mirror of synced 2026-05-22 22:53:35 +00:00
Commit Graph

519 Commits

Author SHA1 Message Date
Uriel Ramirez d4b3f6389a feat(02-use-cases): Long-term AgentCore Memory Facts (#1254)
* Long-term AgentCore Memory Facts

* Lib folder updated to utils

* Lib folder updated to utils

* User name included

---------

Co-authored-by: Uriel Ramirez <beralfon@amazon.com>
2026-04-15 10:21:46 -04:00
Bharathi Srinivasan 49b49bae60 Policy Notebook fallback for NL2cedar (#1324)
* add IGNORE_ALL_FINDINGS fallback and fix NB03 execution issues

* add fallback to policy creation cells

* fallback to all NL2Cedar usages
2026-04-14 17:05:10 -04:00
Ganesh Thiyagarajan cea7e355b0 Update: Fix the import and add runtime permission instruction (#1321)
* fix(notebooks): minor changes in the instructions

* Adding browser new features (profile, extensions and proxy) (#966)

* adding browser profile and firewall examples

* Fix browser samples and add domain filtering notebook

- Rename test_firewall.py to verify_domain_filtering.py
- Add verify_domain_filtering.ipynb notebook version
- Fix hhtp typo in SigV4 signing (both samples)
- Remove debug prints and unused imports
- Add BROWSER_ID env var validation with CFN export hint
- Replace httpbin.org with github.com (matches CFN AllowedDomains)
- Fix hardcoded S3 bucket name, add LocationConstraint
- Translate Portuguese comments/strings to English
- Remove unused strands-agents-tools from requirements.txt
- Remove commented-out code
- Add samples 09/10 to parent README

* Add sample 11: Browser with Squid proxy and S3 logging

- CFN template: VPC, Squid EC2 with basic auth, AgentCore Browser (VPC mode)
- Proxy credentials auto-generated in Secrets Manager
- Squid access logs synced to S3 every 5 minutes
- Browser security group locked to Squid:3128 only (no NAT)
- verify_proxy.py and .ipynb: start proxied session, verify IP matches Squid
- Parent README updated with sample 11 link

* adding / fixing features

* Fix browser execution role trust policy for CFN deployment

Add SourceAccount and SourceArn conditions to the browser execution
role trust policy in both CFN templates. Without these conditions,
the BrowserCustom CFN handler fails with HandlerInternalFailure.

Uses AWS::AccountId and wildcard region so it works in any account.

* adding extension / refactoring

* adding extension / refactoring

* finishing samples

* Clean up browser tool samples: remove local playwright install, fix lint and docs

- Remove 'playwright install chromium' from READMEs (remote browser, not local)
- Remove unnecessary f-string prefix in verify_domain_filtering.py
- Fix ASCII diagram alignment in proxy README
- Remove secret ARN from verify_proxy.py stdout
- Replace 'jupyter notebook' command with IDE-agnostic guidance

* fix: proxy auth bug + ruff lint/format across browser tutorials

11-browser-with-proxy:
- Fix htpasswd parsing passwords starting with '-' as flags (use stdin)
- Use ExcludePunctuation for secret generation instead of partial char list
- Use session.client() consistently, remove secret ARN printing
- Clear notebook outputs

09/10/12 + helpers:
- Fix ruff lint errors (unused import re, f-string without placeholders)
- Apply ruff formatting (line wrapping, quote consistency)
- Clear notebook outputs (12 had leaked AWS credentials)
- Update kernel metadata

* fix: install cronie on AL2023 for squid log sync cron job

* fix: browser tutorials cross-region bucket naming, deploy.sh region, and boto3 version pin

- Profiles & Extensions notebooks: bucket name now includes region to prevent
  cross-region S3 collisions when running demos in different regions
- deploy.sh: use AWS_DEFAULT_REGION/aws configure instead of hardcoded us-east-1
- Proxy requirements.txt: pin boto3>=1.42.47 (proxyConfiguration support)

---------

Co-authored-by: Joshua Samuel <sauhsoj@amazon.com>

* chore(deps): bump jsonpath (#972)

Bumps [jsonpath](https://github.com/dchester/jsonpath) from 1.1.1 to 1.2.1.
- [Commits](https://github.com/dchester/jsonpath/commits/1.2.1)

---
updated-dependencies:
- dependency-name: jsonpath
  dependency-version: 1.2.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Adding tutorial example for Gateway integration with IDE and tool - VS Code - Agentcore Gateway - Confluence (#790)

* Updating Policy tutorial for FGAC

* Updating Policy tutorial for FGAC

* Updating Policy tutorial for FGAC

* Updating Policy tutorial for FGAC

* Adding IDE Gateway integration example

* Fixing python-lint issues

* Fixing python-lint issues

* Fixing python-lint issues

* Adjusting proxy Lambda with commented lines

* Updated readme

* Updating README

* fix: include account ID in Cognito domain prefix to ensure global uniqueness (#979)

The Cognito domain prefix previously used only appName and region,
which could cause collisions across AWS accounts deploying the same
stack. Adding the account ID guarantees uniqueness.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* feat: add auto-register Bedrock Knowledge Bases on AgentCore Gateway tutorial (#980)

* added full example of enterprise mcp platform with policy engine mcp … (#982)

* added full example of enterprise mcp platform with policy engine mcp server filtering based on user_tag, guardrail for PII data

* fixed linting

* fixed linting

* fixing lint

* fixing lint

* fixing ruff

* FIXING RUFF

* fixing ruff

---------

Co-authored-by: brnaba-aws <brnaba@amazon.com>

* update evals package name (#985)

* update evals package name

* update evals package name

* Fix/add missing infrastructure files due to .gitignore (#942)

* feat: add missing CDK infrastructure files for knowledge-base-rag-agent

- Add all CDK stack files (api, cognito, storage, web-console, etc.)
- Add CDK constructs and utilities
- Fix web console S3 content-type bug with single BucketDeployment
- Add @aws-lambda-powertools/logger dependency for Lambda bundling
- Enable esbuild-based Lambda bundling (no Docker required)

This completes the knowledge-base-rag-agent infrastructure that was missing from the original PR.

* fix: add missing infrastructure files for knowledge-base-rag-agent

- Add exception to root .gitignore for knowledge-base-rag-agent/infrastructure/lib/
- This allows the critical CDK stack definitions and constructs to be tracked
- Without these files, developers cannot deploy the infrastructure
- Fixes the incomplete PR #923 that was missing the entire lib/ directory

The missing files include:
- 6 CDK constructs (API proxy, CORS config, Lambda utilities, etc.)
- 12 CDK stacks (API, Cognito, Database, Memory, Runtime, etc.)
- 1 utility file (NAG suppressions)

These are essential TypeScript source files, not build artifacts.

---------

Co-authored-by: Jerad Engebreth <awsjerad@amazon.com>

* AgentCore gateway - SQL injection prevention (#989)

* Add prompt injection prevention tutorial

* Updated Lambda

* SQL changes

* Lambda changes

* SQL naming changes

* fixes

* Added read me and minor changes

* Update service names

* fixes

* remove outputs

* fixes-1

* lambda lint

---------

Co-authored-by: jsbeardaws <jsbeard@amazon.com>

* docs: improve prerequisites for customer-support-agent-with-agentcore (#1008)

Expand the Prerequisites section with inline guidance for AWS CLI version
requirements, IAM permissions, and Bedrock model access — addressing
common first-time setup failures.

