentcore_runtime = Runtime()
region = "us-west-2"
agent_name = ... # gemini_Langgraph or gemini_crewai

response = agentcore_runtime.configure(
    entrypoint= ... # langgraph or crewai
    auto_create_execution_role=True,
    auto_create_ecr=True,
    requirements_file="/runtime/requirements.txt",
    region=region,
    agent_name=agent_name
)
response

Explaining the above code:

from first row until second row means import and initialize AgentCore Runtime.
agentcore_runtime.configure means configure the AgentCore Runtime with entry point (AI agent Python code), create IAM role for Runtime, create ECR image, requirements (install libraries), region and agent name.

Use this code to launch AI agent to AgentCore Runtime. Wait up to one minute.

launch_result = agentcore_runtime.launch()

C. TROUBLESHOOTING / VERY IMPORTANT INFORMATION

After AgentCore Runtime is available then invoke AI agent and get error like this screenshot below.

Open CloudWatch Logs or AgentCore Observability to see what happened with this error.

Go to Amazon Bedrock AgentCore -> Agent runtime then click your agent name that already created. Click "Observability dashboard" or "Cloudwatch logs" to see this error.

This error is happened because secretsmanager:GetSecretValue action is not allowed in IAM role for Runtime.

Go to Amazon Bedrock AgentCore -> Agent runtime then click your agent name that already created.

Click "Version 1" then click IAM service role of Permissions (e.g. AmazonBedrockAgentCoreSDKRuntime-{region-name}-{random-number-letter}) like above screenshot.

Click IAM policy name that related (e.g. BedrockAgentCoreRuntimeExecutionPolicy-{your-agent-name}) like above screenshot.

Go to AWS Secret Manager, click secret name then copy Secret ARN of Gemini API Key.

Add your Secret ARN of Gemini API Key in resource of "secretsManager:GetSecretValue" action with this code :

arn:aws:secretsmanager:us-west-2:{aws_account_id}:secret:geminiapikey-{random-number-letter}

Add S3 access action like this screenshot below :

Click Next, click Save, and view the IAM policy after changing it.

Try invoke agent runtime again.

Open AgentCore Observability or CloudWatch Logs. I prefer open AgentCore Observability like this screenshot and invocation completed successfully.

D. AgentCore Observability

Open AgentCore Runtime -> Agent runtime then click your agent name that already created. I have already created one AI agent using Langgraph and one using CrewAI. For this tutorial, I am using Langgraph because observability of Langgraph and CrewAI is the same.

Click View dashboard.

Click Sessions and click session ID.

Click "CloudWatch logs" in Agent runtime that automatically open a new tab and see log events like this screenshot.

Open Amazon ECR (Elastic Container Registry) console then click image of agent runtime like this screenshot.

Open AWS CodeBuild console then click build of agent runtime like this screenshot.

CONCLUSION : Amazon Bedrock AgentCore Runtime can handle AI agent request while AgentCore Observability can help monitoring session and trace of AI agent. I using AWS CDK for infrastructure as code to improve my AI engineering skill. Stay tune!

DOCUMENTATION :

GITHUB REPOSITORY : https://github.com/budionosanai/amazon-bedrock-agentcore-one-to-one/tree/main/runtime

Thank you,
Budi :)

Amazon Quick Suite : Quick Sight

Budiono Santoso — Sat, 29 Nov 2025 03:05:08 +0000

Amazon Quick Sight is business intelligence AI-generated powered platform that can create data visualization from many more data source, create dashboard, story, scenario, topic.

REQUIREMENTS :

AWS account, you can sign up/sign in here
Sales dataset, you can see this link

STEP-BY-STEP :

A. Quick Sight - Dataset

Select "Datasets" in Quick Sight @ Quick Suite console. Click "Create dataset", click "Upload a file", upload sales dataset then click "Visualize". Select "Interactive sheet" and click "Create" to create analyses based sales dataset.

