Replaces `ghcr.io/astral-sh/uv:python<ver>-bookworm-slim` with
`public.ecr.aws/docker/library/python:<ver>-slim-trixie` and copies
the `uv`/`uvx` binaries from `ghcr.io/astral-sh/uv:latest`.
The bookworm base ships an OpenSSL build affected by a CVE; trixie
ships the patched version (OpenSSL 3.5.5). Python minor versions are
preserved per Dockerfile (3.11/3.12/3.13/3.14) so dependency
resolution is unchanged.
Verified end-to-end on the riskiest Dockerfile
(claude-agent/claude-sdk — apt nodejs via NodeSource, uv pip install,
Python 3.11): image builds, container starts, /ping returns healthy.
* temp
* Token exchange
* README.md
* Adding column-level access control
* Fixed S3 bucket creation outside us-east-1
* After dry-run testing
* Cleanup
* Rollback unnecessary change
* Rollback unnecessary change
* Rollback unnecessary change
* Added Architecture diagram and tested / fixed notebooks 01-03
* Fix aws path and invalid notebook for 06
* Securing the code
* Fixed the error - Error executing secure Athena query: Query failed: COLUMN_NOT_FOUND: Column 'adjuster_user_id' cannot be resolved or requester is not authorized
* Added scenarios, updated README and enhanced Architecture diagram to show latest changes
* Clarify deletion of DynamoDB table in the cleanup step
* Updated readme with scenario screenshots, added masking for PII for adjuster with wildcard exclude list
* Completed end to end testing for all scenarios
* Updated README and added Dockerfile to gitignore
* Updated README to remove Production Ready clause
* Fixed Pylint issues - f-string with no placeholders and empty except
---------
Co-authored-by: Gi Kim <giryoong@amazon.com>
Co-authored-by: Sunita Koppar <skoppar@amazon.com>
Adds a production-grade reference implementation demonstrating RFC 8693
Token Exchange in a multi-agent system on AWS Bedrock AgentCore Runtime.
The coordinator agent exchanges the user's Auth0 JWT for attenuated,
least-privilege tokens before invoking each sub-agent — implementing
scope attenuation across a 3-agent financial services system.
Key features:
- OAuth 2.0 PKCE login flow via Auth0
- RFC 8693 Token Exchange with per-agent scope policies
- 3 agents: coordinator, customer_profile, accounts
- Streamlit web UI with JWT viewer and API call log
- AWS Secrets Manager integration
- OpenTelemetry observability
- Shell script and CDK deployment options
- Unit test suite
* Fix wording typo in notebook about user consent flow
cosmetic update
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
* Add pyyaml to requirements.txt
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
* Add HardikThakkar94 to CONTRIBUTORS.md
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
* Updates to fix the Streamlit app access when running in sagemaker
Modified
- Requirements.txt (added dependencies)
- chatbot_app_cognito.py (added get_streamlit_url, for sagemaker access)
- runtime_with_strands_and_egress_3lo.ipynb (streamlit piece for access url, cosmetic updates)
* Fixing Ruff errors reported by python-lint
* removing Ruff errors from python-lint
* passing 3.7 as the model for workshop
* Docs: add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook
* Revert "Docs: add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook"
This reverts commit 5dded4c38a.
* Add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook
* cosmetic fix
* Updating OpenAI URL
* Added instructions on the OAuth flow session binding and Streamlit functionality
* All imports are now properly organized at the top of the file, following Python best practices (PEP 8). The linting errors should now be resolved:
- ✅ runtime.py:18:1: E402 - Fixed
- ✅ runtime.py:19:1: E402 - Fixed
- ✅ runtime.py:19:20: F811 - Fixed
- ✅ runtime.py:25:1: E402 - Fixed
* formatting fixed
* Update Identity Outbound tutorial notebooks with corrections and improvements:
1. 05-Outbound_Auth_3lo notebook: Fixed credential provider name typo
2. 06-Outbound_Auth_Github notebook: Multiple improvements including:
- Updated description text for GitHub-specific use case
- Reorganized imports (moved to top of cell)
- Added boto session and region setup
- Reordered OAuth flow description
- Restructured notebook sections (removed redundant policy section, added clearer status check and invoke sections)
- Fixed credential provider name reference
* Fixed Identity Sections based on SageMaker (Workshop) to handle oauth2_callback_server and other cosmetic updates.
* Remove unused import and added permissions for 1st time model access for workshops
* formatting fixed.
* parameterize provider, update github image.
* added import boto3 and updated image for GitHub Session Binding
* Update Model and Remove Global Var
* Travel and Shopping concierge agents blueprints
* add missing contributors for the blueprint
* fix python-lint errors
* CodeQL fixes and config
* fix python-lint unused imports
* fix python-lint
* fix linter and cql issues
* run linter
* update codeql suppressions
* suppress codeql
* Revert accidental changes to 01-tutorials and 03-integrations
Remove files accidentally added to 01-tutorials and 03-integrations in previous commits.
These changes were not intended to be part of the blueprint additions.
Reverted files:
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/.dockerignore
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/Dockerfile
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/github_agent.py
- 03-integrations/IDP-examples/EntraID/.agentcore.json
- 03-integrations/IDP-examples/EntraID/.dockerignore
- 03-integrations/IDP-examples/EntraID/Dockerfile
- 03-integrations/IDP-examples/EntraID/strands_entraid_onenote.py
* fix formatting
* Update 05-blueprints/shopping-concierge-agent/tests/utils.py
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
* removed tests folders.