README.md:
- Add tip that deploy.sh runs pre-flight checks for all prerequisites
- Specify AWS CLI v2.32.0+ requirement (needed for `aws login`)
- Add step-by-step AWS credentials and permissions guidance
- Recommend AdministratorAccess + SignInLocalDevelopmentAccess policies
- Add Anthropic model access section (one-time usage form, not the
  retired Model Access page — Bedrock auto-enables since Oct 2025)
- Note CDK and AgentCore CLI are auto-installed by deploy.sh
- Add troubleshooting entry for `aws login` version error

scripts/deploy.sh:
- Add AWS CLI version check (warns if below v2.32.0)
- Add Bedrock model access check for Claude Sonnet 4.5
- Improve credential error message to reference `aws login`

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* adding session lifecycle info (#1014)

* fix: add npm cache preflight check and fix agentcore CLI commands in deploy.sh and README (#1015)

- Add npm cache ownership check to deploy.sh pre-flight section. A previous
  `sudo npm install` leaves root-owned files that cause EACCES errors.
- Fix deploy.sh and README.md to use `uv run agentcore` instead of bare
  `agentcore`, since the CLI is installed in the project venv via uv sync.
- Update troubleshooting table with `uv run` guidance.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* fix: add botocore[crt] dependency for aws login credential provider (#1016)

The README instructs users to authenticate via `aws login`, which uses
the CRT-based credential provider. Without `awscrt` in the project venv,
any boto3 call (e.g., cognito-user.py) fails with MissingDependencyException.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* fix: improve cognito-user.py UX for email and password handling (#1018)

* fix: improve cognito-user.py UX for email selection and password errors

- Replace free-text email input with numbered menu (1/2) to prevent
  users from entering emails that don't match backend mock data
- Show password requirements upfront before the password prompt
- Catch InvalidPasswordException and display friendly error message
  instead of a raw stacktrace

* style: apply ruff formatting

* fix: detect port 3000 collision before starting OAuth callback server

Check if port 3000 is available before attempting to bind. If in use,
exit with a clear error message and the command to free the port.

* fix: check port availability before opening browser in login flow

Move the port check to the start of do_login so it exits before
opening the browser or starting the callback server.

---------

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* docs: simplify console navigation for Policy Engine setup (#1020)

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* Replace Anthropic Claude references with Amazon Nova 2 Lite model (#1023)

* Replace Anthropic Claude references with Amazon Nova 2 Lite model
 

---------

Co-authored-by: nehatb <nehatb@amazon.com>

* Lifecycle Session Demos for Bedrock Agentcore runtime (#1026)

* feat(tutorials): Add inline session lifecycle demos to MCP server tutorials

Add inline session stop demonstrations and best practices sections to both
MCP server hosting tutorials. Updates include:

- Add inline session lifecycle demo after runtime launch
- Add Session Lifecycle Best Practices section before cleanup
- Update cleanup with security-validated ordering (credentials first)
- Make cleanup code active with proper try/except error handling

hosting_mcp_server.ipynb (OAuth):
- Inline demo is commented (OAuth doesn't support boto3 invoke)
- Cleanup order: Secrets → SSM → Runtime → ECR

hosting_mcp_server_iam_auth.ipynb (IAM):
- Inline demo is ACTIVE (IAM supports boto3 invoke)
- Demonstrates capturing runtimeSessionId and calling stop_runtime_session
- Cleanup order: SSM → Runtime → ECR

All changes follow security best practices to minimize credential exposure
windows during cleanup.

Requirements: 9.1, 9.2, 9.3, 9.4, 9.5, 6.2

* feat(tutorials): Add inline session lifecycle demos to MCP server tutorials

Add strategic session stop demonstrations throughout both MCP server tutorials
to teach proper session lifecycle management in context.

Changes:
- Add stop_runtime_session_oauth() helper function for OAuth bearer token auth
- Add Demo 1: Session stop immediately after runtime deployment
- Add Demo 2: Session stop between different test approaches
- Add Demo 3: Session stop after Boto3 testing (IAM notebook only)
- Update invoke_mcp_tools.py to include session stop with HTTP 200 response
- Add explanatory notes about expected 404 warning from MCP client cleanup
- Demonstrate mcpSessionId can be passed as header and used with stop_runtime_session
- Print HTTP status codes and Request IDs for all session stops

Verified:
- IAM auth: All session stops return HTTP 200 with Request IDs
- OAuth auth: Session stops work with bearer token via HTTP POST
- Single runtime successfully handles multiple sessions
- Runtime remains alive after stopping individual sessions

Requirements: 9.1, 9.2, 9.3, 9.4, 9.5

* feat(tutorials): Add inline session lifecycle demos to hosting-agent tutorials

Add strategic session stop demonstrations and lifecycle configuration to all
hosting-agent tutorials to teach proper session management in context.

Changes:
- Update billing language from 'GBHours' to 'vCPU and Memory based' costs
- Add inline session stop demos after agent invocations
- Add active lifecycle configuration demo with second runtime (300s timeout)
- Demonstrate stop_runtime_session with captured runtimeSessionId
- Update cleanup sections with try/except error handling
- Add Session Lifecycle Best Practices sections

Tutorials updated:
- 01-strands-with-bedrock-model/runtime_with_strands_and_bedrock_models.ipynb
- 02-langgraph-with-bedrock-model/runtime_with_langgraph_and_bedrock_models.ipynb
- 03-strands-with-openai-model/runtime_with_strands_and_openai_models.ipynb
- 04-crewai-with-bedrock-model/runtime-with-crewai-and-bedrock-models.ipynb

Verified:
- All notebooks demonstrate session stopping with boto3 invoke_agent_runtime
- Lifecycle configuration demos show shorter idle timeout (300s)
- Cleanup sections properly handle multiple runtimes
- Error-safe cleanup with individual try/except blocks

Requirements: 1.2, 6.1, 9.1, 9.2, 9.3, 9.4, 9.5

* refactor(tutorials): Simplify session lifecycle sections per reviewer feedback

Address reviewer feedback to remove confusing lifecycle configuration
references and simplify Best Practices sections.

Changes:
- Remove 'and show how to use a smaller lifecycle configuration' from inline demos
- Remove lifecycle configuration demo cells from hosting-agent notebooks
- Simplify Best Practices section to only 2 bullets (configure timeout, stop sessions)
- Remove confusing bullets about cleanup, deletion order, and minimum timeout

Updated notebooks:
- All 4 hosting-agent notebooks (strands-bedrock, langgraph, strands-openai, crewai)
- Both MCP server notebooks (OAuth and IAM)
- understanding-runtime-context notebook

Reviewer: @evandrofranco
PR: awslabs/amazon-bedrock-agentcore-samples#1026

* fix(tutorials): Restore lifecycle config demos with cleaned comments

Restore lifecycle configuration demo cells that were incorrectly removed.
The reviewer only asked to remove confusing comments, not the entire demo.

Changes:
- Restore lifecycle-config-demo markdown and code cells
- Keep the demo functionality (second runtime with 300s timeout)
- Remove only the confusing comments:
  - 'Using a shorter idle timeout for demonstration purposes'
  - 'A shorter idle timeout helps avoid undesired costs...'
- Keep all the actual demo code

This preserves the SPECIAL CASE requirement from tasks.md that these
notebooks should demonstrate active lifecycle configuration.