B. Quick Sight - Analyses

In the "Analyses", create several analysis based sales dataset.

However, several analyses are made using AI-generated (Build button) such as :
Top 3 products based highest sales.

Top 3 products based highest profit.

Top 3 countries based highest sales.

Top 3 countries based highest profit.

Top 3 customers based highest sales.

Top 3 customers based highest profit.

% of sales coming from discounts.

After analyses process is done, click "Publish" to create dashboard. Select new dashboard, write dashboard name, select sheets (can select several sheets or all sheets) then click "Publish dashboard".

C. Quick Sight - Dashboard

This dashboard is derived from analysis that has already been created with same visualizations unchanged.

Click "Create". If want to create presentation-based or page-based story, select "Story" and if want to create insight of data, select "Scenario".

D. Quick Sight - Stories

Write description story that you want, select several or all visuals from analyses or dashboard and click "Build".

The story is now available automatically scrollable-page-based format.

Change from scrollable-page-based to slideshow-based format. Total of slide is 15 slides.

E. Quick Sight - Scenario

Write description problem that need to solve, select data from Quick Sight dashboard that already created then click "Start analysis".
After analysis process is done, available several questions or threads. You can choose question or write question that you needs.
This scenario has 3 questions or threads that explain about sales and profit.

CONCLUSION : Amazon Quick Sight can help create analyses from dataset with several visualization and AI-generated visualization, create dashboard for sharing, create story for presentation to business user and create scenario to get insight from dashboard.

Thank you,
Budi :)

Amazon Quick Suite : Quick Flow and Quick Research

Budiono Santoso — Fri, 28 Nov 2025 12:32:56 +0000

REQUIREMENTS :

AWS account, you can sign up/sign in here
Amazon Quick Suite : Integration and Extension blog, you can see this blog

A. Amazon Quick Suite : Quick Flow

PROBLEM : Manual check CV screening need more time, human bias (name, gender, age) then unfair decision and CV format are different.

SOLUTION : Automated CV screening system that extracts candidate information, scores against job requirements, and conditionally sends interview questions to Slack and interview email to Gmail OR rejection email based on scoring criteria.

STEP-BY-STEP :

Open "Flow" in the Quick Suite console. Select "Generate" or "Create a blank flow". Use "Generate" if creating a flow using prompt and use "Create a blank flow" if creating a flow from scratch. In this tutorial, click "Generate". Wait a few seconds to generate flow.

Upload file PDF only, extract CV PDF, compare and match between job requirements and CV extracted. 
Then result of next step must pass 7 of 10 and create condition.
If result are 7 or more of 10, create 5 interview question based CV extracted and 2 interview question based 
leadership note, 
send all interview question to Slack "team-channel" channel then send email simple body about interview 
date/time is 3 days after result is available to candidate that available in the CV extracted.
If result are less 7 of 10, create thank you for your applications in the subject, very simple explanation 
in the body and send email to candidate email that available in the CV extracted.

The result of generating flow using prompt are shown here. The input for this flow uses file to upload a CV PDF file and text to enter job requirements and leadership notes

The output of extract CV information AND compare and score CV match uses AI-generated response.

This flow have conditional processing that uses reasoning instruction to understand if-else condition based scenario if score is 7 or more out of 10 process with interview process and if less than 7 send rejection email. The action of send interview question to Slack channel, send interview invitation email and send rejection email uses application actions/integration that already created.

Amazon Quick Suite - Flow have several component such as in this screenshot.

Next to "Editor" and click "Run mode". Testing upload FIRST CV PDF file, write job requirements and leadership notes then click "Start".