* remove info logging
* remove logging
* codeql suppressions
* Update server.py
# codeql[py/clear-text-logging-sensitive-data] Debug logging for certificate verification - logs metadata only, not private key content
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
* Updating .gitignore and adding lib folder required for the shopping and travel concierge agents
* Add Demo video for agents
* Update demo section in README.md
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
* Add Demos as Gif, update LFS and add note in ReadMe
* remove the .mp4 files as they are not supported
* change to google products and remove travel specific
* update product link
* fix url in shopping list and purchases
* remove amazon
* Add Visa B2B Use Case
* fix pylint
* CodeQL Fixes
---------
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
Co-authored-by: HT <hardikvt@amazon.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Lakehouse agent which supports role based access control and row level data access protection at data layer
* Updated the auth flow and moved instructions into notebooks
* Completed a draft
* notebooks added
* Fix: Add aws_session_utils.py to MCP server and update import
* Debug: Add version print statement to verify deployment
* Replace print statements with logging module for OpenTelemetry capture
* Update agent JWT config to accept both app and M2M client IDs
* End to end testing. Readme updated with screenshots
* End to end testing. Readme updated with screenshots
* Added streamlit notebook
* Removed redundant files
* Added Gi and Sunita to CONTRIBUTORS.md
* Added alias
* Update time needed to test values
* added cleanup notebook
* Added architecture diagram
* Ensured local files are cleaned up which was causing stale state of the MCP server and leading to Auth issues
* Ignore errors for optional parameters
* Fixed cleanup issues and ensured end to end cleanup and restore
* Explanation of oauth and authentication flow from user to MCP
* Fixed typo
* updated README
* Correct README to remove Lake Formation references. Lake Formation does not support dynamic column filters. Reverting to use interceptors only
* Added TODO with current limitations of Lake Formation
* Added TODO with current limitations of Lake Formation
* Cleanup of acct id masking file
* Added SSO based credential loading which will default to region of the SSO profile as fallback if no valid credentials are available in .env
* Fixing region resolution to be consistent resolution pattern
---------
Signed-off-by: Sunita Koppar <47020304+skopp002@users.noreply.github.com>
Co-authored-by: Sunita Koppar <skoppar@amazon.com>
Co-authored-by: Gi Kim <giryoong@amazon.com>
* Add Cost Optimization Agent use case
- Single-agent LLM-powered AWS cost monitoring and optimization
- Uses Strands framework with Claude 3.5 Sonnet
- Includes 5 tool functions for cost analysis
- Supports Cost Explorer, Budgets, and CloudWatch APIs
- Complete deployment automation with Python SDK
- Comprehensive documentation and architecture diagram
* Update CONTRIBUTORS.md
Add contributor name to CONTRIBUTORS.md
* Fix linting errors in cost-optimization-agent
- Remove unused imports: get_budget_status, forecast_budget_overrun, calculate_burn_rate from cost_optimization_agent.py
- Remove unused json import from test_local.py
- Remove unused Optional import from budget_tools.py
- Fix f-strings without placeholders in test_agentcore_runtime.py
Resolves python-lint check failures.
* Address security review feedback and fix build issues
- Fixed LICENSE reference from MIT to Apache License 2.0
- Replaced all 'AWS Bedrock' with 'Amazon Bedrock' service name standardization
- Added AI/GenAI Usage Disclosure section explaining Claude 3.5 Sonnet usage
- Added Bias and Fairness Considerations section
- Enhanced Data Privacy section with classification and retention policies
- Added Data Encryption and Key Management section to ARCHITECTURE.md
- Fixed import issues by removing references to missing optimization_tools.py and memory_tools.py
- Updated tools/__init__.py to only import existing modules
- Fixed deploy.py required files list
- Aligned dependency versions between requirements.txt and pyproject.toml
- All Python files now compile and import successfully
Ready for aws-samples publication with proper security documentation and compliance measures.
* Fix Python code formatting with ruff format
- Applied ruff format to all Python files to fix CI linting failures
- Standardized quote usage (single to double quotes)
- Improved line length and multiline formatting
- Added proper whitespace and blank lines between functions
- Fixed docstring formatting and trailing spaces
- No functional changes - purely cosmetic formatting improvements
Resolves Python Code Quality check failures in CI pipeline.
* docs: restructure cost optimization agent documentation
- Remove images/README.md (not present in other projects)
- Restructure main README.md to be concise and focused on getting started
- Add comprehensive AI agent introduction and overview
- Include architecture diagram on main page
- Move detailed deployment instructions to DEPLOYMENT.md
- Maintain required sections: AI/GenAI usage disclosure, bias considerations, contributing guidelines
- Update license section to follow repository standards
- Improve natural flow and readability
* Fix dependency versions and update documentation
* Enhance cost optimization agent cleanup and deployment
* Fix ruff linting issues and format code
* added sample-spec folder and adobe spec in the folder
* changed overview architecture to white bg instead of transparent
* changed architecture flow diagram and added sample spec into README
* added demo vid
* added demo gif and rm vid
---------
Co-authored-by: Shanicus Yee (yeeshani) <your.email@example.com>
* Update the notebook to accommodate the latest starter kit change
* Update error handling and package import error
* Changed lambda function format
* modified requirement file on uvicorn package