Updated: 4 hosting-agent notebooks

* fix(tutorials): Restore lifecycle demos and update Best Practices per reviewer

Complete implementation of reviewer feedback:

1. Removed confusing sentence from inline demo titles:
   - Changed 'Below we demonstrate stop_runtime_session and show how to use
     a smaller lifecycle configuration'
   - To: 'Below we demonstrate stop_runtime_session'

2. Removed confusing comments from lifecycle config demo code:
   - Removed 'Using a shorter idle timeout for demonstration purposes'
   - Removed 'A shorter idle timeout helps avoid undesired costs...'
   - Kept all actual demo code (second runtime with 300s timeout)

3. Simplified Best Practices section (all notebooks):
   - Reduced to 2 bullets: Configure idle timeout, Stop sessions when done
   - Removed 3 bullets about cleanup, deletion order, minimum timeout

Updated 6 notebooks:
- 4 hosting-agent notebooks (with lifecycle demos restored)
- 2 MCP server notebooks (Best Practices simplified)

Reviewer: @evandrofranco
PR: awslabs/amazon-bedrock-agentcore-samples#1026

* 03-integrations - Add Claude Agent SDK agentic patterns: subagents and hooks (#994)

* feat: add Claude Agent SDK orchestrator-workers pattern with subagents

Add new example demonstrating the Orchestrator-Workers agentic pattern
using Claude Agent SDK's native subagent support (AgentDefinition + Task tool)
deployed on Bedrock AgentCore Runtime.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add Claude Agent SDK hooks pattern for tool governance and audit

Add new example demonstrating PreToolUse and PostToolUse hooks for
blocking dangerous operations and audit logging. README covers
defense-in-depth story with AgentCore Policy for external tools.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: add contributor name

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* fix: upgrade to Sonnet 4.6 and fix cognito-user.py commands (#1027)

* fix: use uv run instead of python in cognito-user.py

The project uses uv for dependency management, so the script
should reference uv run consistently in its docstring and
user-facing output.

* feat: upgrade to Claude Sonnet 4.6 and improve deploy model check

- Update model ID from Sonnet 4.5 to Sonnet 4.6 global inference profile
- Replace passive model lifecycle check with actual invoke-model test in deploy.sh
- Show both possible failure reasons: Anthropic FTU form and IAM permissions

* fix: harden deploy.sh model check for edge cases

- Add timeout (10s) to prevent hanging on network issues
- Add cli-connect-timeout and cli-read-timeout for AWS CLI
- Chain mktemp into the if-condition to handle failures gracefully
- Clarify that the check tests deployer credentials, not the agent's
  execution role — a failure here may not affect the deployed agent
- Safe cleanup of temp file in all code paths

* fix: remove timeout command for macOS compatibility

timeout is a GNU coreutils command not available on macOS by default.
The AWS CLI's --cli-connect-timeout and --cli-read-timeout flags
provide sufficient timeout protection.

* docs: restructure prerequisites for clarity

- Move Clone the Repository to first step with git install instructions
- Separate auto-installed tools (CDK, AgentCore CLI) from manual prereqs
- Move IAM policies to a note after verify credentials
- Move aws login version requirement to AWS Credentials section
- Move deploy.sh tip to after tools table

* docs: add guidance on changing the model ID

* docs: remove redundant API form note

---------

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* docs: improve prerequisites clarity and deploy.sh error messages (#1029)

* docs: improve prerequisites clarity and deploy.sh error messages

- Restructure Clone the Repository into numbered steps
- Clarify Node.js install: install nvm first, then run command
- Improve deploy.sh node error message with nvm install link
- Remove auto-installed tools section (CDK, AgentCore CLI)
- Specify Sonnet 4.6 in model access steps
- Simplify tools table and credentials section

* docs: revert to Sonnet 4.5 default, add alternative model table

- Revert default model to Claude Sonnet 4.5 in load.py and deploy.sh
- Add alternative models table (Haiku 4.5, Sonnet 4.6) to README
- Update all Sonnet 4.6 references back to 4.5

* docs: soften git install wording

---------

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* updated notebook to reflect header propagation feature instead of interceptor (#971)

* updated notebook to reflect header propagation feature instead of interceptor

* Add README.md documentation

* docs: add Transaction Search prerequisite to observability section (#1031)

The observability section implied traces work out of the box, but
CloudWatch Transaction Search must be enabled first for span ingestion.
Add the one-time setup step before the trace inspection instructions.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* feat(02-usecase): A2A Agent usecase (#1025)

* Add A2A Real Estate Multi-Agent Use Case

This contribution adds a complete A2A (Agent-to-Agent) real estate multi-agent system demonstrating:

- Multi-agent coordination using A2A protocol with OAuth authentication
- Property Search Agent (Strands-based) for searching properties
- Property Booking Agent (Strands-based) for managing bookings
- Coordinator Agent that orchestrates sub-agents via A2A protocol
- Automated Cognito setup for OAuth 2.0 authentication
- React-based UI with direct AgentCore integration
- Comprehensive deployment automation scripts
- End-to-end testing utilities

Key Features:
- OAuth bearer token management with Cognito
- Request header allowlist configuration for Authorization
- Automated agent deployment with agentcore CLI
- Token generation and refresh utilities
- Real-time chat interface for property search and booking

Architecture:
- Coordinator generates OAuth tokens from Cognito to call sub-agents
- Sub-agents validate tokens independently
- All agents deployed on Amazon Bedrock AgentCore Runtime
- UI connects directly to coordinator via A2A protocol

Documentation includes:
- Deployment guide with step-by-step instructions
- Project structure overview
- Demo instructions
- Quickstart guide
- Contributing guidelines

* Security improvements and bug fixes

- Added comprehensive .gitignore for sensitive files and scan results
- Fixed security issues from GitHub Advanced Security scan
- Implemented short-term memory (STM_ONLY) for conversation context
- Fixed session ID bug in UI for persistent conversations
- Removed unused fix_iam_permissions.py with hardcoded ARNs
- Deleted sensitive files (bearer_token.json, cognito_config.json)
- Updated welcome message to 'Amazon Bedrock AgentCore'
- Fixed ESLint warnings in directApi.ts
- Improved security in deployment and server scripts
- All security scan findings addressed or documented as false positives

* Update documentation to sample application

* review comment fixes, cleanup unused files, update documentation

* Delete unused test_a2a_simple.py

* Fix ruff lint errors

* Remove clear-text logging of env vars and working directory

* ASH fixes

* Fix TypeScript hast type error from npm overrides

* Replace ASCII architecture diagram with architecture.png

* Migrate UI from CRA to Vite, redesign with light theme

---------

Co-authored-by: ramprasaths <rampsee@amazon.com>

* Added Tagging and CMK examples for PolicyEngine (#1039)

* Updated to include CMK and Tags

* Fixed issues

* Added required packages

* Added and fully tested ability to add tags and CMK to PolicyEngine

---------

Co-authored-by: Andy Hall <hllaah@amazon.com>

* fix(02-usecases): memory role and dependency changes (#1040)

* A2a (#1041)

* code changes

* changes

* fix(02-usecases): monitor agent fix (#1042)

* code changes

* changes

* error

* Fixing cdk stack with missing cdk lib folder and interceptor's lambda (#1036)

* added full example of enterprise mcp platform with policy engine mcp server filtering based on user_tag, guardrail for PII data

* fixed linting

* fixed linting

* fixing lint

* fixing lint

* fixing ruff

* FIXING RUFF

* fixing ruff

* fixed stack
added missing lib files

* fixing ruff

* fixing ruff

---------

Co-authored-by: brnaba-aws <brnaba@amazon.com>

* Bump starter toolkit to 0.3.2 in customer support agent (#1048)

* Bump starter toolkit to 0.3.2 in customer support agent blueprint

Picks up improved error messages for auth failures during agent
invocation (friendly re-login guidance instead of raw tracebacks).