Job Requirements :

Minimum Bachelor's degree in Computer Science, Data Science, Artificial Intelligence, or a related field. 
Minimum 2 years of experience in AI/ML development. In-depth understanding of machine learning, deep learning, NLP, and recommendation systems. 
Proficiency in Python programming languages (TensorFlow, PyTorch, Scikit-learn, HuggingFace). 
Experience in data preprocessing, feature engineering, and model deployment. 
Experience with containerization and orchestration (Docker, Kubernetes). 
Understanding of MLOps (CI/CD for ML), ML pipelines, and model monitoring concepts. 
Experience using cloud AI services (Amazon Sagemaker, GCP Vertex AI, or Azure ML) is a plus.

Leadership Notes :

Lead by Example : Be honest, reliable, and show respect to everyone. 
Communicate Clearly : Keep messages simple and open and listen before deciding. 
Support the Team : Help others grow and learn and appreciate good work. 
Focus on Results : Set clear goals and track progress and fix problems, not blame people. 
Encourage Innovation : Allow new ideas and experiments and learn from mistakes. 
Customer First : Think about how your work helps users. 
Keep Learning : Stay updated with technology and leadership skills.

Wait a few seconds to extract CV information AND compare and score CV match.

The conditional processing is thinking by evaluating score condition and having to know what action to take next. In this FIRST flow, the result of conditional processing is send rejection which means the next action is send rejection email. Then human review is needed and click "Submit".

Go to Gmail account, check and see new inbox like this. It means Gmail send rejection email action is successfully.

Next to "Run mode" and click "New run". Testing upload SECOND CV PDF file, write job requirements and leadership notes then click "Start". Wait a few seconds to extract CV information AND compare and score CV match.

The conditional processing is thinking by evaluating score condition and having to know what action to take next. In this SECOND flow, the result of conditional processing is process to interview which means the next action is send interview invitation email and send interview question. Then human review is needed and click "Submit".

The send rejection email is not have "Submit" button means this action do not needed.

Go to Gmail account, check and see new inbox like this. It means Gmail send interview invitation email action is successfully.

Go to Slack channel in Slack account, check and see new message like this. It means Slack send message channel (send interview question) action is successfully.

CONCLUSION : After using Amazon Quick Suite - Flow with several components such as AI-generated response, action/integration and reasoning instruction, the impacts include focusing on interview that can deepen candidate, saving time, increasing recruitment efficiency, reducing bias during initial selection and hiring candidate faster.

B. Amazon Quick Suite : Quick Research

PROBLEM : Need days, weeks, or months to research, being confused about how to write research note that can share important information and opening more websites for research is also confused.

SOLUTION : Using Quick Research and company document file to create research plan, full research and summaries of full research.

STEP-BY-STEP :

Open "Research" in the Quick Suite console. Write research objective, enable web search, upload file such as company document file then click "Create plan". Wait a few seconds to generate research plan.

We are a worldwide IT consulting company focused on AI technologies such as generative AI.
Plan and explain AI technology developments since January 2023 until now for decision-making report which will be reported to C-level directors.
We focus on emerging AI technology developments, such as agentic AI, physical AI, and new AI technology that very never heard and next-generation.
The result is a technology stack for AI technology development (must be compared and explained), business side including ROI (return on investment), AI trends and predictions through 2030.
Use the document-based file upload and web search for this detailed and complex research.

After research plan are is available, can edit or revise plan based needs. Click "Start researching" if don't need to revise the plan again. Wait about 30-60 minutes to generate full research.

After full research are is available, can add comment or highlight to make sure this research better. Click "Summarize" to create summarize of full research.

The research summary can be downloaded in PDF or Word format.

CONCLUSION : After using Amazon Quick Suite - Research, the impacts include from first step to last step only need one hour to create research plan, full research and summarize of full research without confused.

Thank you,
Budi :)

Amazon Quick Suite : Integration and Extension

Budiono Santoso — Fri, 28 Nov 2025 07:12:56 +0000

Amazon Quick Suite is a generative AI-based business intelligence platform that makes it easy to analysis data, create visualizations, automate workflows, and collaborate across dataset.

