Amazon Bedrock Agentcore (bedrock-agentcore)

2025-10-15

1 new action, 6 new conditions | 8 updated actions, 5 updated resources

Additions

Actions

CompleteResourceTokenAuth
- Description: Grants permission to retrieve access token with OAuth2 for 3LO flow to access external resource
- Access: Read
- Resources:
  Name: oauth2credentialprovider
  
  Required: Yes
  
  Name: token-vault
  
  Required: Yes
  
  Name: workload-identity
  
  Required: Yes
  
  Name: workload-identity-directory
  
  Required: Yes
- Conditions:
  bedrock-agentcore:InboundJwtClaim/iss
  
  bedrock-agentcore:InboundJwtClaim/sub
  
  bedrock-agentcore:InboundJwtClaim/aud
  
  bedrock-agentcore:InboundJwtClaim/scope
  
  bedrock-agentcore:InboundJwtClaim/client_id
  
  bedrock-agentcore:userid

Conditions

bedrock-agentcore:InboundJwtClaim/aud
- Description: Filters access by the audience claim (aud) in the JWT passed in the request
- Type: ArrayOfString
bedrock-agentcore:InboundJwtClaim/client_id
- Description: Filters access by the client_id claim in the JWT passed in the request
- Type: String
bedrock-agentcore:InboundJwtClaim/iss
- Description: Filters access by the issuer (iss) claim present in the JWT passed in the request
- Type: String
bedrock-agentcore:InboundJwtClaim/scope
- Description: Filters access by the scope claim in the JWT passed in the request
- Type: ArrayOfString
bedrock-agentcore:InboundJwtClaim/sub
- Description: Filters access by the subject claim (sub) in the JWT passed in the request
- Type: String
bedrock-agentcore:userid
- Description: Filters access by the static user ID value passed in the request
- Type: String

Updates

Actions

CreateBrowser
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:TagKeys
CreateWorkloadIdentity
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:TagKeys
DeleteAgentRuntime
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:TagKeys
GetWorkloadAccessTokenForUserId
- ＋ bedrock-agentcore:InboundJwtClaim/iss
- ＋ bedrock-agentcore:InboundJwtClaim/sub
- ＋ bedrock-agentcore:InboundJwtClaim/aud
- ＋ bedrock-agentcore:InboundJwtClaim/scope
- ＋ bedrock-agentcore:InboundJwtClaim/client_id
GetWorkloadIdentity
- ＋ bedrock-agentcore:userid
ListWorkloadIdentities
- ＋ apikeycredentialprovider
- ＋ oauth2credentialprovider
- ＋ token-vault
- ＋ workload-identity
- ＋ workload-identity-directory
UntagResource
- ＋ apikeycredentialprovider
- ＋ oauth2credentialprovider
- ＋ token-vault
- ＋ workload-identity
- ＋ workload-identity-directory
UpdateAgentRuntime
- ＋ apikeycredentialprovider
- ＋ oauth2credentialprovider
- ＋ token-vault
- ＋ workload-identity
- ＋ workload-identity-directory

Resources

workload-identity
- ＋ aws:ResourceTag/${TagKey}
oauth2credentialprovider
- ＋ aws:ResourceTag/${TagKey}
apikeycredentialprovider
- ＋ aws:ResourceTag/${TagKey}
workload-identity-directory
- ＋ aws:ResourceTag/${TagKey}
token-vault
- ＋ aws:ResourceTag/${TagKey}