* Update uv.lock after uv sync with starter toolkit 0.3.2

---------

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* feat: Add AgentCore Gateway with EntraID 3LO authentication example (#1044)

* feat: Add AgentCore Gateway with EntraID 3LO authentication example

CDK-based example demonstrating AgentCore MCP Gateway with:
- EntraID inbound JWT authentication (CIAM and standard tenants)
- Outbound 3LO (three-legged OAuth) for user-delegated API access
- Browser-based auth onboarding SPA for pre-authorizing access
- Response interceptor for VS Code MCP client compatibility
- Automated setup script for EntraID app registrations + AWS deployment

* fix: Address security scanner findings from PR #1044

- Fix ruff F541: remove extraneous f-prefix from strings without placeholders
- Fix bandit B310 / semgrep dynamic-urllib: validate URL scheme is https://
  before calling urlopen, add nosec comments for audited calls
- Fix detect-secrets: add pragma allowlist comments for false positives on
  password generation and secret extraction (no actual secrets in code)
- Fix checkov CKV_OPENAPI_4: add global security field to OpenAPI spec

---------

Co-authored-by: Robert Hoffmann <rho@amazon.de>

* Async agent tutorial (#1009)

* adding async example

* uploading to s3 properly

* fixed chart formatting

* adding Dockerfile to gitignore and cleaning up ECR delete

* adding name to contributors list

* addressing git comments

* addressing comments

* moving files to folder

---------

Signed-off-by: Nadhya Polanco <65464569+nadhya-p@users.noreply.github.com>
Co-authored-by: nadhyap <nadhyap@amazon.com>

* fix(02-usecases): The MCP server must bind to 0.0.0.0 to allow the gateway to connect (#1022)

The MCP server must bind to 0.0.0.0 to allow the gateway to connect

Signed-off-by: Joachim Aumann <aumannjoachim@gmail.com>

* fix(02-usecases): Update FastMCP host address to 0.0.0.0 (#1024)

* Update FastMCP host address to 0.0.0.0

Change the host address for FastMCP from 127.0.0.1 to 0.0.0.0 to allow external connections.

Signed-off-by: Joachim Aumann <aumannjoachim@gmail.com>

* fixed deployment bug of hello world container

---------

Signed-off-by: Joachim Aumann <aumannjoachim@gmail.com>

* fix(05-blueprints): Pin chardet < 6.0.0 in customer support agent (#1051)

chardet 6.x introduced breaking changes. Pin to >= 3.0.2, < 6.0.0
to ensure compatibility. Also adds missing src/__init__.py.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* Multitenant platform demo (#859)

* Multitenant platform demo

* linting fixes

* fix(multitenant-agentic-platform): Improve security and configuration flexibility

- Fix typo in README ("cusotm" → "custom")
- Replace hardcoded AWS region with environment variable support in main.py
- Refactor calculator tool to use AST-based safe evaluation instead of regex validation
- Add support for unary operators and improve operator/function/constant whitelisting
- Update database-query tool to use environment variables for RDS configuration
- Add AWS_REGION environment variable support to email-sender tool
- Update deploy.sh with improved deployment configuration handling
- Enhance frontend index.html with better error handling and user feedback
- Improves security posture by eliminating eval() usage and hardcoded credentials
- Enables flexible multi-region deployments through environment configuration

* fix(multitenant-agentic-platform): Remove redundant agent runtime ID validation

- Remove unnecessary validation check for agent_runtime_id in delete_agent handler
- Simplify error handling flow by eliminating duplicate validation logic
- Agent runtime ID is already validated in prior steps, making this check redundant

* docs(multitenant-agentic-platform): Add security considerations and warnings

- Add comprehensive Security Considerations section to README documenting API key exposure risks
- Document suitable use cases (demos, development, internal tools) and production recommendations
- Add security warnings to config_injector Lambda handler with alternative authentication approaches
- Update deployment documentation with security notes about client-side API key embedding
- Pass account_id and region parameters to DatabaseConstruct and MessagingConstruct for improved configuration
- Add security reminders in frontend development section referencing production deployment guidance
- Clarify that current implementation is suitable for demos and internal use only, not production

* fix(multitenant-agentic-platform): Add API key headers to frontend requests and improve security documentation

- Add 'x-api-key' header to all axios requests in frontend (delete, post, get operations)
- Update README security note to emphasize not embedding long-lived credentials in public files
- Recommend authenticated callers (Cognito/IAM/JWT) or backend proxy/BFF for production
- Clarify config.js generation to exclude API Gateway keys from public configuration
- Fix deploy.sh region comment from us-west-2 to us-east-1
- Remove emoji from deploy.sh output for better compatibility
- Refactor query parameter and body parsing in async_deploy_agent handler for clarity
- Add environment variable definitions for DynamoDB table names in build_deploy_agent handler
- Ensure consistent API authentication across all frontend API calls for improved security

* docs(multitenant-agentic-platform): Remove security limitations section from README

- Remove detailed API key exposure warnings and limitations documentation
- Remove suitable use cases section for demonstration deployments
- Remove production recommendations for authentication mechanisms
- Simplify README by consolidating security guidance into main documentation

* fix(multitenant-agentic-platform): Enforce required environment variables and optimize DynamoDB queries

- Replace optional environment variable defaults with required configuration in build_deploy_agent handler
- Add validation to fail fast if AGENT_CONFIG_TABLE_NAME or AGENT_DETAILS_TABLE_NAME are not set
- Add AGGREGATION_TABLE_NAME validation in infrastructure_costs handler with clear error messaging
- Optimize DynamoDB scan operations to use server-side FilterExpression instead of client-side filtering
- Add ProjectionExpression to reduce data transfer and improve query performance in token_usage handler
- Use ExpressionAttributeNames to handle reserved words (timestamp) in DynamoDB queries
- Improve configuration reliability by ensuring all Lambda functions have required environment variables set before execution

* fix(multitenant-agentic-platform): Remove unused import from token usage handler

- Remove unused boto3.dynamodb.conditions Attr import
- Simplify handler.py by eliminating unnecessary dependency
- Reduce code clutter and improve maintainability

* fix(multitenant-agentic-platform): Update agent template naming and enhance token limit validation

- Rename base-agent.py to main.py in agent-tools-repo templates for consistency
- Update documentation references to reflect new template filename
- Add Attr import from boto3.dynamodb.conditions for improved query filtering
- Enhance check_token_limit function with configurable fail-closed behavior via FAIL_CLOSED environment variable
- Add get_tenant_id_from_agent function to look up tenant ID from agent details table, preventing token limit bypass
- Improve error handling in token limit checks with detailed logging for fail-closed vs fail-open modes
- Add documentation notes explaining fail-open default behavior and fail-closed option

* Update guardrails memory sample notebook (#995)

* feat: Update guardrails memory sample notebook

* chore: Clear execution counts and outputs from notebook

* sample update(memory): Simplify memory integration using AgentCoreMemorySessionManager

Replace custom MemoryHookProvider implementation with built-in
AgentCoreMemorySessionManager. Key changes:
- Use AgentCoreMemoryConfig with AgentCoreMemorySessionManager
- Remove custom hook implementation (on_agent_initialized, on_message_added)
- Update documentation based on model usage in code from Claude 3.7 Sonnet to Claude Haiku 4.5
- Simplify session handling with automatic reinitialization
- Update documentation to reflect recommended approach

* fix(notebook): Configure memory mode and inject memory_id to prevent runtime failures

configure() defaults to memory_mode="NO_MEMORY", so the auto-created
execution role has no memory IAM permissions — causing ListMemoryEvents
failures at runtime. Additionally, the toolkit doesn't know about the
manually-created memory resource, so it provisions a duplicate on launch.