Amazon Quick Suite have five integrated capabilities that work together:

Amazon Quick Sight for data visualization.
Amazon Quick Flows for workflow automation.
Amazon Quick Automate for process optimization.
Amazon Quick Index for data discovery.
Amazon Quick Research for comprehensive analysis.

However, I create 3 blog only for explain how to Amazon Quick Suite works.

Amazon Quick Suite - Integration and Extension (this blog).
Amazon Quick Suite - Flows and Research this blog
Amazon Quick Suite - Quick Sight this blog

For my Amazon Quick Automate blog is coming soon...

REQUIREMENTS :

AWS account, you can sign up/sign in here
Zapier account for MCP (Model Context Protocol), you can sign up/sign in here
Slack account, you can sign up/sign in here
Gmail account, you can sign up/sign in here

STEP-BY-STEP :

A. Zapier MCP (Model Context Protocol)

I use Zapier because Zapier and Amazon Quick Suite support MCP. Open your Zapier MCP website. Create MCP server with click "+ New MCP Server".
Select "Other" in the MCP Client, write MCP name "Amazon Quick Suite MCP Server" and click "Create MCP Server".
Click "+ Add tool" in the Tools. The tools used in this tutorial are Slack to send message to channel and Gmail to send email.
Click "Gmail" then click "Send Email". Connect your Gmail account. After your Gmail account is connected, click "Save".
For Slack, follow instruction number 4 (Gmail) but for the action, click "Send Channel Message".
Select "Connect" and copy OAuth Server URL to connect to Amazon Quick Suite integration.

B. Amazon Quick Suite - Integration

Open your AWS account, search and click Amazon Quick Suite service that automatically opened a new tab. Click "Sign up for Amazon Quick Suite".
Write your account name and email for account notifications. The email for account notifications can be different from your AWS account email.

Click "Go to Amazon Quick Suite".
I need integration because will used to Quick Flow. Go to "Integrations", create Amazon Quick Suite integration using MCP (Model Context Protocol) like this screenshot.
Write integration name, description, copy the MCP server endpoint from Zapier MCP. Click "Next" then click "Create and continue".
Zapier MCP now available in Amazon Quick Suite integration. Select "Zapier MCP" then click "Test action APIs".
Test Gmail send email action, write instruction then click "Submit". The result of API response available in seconds.

This is API response that success.
Back to Zapier MCP, select "History". The first action "Gmail send email" is available like this.
Go to Gmail account, check and see new inbox like this. It means Gmail send email action is successfully.
Then back to Quick Suite console, click "My Assistant" and write chat of instruction/action like this and click Enter. But need human review before send email action is run with click "Submit".
Go to Gmail account, check and see new inbox like this. It means Gmail send email action is successfully.

C. Amazon Quick Suite - Extension

Click this Amazon Quick Suite extension link and choose a browser that best suits your needs. I am using Google Chrome for this extension.
After installing the browser extension, click on the extension in the browser and a sign-in screen will appear as shown in the screenshot. Click "Sign in", enter Quick Suite account name then click "Next".
Open any PDF file and can ask any question such as "Summarize only the contents of ..."
Write "write this summary and send to Slack channel" in the chat extension. This action need human review before send the summary to the Slack channel with click "Submit".

This action successfully sent the summary to the Slack channel.
Go to Slack account, check and see new chat in the channel. It means Slack send channel message action is successfully.

CONCLUSION : Amazon Quick Suite can integrate with other tools such as Zapier MCP that already have several tools and actions. Amazon Quick Suite also can integrate with browser extension. The result of two tools (Gmail and Slack) and two actions are is successfully.

Thank you,
Budi :)

RAG (Retrieval Augmented Generation) using Amazon Bedrock and Pinecone

Budiono Santoso — Sun, 06 Jul 2025 04:47:41 +0000

UPDATE : AWS have Amazon Bedrock AgentCore that can create AI agent using memory, identity, gateway, observability, also connect with AI agent framework such as Langgraph, CrewAI, etc. I want to write about this service. Stay tune!