Fix: Set memory_mode="STM_ONLY" in configure() and inject the existing
memory_id into .bedrock_agentcore.yaml before launch(). Both issues only
exist because the tutorial manually creates resources that the toolkit
normally manages end-to-end.

* cleaned execution count

* Cleared cell outputs

---------

Co-authored-by: subhakl <subhakl@amazon.com>

* Correct role and content retrieval in message processing (#499)

Signed-off-by: fllaneza <44783676+fllaneza@users.noreply.github.com>

* Add Episodic Memory Strategy Tutorial (#855)

* feat: add episodic memory tutorial README

* feat: add code debugging assistant implementation

* feat: add architecture diagram

* docs: add episodic strategy to overview

* docs: add contributor

* fix: update episodic memory API for reflectionConfiguration

- Change reflectionNamespaces to reflectionConfiguration.namespaces
  (API structure changed in bedrock-agentcore SDK)
- Fix namespace validation: reflection namespace must be same as
  or prefix of episodic namespace
- Update get_namespaces() to read from new nested structure
- Add code-assistant.py standalone script version

* fix: move imports to top of file for linting compliance

- Consolidate all imports at module top (E402 fix)
- Remove unused List import from typing (F401 fix)
- Maintain alphabetical ordering of imports

* style: apply ruff formatting

* feat: Replace debugging use case with Meeting Notes Assistant

Changes based on reviewer feedback that debugging examples already exist
in the repository (debugging-agent and healthcare-assistant).

New implementation:
- Meeting Notes Assistant with episodic memory
- Tools: capture_action_item, identify_decision, summarize_discussion, track_followup
- Tracks decisions, action items, and participant preferences across meetings
- 6 test scenarios demonstrating meeting management patterns
- End-to-end tested with AWS Bedrock (all tools working)
- Security audit passed, linting verified

Files changed:
- Renamed: code-assistant.py → meeting-notes-assistant.py
- Renamed: code-assistant.ipynb → meeting-notes-assistant.ipynb
- Updated: README.md with meeting-specific documentation

This use case is unique and not duplicated in existing samples.

Addresses feedback from @akshseh in PR comment.

* refactor: move episodic tutorial to long-term-memory/strands-hooks folder

Address reviewer feedback:
- Move from 06-episodic-strategy/ to 02-long-term-memory/01-single-agent/using-strands-agent-hooks/meeting-notes-assistant-using-episodic/
- Update architecture diagram to match repo template style
- Update parent README table reference

* fix: update architecture diagram

* fix: address reviewer feedback from @akshseh

- Remove .gitignore (*.pptx entry not needed)
- Pin versions in requirements.txt (bedrock-agentcore>1.4, strands-agents>=0.1.0, boto3>=1.42.1)
- Convert cell_0 from code cell with docstring to markdown cell
- Add blank line after H2 heading in cell_5 to fix bullet formatting
- Fix event_expiry_days comment: clarify it is STM TTL, not for long-term episodic strategy
- Add reflection extraction timing note (~10-15 mins) in seed cell
- Format meeting-notes-assistant.py with black

* Update AgentCore Memory tutorials with new SDK patterns (#1003)

* feat(memory-tutorials): Enhance AgentCore Memory tutorials with SDK migration and advanced features

- Migrate from MemoryClient to MemorySessionManager and MemorySession
- Update from tuple-based messages to ConversationalMessage objects
- Add session-based operations eliminating repetitive parameters
- Implement conversation branching with fork_conversation()
- Add metadata tracking with StringValue and EventMetadataFilter
- Update all three notebooks: math-assistant, customer-support, customer-support-memory-manager
- Add comprehensive ENHANCEMENT_SUMMARY.md documenting all changes

This update showcases the full capabilities of AgentCore Memory including:
- Session management with MemorySessionManager
- Memory hooks for automatic storage/retrieval
- Conversation branching for alternative paths
- Metadata tagging for analytics and filtering
- Practical use cases for math tutoring and customer support

All notebooks tested and validated with syntax checks and feature verification.

* docs: Add arunskum to CONTRIBUTORS.md

* docs: Remove ENHANCEMENT_SUMMARY.md file

* feat(memory): Update AgentCore Memory tutorials with latest SDK patterns

- Migrate from MemoryClient to MemorySessionManager and MemorySession
- Replace tuple-based messages with ConversationalMessage objects
- Implement session-based operations (add_turns, search_long_term_memories)
- Add conversation branching with fork_conversation and list_branches
- Add metadata tracking with StringValue and EventMetadataFilter
- Update all three notebooks: math-assistant, customer-support, customer-support-memory-manager
- Fix imports: StringValue and EventMetadataFilter now from bedrock_agentcore.memory.models

These changes showcase the enhanced AgentCore Memory capabilities including:
- Session-based memory management for cleaner API
- Advanced retrieval with RetrievalConfig
- Conversation branching for alternative paths
- Metadata tagging and filtering for event tracking

* refactor(memory): Split customer support tutorial into built-in vs custom strategies

Deleted legacy MemoryClient notebook, renamed memory-manager to override-strategy, created new inbuilt-strategy notebook, added comparison sections to both

* fix(memory): Correct StringValue and Event attribute usage in notebooks

Fixed 3 issues identified by reviewer:

1. Changed StringValue() to StringValue.build() (30 occurrences)
   - Correct usage: StringValue.build('value')
   - Fixed in all metadata creation sections

2. Changed .event_id to .eventId (3 occurrences)
   - Correct attribute: event.eventId
   - Fixed in all branching sections

3. Validated changes with syntactic tests

Changes span 3 notebooks:
- customer-support-inbuilt-strategy.ipynb
- customer-support-override-strategy.ipynb
- math-assistant.ipynb

All fixes follow the pattern demonstrated in reviewer's successful test output.

* fix: Fix metadata_filter bug, migrate math-assistant to MemoryManager, remove test scripts

- Fix list_events() calls to use eventMetadata parameter instead of
  invalid metadata_filter in all 3 notebooks
- Migrate math-assistant from legacy MemoryClient to MemoryManager
- Switch math-assistant from CustomSemanticStrategy to built-in
  SemanticStrategy (no IAM execution role required)
- Remove CUSTOM_PROMPT cell and ROLE_ARN placeholder from math-assistant
- Remove test scripts, migration scripts, and cleanup utilities

* fix: Update config and runtime MCP agent code for SRE workshop lab 04 (#1055)

* Update config and runtime MCP agent code for SRE workshop lab 04

* Fix ruff lint errors: remove unused imports and f-string prefixes

---------

Co-authored-by: name <alias@amazon.com>

* Feat/databricks per user delegation (#1058)

* feat: Agent & Gateway Registry blueprint

A platform for managing AI agents and MCP tools across an organization.

- Registry: CRUD for agents (A2A, MCP, Agent-as-Tool protocols)
- Gateway management: overview, tools, clients & access, Cedar policies
- Tool composition via Cedar permit-only policies
- Agent discovery API for agent-to-agent communication
- Multi-IdP support (Cognito/EntraID auto-detected)
- AgentCore Identity for agent workload auth
- One-click deploy: CloudFormation + App Runner + DynamoDB

* feat: Databricks per-user delegation via Gateway interceptor + RFC 8693

* feat(memory): add memory streaming tutorial (#1064)

* Add ECS Fargate 3LO tutorial (#1005)

* Add ECS Fargate 3LO tutorial

Fixes #<issue-number>

Co-authored-by: tnickl <tnickl@users.noreply.github.com>
Co-authored-by: satveerkhurpa <satveerkhurpa@users.noreply.github.com>

* fix: scanning results

* feat: WAF integration
Co-authored-by: tnickl <tnickl@users.noreply.github.com>

* docs: inbound & outbound auth
Co-authored-by: tnickl <tnickl@users.noreply.github.com>

---------

Co-authored-by: tnickl <tnickl@users.noreply.github.com>
Co-authored-by: satveerkhurpa <satveerkhurpa@users.noreply.github.com>

* Add async data analysis agent tutorial (#1059)

- Move async data analysis files to 02_async_data_analysis subfolder
- Fix semgrep issue: add __name__ guard to app.run()
- Add contributors from original PR #857

Co-authored-by: Gan Luan <ganluannj@users.noreply.github.com>

* feat: add Auth0 multi-agent RFC 8693 token exchange sample (#1071)

Adds a production-grade reference implementation demonstrating RFC 8693
Token Exchange in a multi-agent system on AWS Bedrock AgentCore Runtime.

The coordinator agent exchanges the user's Auth0 JWT for attenuated,
least-privilege tokens before invoking each sub-agent — implementing
scope attenuation across a 3-agent financial services system.

Key features:
- OAuth 2.0 PKCE login flow via Auth0
- RFC 8693 Token Exchange with per-agent scope policies
- 3 agents: coordinator, customer_profile, accounts
- Streamlit web UI with JWT viewer and API call log
- AWS Secrets Manager integration
- OpenTelemetry observability
- Shell script and CDK deployment options
- Unit test suite

* Add AgentCore Policy integration for healthcare appointment agent (#1028)

* Updated reference code to match Policy for AgentCore blog sample

* fix: address scan findings, lint, and security improvements

Scan findings (HIGH):
- README.md: Add Introduction, Prerequisites, Cost Warning, Conclusion,
  Complete Cleanup sections; fix multi-action step; use full AWS service names
- setup_cognito_claims.py: Use full AWS service names; remove possessive form
- setup_policy.py: Fix incorrect docstring hours (8-17 → 9 AM-9 PM UTC)
- test_policy.py: Replace forbidden term 'execute' with 'run'
- patient.json: Rename 'Richard Doe' to approved fictitious name 'Jane Doe'

Security:
- Use HTTP Basic Auth for OAuth token requests (RFC 6749)
- Implement AWS Secrets Manager for client secret retrieval with
  auto-caching fallback to Amazon Cognito API
- Validate subprocess script path before execution

Code quality:
- Remove fragile DENIAL_PHRASES list; use deterministic tool visibility
  checks and gateway policy denial detection instead
- Fix all ruff check errors (F401, F541, F841)
- Apply ruff format to all changed Python files
- Updated test_output.txt with clean end-to-end run

---------

Co-authored-by: Anil Nadiminti <anilnadi@amazon.com>

* Usecase/lakehouse agent enhance (#1006)

* temp

* Token exchange

* README.md

* Adding column-level access control

* Fixed S3 bucket creation outside us-east-1

* After dry-run testing

* Cleanup

* Rollback unnecessary change

* Rollback unnecessary change

* Rollback unnecessary change

* Added Architecture diagram and tested / fixed notebooks 01-03

* Fix aws path and invalid notebook for 06

* Securing the code

* Fixed the error - Error executing secure Athena query: Query failed: COLUMN_NOT_FOUND: Column 'adjuster_user_id' cannot be resolved or requester is not authorized

* Added scenarios, updated README and enhanced Architecture diagram to show latest changes

* Clarify deletion of Dynamodb table in the cleanup step

* Updated readme with scenario screenshots, added masking for PII for adjuster with wildcard exclude list

* Completed end to end testing for all scenarios

* Updated README and added Dockerfile to gitignore

* Updated README to remove Production Ready clause

* Fixed Pylint issues - f-string with no placeholders and empty except

---------

Co-authored-by: Gi Kim <giryoong@amazon.com>
Co-authored-by: Sunita Koppar <skoppar@amazon.com>

* fix(02-usecases): delete site reliability workshop (#1081)

* fix(tutorials): Fix missing imports, update_agent_runtime params, and asyncio.run in notebooks (#1086)

- Fix UpdateAgentRuntime calls to include required params (agentRuntimeArtifact,
  roleArn, networkConfiguration) using get_agent_runtime read-modify-write pattern
- Fix wrong entrypoint filenames in lifecycle demo cells (langgraph, openai, crewai)
- Fix wrong requirements_file path in crewai lifecycle demo cell
- Add missing imports (Session, os, Runtime, json, Markdown) in notebook cells
- Replace asyncio.run() with await in notebook cells (Jupyter compatibility)
- Add missing setup_cognito_user_pool import in hosting_mcp_server notebook
- Add ResourceNotFoundException comment in cleanup cells
- Add Test-Downloads/ to .gitignore

* chore: remove agent-gateway-registry blueprint (#1092)

* Add WebRTC voice agent sample with KVS TURN servers (#1096)

Minimal example demonstrating WebRTC audio streaming with AWS Nova Sonic
via KVS TURN servers, deployable to AgentCore Runtime.

- FastAPI agent with aiortc for WebRTC peer connections
- Nova Sonic bidirectional streaming for speech-to-speech
- Browser client supporting both local and AgentCore Runtime modes
- KVS signaling channel for TURN/STUN server credentials
- Audio resampling (16kHz input, 24kHz output) via PyAV

* Consolidating IDP examples under tutorials for better organization (#1112)

* Fix wording typo in notebook about user consent flow

cosmetic update

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Add pyyaml to requirements.txt

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Add HardikThakkar94 to CONTRIBUTORS.md

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Updates to fix the Streamlit app access when running in sagemaker

Modified
- Requirements.txt (added dependencies)
- chatbot_app_cognito.py (added get_streamlit_url, for sagemaker access)
- runtime_with_strands_and_egress_3lo.ipynb (streamlit piece for access url, cosmetic updates)

* Fixing Ruff errors reported by python-lint

* removing Ruff errors from python-lint

* passing 3.7 as the model for workshop

* Docs: add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook

* Revert "Docs: add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook"

This reverts commit 5dded4c38a.