PROBLEM : Previous support have problems such as repeated customer questions, slow response times and limited availability.

SOLUTION : I build a Retrieval-Augmented Generation (RAG) system to improve financial customer service.
I created Bedrock Knowledge Base using Amazon Titan Embedding and Pinecone, store knowledge base (CSV or PDF or anything) to S3, testing knowledge base before deploy to Bedrock Agent.
After deploy to Bedrock Agent, try invoke this agent make sure successfully when LLM retrieve information from knowledge base then answer the question.

REQUIREMENTS :

AWS account, you can sign up/sign in here
Pinecone account to get Pinecone API key, you can sign up/sign in here

STEP-BY-STEP :

A. I use Pinecone because most widely used vector database product, has a free vector database index, and can connect to Amazon Bedrock. Open a Pinecone account and create a database index using the following steps.

Click "Create index".
Select text embedding. Click "llama-text-embed-v2".
Configure text embedding such as dimension to 512.
Select the capacity mode and cloud provider. However, for the starter plan, select serverless and AWS only. You cannot select pods or other cloud providers such as Google Cloud and Azure.
You cannot select other region. Click "Create index".

B. Open your AWS account, search for the AWS Secret Manager service, create a Pinecone secret key using the following steps.

Click "store a new secret".
Select "Other type of secret". Fill in the key/value as Pinecone API Key. It must be "apiKey" and Pinecone API Key because when I fill different other than "apiKey", such as "pineconeapikey", will failed.
Fill in the secret name and click "Store".
After Pinecone API key is stored, copy secret ARN.

C. Create Amazon Bedrock Knowledge Base and Agent using boto3 SDK. The source code is here.

Knowledge base.

Knowledge base overview.

Embedding model using Amazon Titan Embedding and vector database using Pinecone.

Data source from Amazon S3.

Data source configuration.

Sync all knowledge base. This knowledge base sync cannot be sync automatically, it must be updated manually.

Copy inference profile ARN. For this tutorial, copy US Nova Micro. I using Amazon Nova Micro because need text only, lowest latency response and very low cost.

Testing the knowledge base based question outside knowledge base before deploy to Bedrock Agent.

Testing the knowledge base based question inside knowledge base before deploy to Bedrock Agent.

But, if want to sync from another S3 bucket, how to sync? I explain this solution.

Go to IAM then click IAM role for Bedrock Knowledge Base like this. Click S3 policy.

This policy only can sync for "all-in-bedrock" S3 bucket. But if I want to sync another S3 bucket. Example I have S3 bucket name "bedrock-kb", can't sync because this S3 policy can't detect.

Editing S3 policy configuration like this screenshot to can sync all S3 bucket.

Go to Amazon Bedrock then click Agent overview.

Bedrock Agent detail.

Instruction for this agent using Amazon Nova Micro.

Associate agent with knowledge base that already created.

Bedrock Agent version and alias.

Copy inference profile ARN. For this tutorial, copy US Nova Micro. I using Amazon Nova Micro because need text only, lowest latency response and very low cost.

Testing Bedrock Agent with scenario if a question is not related with knowledge base. Result is the agent cannot answer because outside knowledge base.

Testing Bedrock Agent with scenario if a question is related with knowledge base. Result is the agent can answer because inside knowledge base.

You can see result of testing other question at this source code.

CONCLUSION : After created this project, I get impact such as get accurate and faster response, no need training or fine-tuning from scratch, less hallucination, appropriate handling of reworded questions, refuse to answer of off-topic question and efficiency operational.

Through this project, I learn hard skills such as vector databases (Pinecone), embeddings (Amazon Titan), and LLMs (Amazon Nova). I also learn soft skills such as continuous learning because AI trend change faster and detail orientation to make sure answer from question is right and according to dataset.

Thank you,
Budi :)