* Add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook

* cosmetic fix

* Updating OpenAI URL

* Added instructions on the OAuth flow session binding and Streamlit functionality

* All imports are now properly organized at the top of the file, following Python best practices (PEP 8). The linting errors should now be resolved:
  -  runtime.py:18:1: E402 - Fixed
  -  runtime.py:19:1: E402 - Fixed
  -  runtime.py:19:20: F811 - Fixed
  -  runtime.py:25:1: E402 - Fixed

* formatting fixed

* Update Identity Outbound tutorial notebooks with corrections and improvements:
1. 05-Outbound_Auth_3lo notebook: Fixed credential provider name typo
2. 06-Outbound_Auth_Github notebook: Multiple improvements including:
    - Updated description text for GitHub-specific use case
    - Reorganized imports (moved to top of cell)
    - Added boto session and region setup
    - Reordered OAuth flow description
    - Restructured notebook sections (removed redundant policy section, added clearer status check and invoke sections)
    - Fixed credential provider name reference

* Fixed Identity Sections based on SageMaker (Workshop) to handle oauth2_callback_server and other cosmetic updates.

* Remove unused import and added permissions for 1st time model access for workshops

* formatting fixed.

* parameterize provider, update github image.

* added import boto3 and updated image for GitHub Session Binding

* Update Model and Remove Global Var

* Travel and Shopping concierge agents blueprints

* add missing contributors for the blueprint

* fix python-lint errors

* CodeQL fixes and config

* fix python-lint unused imports

* fix python-lint

* fix linter and cql issues

* run linter

* update codeql suppressions

* suppress codeql

* Revert accidental changes to 01-tutorials and 03-integrations

Remove files accidentally added to 01-tutorials and 03-integrations in previous commits.
These changes were not intended to be part of the blueprint additions.

Reverted files:
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/.dockerignore
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/Dockerfile
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/github_agent.py
- 03-integrations/IDP-examples/EntraID/.agentcore.json
- 03-integrations/IDP-examples/EntraID/.dockerignore
- 03-integrations/IDP-examples/EntraID/Dockerfile
- 03-integrations/IDP-examples/EntraID/strands_entraid_onenote.py

* fix formatting

* Update 05-blueprints/shopping-concierge-agent/tests/utils.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* removed tests folders.

* remove info logging

* remove logging

* codeql suppressions

* Update server.py

# codeql[py/clear-text-logging-sensitive-data] Debug logging for certificate verification - logs metadata only, not private key content

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Updating .gitignore and adding lib folder required for the shopping and travel concierge agents

* Add Demo video for agents

* Update demo section in README.md

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Add Demos as Gif, update LFS and add note in ReadMe

* remove the .mp4 files as they are not supported

* change to google products and remove travel specific

* update product link

* fix url in shopping list and purchases

* remove amazon

* Add Visa B2B Use Case

* fix pylint

* CodeQL Fixes

* Consolidating IDP examples under tutorials for better organization

---------

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
Co-authored-by: HT <hardikvt@amazon.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* adding/changing mcp samples - server and client (#1089)

* adding/changing mcp samples - server and client

* adding/changing mcp samples - server and client

* adding exec command

* chore(e2e-workshop): refactor workshop to add framework subfolders (#1120)

* chore(e2e-workshop): refactor workshop

* docs: update readme

* fix(05-entraid-3lo-gateway): rename lib/ to infra/ to avoid root .gitignore exclusion (#1057)

The root .gitignore has a blanket `lib/` rule for Python packaging that
was preventing lib/cdk-stack.ts from being tracked by git. Renamed the
directory to infra/ which is not caught by any ignore rule.

Also fixes README.md references from `cd cdk-entraid` to the actual
directory name `05-entraid-3lo-gateway`.

Changes:
- Rename lib/ -> infra/ for the CDK stack source
- Update import path in bin/cdk.ts
- Fix cd path in README.md Quick Start instructions

Co-authored-by: Robert Hoffmann <rho@amazon.de>

* Add barge-in support, user transcription, and VPC setup docs (#1117)

- Implement barge-in per Nova Sonic spec (mute flag + FIFO clear in OutputTrack)
- Detect interruption from textOutput for reliable barge-in in deployed environments
- Add user speech transcription via contentStart role tracking
- Add VPC setup console instructions to README

* fix(05-entraid-3lo-gateway): remove securitySchemes from OpenAPI spec to fix CDK deploy (#1137)

* fix(05-entraid-3lo-gateway): rename lib/ to infra/ to avoid root .gitignore exclusion

The root .gitignore has a blanket `lib/` rule for Python packaging that
was preventing lib/cdk-stack.ts from being tracked by git. Renamed the
directory to infra/ which is not caught by any ignore rule.

Also fixes README.md references from `cd cdk-entraid` to the actual
directory name `05-entraid-3lo-gateway`.

Changes:
- Rename lib/ -> infra/ for the CDK stack source
- Update import path in bin/cdk.ts
- Fix cd path in README.md Quick Start instructions

* fix(05-entraid-3lo-gateway): remove securitySchemes from OpenAPI spec to fix CDK deploy

---------

Co-authored-by: Robert Hoffmann <rho@amazon.de>

* docs(01-tutorials): update readmes (#1121)

* docs(01-tutorials): update readmes

* docs: update readmes

* docs: update readme links & resources

* feat(memory): Add AgentCore Memory cross-region replication tutorial (#1138)

* Add AgentCore Memory cross-region replication tutorial

Add tutorial 06-memory-cross-region-replication under advanced patterns.
Demonstrates active-passive cross-region replication for AgentCore Memory
using the memory record streaming feature with near real-time failover.

Includes:
- Jupyter notebook with step-by-step walkthrough
- CloudFormation templates for regional and global infrastructure
- Lambda consumer for Kinesis-based replication
- Failover/failback toggle scripts
- Loop prevention via namespace prefixing

* Address PR review: add arch diagram, fix memory ID lookup

- Replace ASCII architecture diagram with proper AWS diagram (images/architecture.png)
- Fix notebook Step 2: memory IDs are now stored in DynamoDB config table by
  deploy.sh and read back by the notebook, replacing the broken list_memories
  scan that searched for 'replication_memory' in the opaque memory ID
- deploy.sh Step 6 now seeds MEMORY_ID_PRIMARY and MEMORY_ID_SECONDARY
  alongside ACTIVE_REGION

Note: AgentCore Memory is intentionally created via CLI in deploy.sh (not CFN)
because the streaming config is toggled at runtime during failover/failback —
CFN would drift-correct it back.

* Rename folder, fix ruff formatting on handler.py

* fix(e2e-workshop): fix gateway race condition and model_id typo in lab-03 (#1146)

- Add time.sleep(3) after gateway creation in Step 5 to prevent Step 6
  from failing with CREATING status when cells run in quick succession
- Remove extra trailing quote from model_id that caused SyntaxError

Fixes #1145

* fix(e2e-workshop): make zip install portable and conditional in prereq.sh (#1144)

Replace hardcoded `sudo apt install zip` with cross-platform detection:
- Check if zip is already installed before attempting install
- Detect package manager (apt-get, yum, dnf, brew)
- Use sudo only when not running as root
- Fail with clear message if no supported package manager is found

Closes #604

* chore: fix iam policy path (#1153)

* docs(01-tutorials): update readmes

* docs: update readmes

* docs: update readme links & resources

* fix: fix the IAM policy path

* fix(05-entraid-3lo-gateway): fix OpenAPI schema security validation for CDK deploy (#1141)

Co-authored-by: Robert Hoffmann <rho@amazon.de>

* feat: sample that shows how to deploy agentcore runtime in VPC (#683)

* feat(runtime_in_vpc): initial

* fix: moved to advanced concepts

* AgentCore runtime bidi agent sample update - refined folder structure and more samples (#1160)

* agentcore runtime bidi streaming add strands sample

* agentcore runtime bidistream sample update for Nova Sonic 2

* agentcore bidi streaming sonic 2 update cleanup python file

* update IMDS comments

* reformat the python file using ruff

* sonic sample update to use default port 8080

* agentcore runtime bidi streaming update to sonic2 with text input update

* remove unused reference

* remove spaces

* update agentcore bid streaming UIs to include text input, event filter and barge-in

* agentcore voice agent sample with more samples and refined folder structure

* update diagram

* update reference links

* resolve github warnings

* remove temp json

* resolve github warnings

* resolve github warnings

* resolve github warnings

* resolve github warnings

---------

Signed-off-by: Lana Zhang <lanaz@amazon.com>

* Spring ai agentcore samples (#1119)

Added sample Spring and Embabel based agents

* fix:add missing agents/ directory and requirements.txt (#1165)

* adding managed session storage (#1169)

* adding managed session storage

* adding managed session storage/ fix lint

* Adding End-to-End Customer Support Agent with AgentCore using Google ADK (#1164)

* feat(e2e): Add Google ADK end-to-end tutorial with AgentCore

Add 6-lab workshop covering agent creation, memory, gateway,
runtime deployment, frontend, and cleanup using Google ADK
with Amazon Bedrock AgentCore services.

* docs(e2e): Update Google ADK README and remove duplicate

Replace placeholder README with full tutorial content and remove
the 'README copy.md' duplicate file.

* docs(e2e): Add Google ADK to README title

* style(e2e): Capitalize README title consistently

* docs: Add Diego Brasil to CONTRIBUTORS

* chore(e2e): Remove images-og_do_not_commit directory

Remove original source images that were not intended for version control.

* fix: Use importlib for dynamic import and clean up linting issues

* feat(e2e): Set Cognito MFA to OPTIONAL and clean up inline comment

---------

Signed-off-by: Akarsha Sehwag <akshseh@amazon.de>
Co-authored-by: Akarsha Sehwag <akshseh@amazon.de>

* feat(runtime): Add AG-UI examples with SSE and WebSocket demos (#1139)

* feat(runtime): Add AG-UI examples with SSE and WebSocket demos

Add tutorial 09-ag-ui-examples demonstrating the AG-UI protocol on
AgentCore Runtime with both Cognito/JWT and IAM/SigV4 authentication.

Includes:
- Document co-authoring agent (FastAPI + Strands + ag-ui-strands)
- Cognito notebook with SSE and WebSocket Bearer token demos
- IAM notebook with SSE (SigV4 headers) and WebSocket (pre-signed URL) demos
- Multi-turn interactive document co-authoring demo
- Architecture diagrams for both auth flows and transports
- README with AG-UI event reference and troubleshooting

* feat(runtime): Add AG-UI protocol examples as tutorial 10

- Rename 09-ag-ui-examples to 10-ag-ui-examples (09 slot taken by execute-command)
- Remove hardcoded region_name=us-west-2 from BedrockModel, inherit from env
- Use DP variable for both SSE_URL and WS_URL consistently
- Regenerate architecture diagrams: single agent with tool boxes, proper auth flow
- Improved event flow as full flowchart with color-coded event categories

* fix(runtime): Fix diagram edge labels overlapping with lines

Use ortho splines and increased node spacing to prevent edges
cutting through label text in architecture diagrams.

* fix(runtime): Remove duplicate task label on Tool 2 edge to prevent overlap

* fix(runtime): Place single 'tasks' label between tool boxes in diagrams

* fix(runtime): Suppress bandit B104 for container bind to 0.0.0.0

* feat(runtime): Switch to direct_code_deploy, remove Docker/ECR dependency

- Use deployment_type=direct_code_deploy with runtime_type=PYTHON_3_13
- Remove auto_create_ecr from configure()
- Remove ECR cleanup from both notebooks
- Remove Docker from prerequisites

* refactor(runtime): Switch to direct_code_deploy, trim requirements, remove review cell

- Use direct_code_deploy with PYTHON_3_13 runtime type
- Trim requirements.txt to 5 essential packages
- Remove Review Agent Code section from both notebooks
- Install zip via sudo apt-get for SageMaker Studio compatibility
- Renumber notebook sections

* chore(runtime): Rename AG-UI examples from 10 to 11

* fix(ag-ui): Address PR #1139 review comments

- Simplify status check block to single status query
- Add markdown cell explaining utils.py helper (cognito notebook)
- Remove authorizer print line from verify cells

* docs: add migration guide from Starter Toolkit to AgentCore CLI (#1195)

* feat(tutorials): #1128 Add Strands agent with AgentSkills plugin tutorial (#1131)

* feat(tutorials): Add Strands agent with AgentSkills plugin tutorial

* docs(contributors): Update contributors list

* lint fix

* docs(tutorials): Add architecture diagram to Strands agent skills tutorial

* chore(tutorials): Reorganize strands-with-skills tutorial to 06-strands-with-skills

---------

Signed-off-by: Rajesh Sitaraman <rajesh.sitaraman@outlook.com>
Co-authored-by: Rajesh Sitaraman <rajeshrd@amazon.com>

* Fix/session binding url (#1190)

* fix: session binding url

* fix: architecture

* fix: remove oauth callback service

* fix: docstrings

* fix: remove requirements.txt

* fix: remove cdk context

* fix: flow outbound auth flow diagram

* fix:session binding url

* style: format python files with ruff

* Replace Starter Toolkit with AgentCore CLI in README (#1196)

* feat: add Chrome enterprise policies and custom root CA tutorial for AgentCore Browser (#1220)

Add tutorial notebook demonstrating two new AgentCore Browser features:
- Chrome enterprise policies (managed/recommended) for URL filtering,
  download restrictions, and browser feature controls
- Custom root CA certificates via AWS Secrets Manager for connecting
  to internal services and SSL-intercepting proxies

Includes badssl.com demo for root CA using Code Interpreter.

Co-authored-by: Sundar Raghavan <sdraghav@amazon.com>

* Add use case: Integrate Claude Code with AgentCore Gateway MCP Server (#1225)

* Initial push of claude-code-with-mcp-server sample code

* Added tavily MCP Server

* Update 01-claude-code-with-mcp-server.ipynb

* Added details on how to list MCP Tools

* Update 01-claude-code-with-mcp-server.ipynb

* Semantic updates in wording

* Cosmetic Fixes

* Update 01-claude-code-with-mcp-server.ipynb

* Added Claude Code screenshots to show AgentCore Gateway connection

* Improved documentation of the notebook

* Added Solution Architecture

* Fixed post Gili code review

* Fixes after Gili Code Review Comments

* Code fixes after gili code Review Comments

* Fixes after Gili code review comments

* Update CONTRIBUTORS.md

* Create README.md

* Fixes in the code after ruff check run

* Fixes in the notebook code after ruff check run

* Fixed Security Scan Results bugs

* Update README.md

* Adding Getting Started sample (#1228)

* Adding getting started with AgentCore CLI example

* Adding getting started with AgentCore CLI example

* Adding getting started with AgentCore CLI example

* Groundtruth evaluations (#1229)

* Add groundtruth-based evaluations tutorial

* updating README

* drop .py script, agent script is created at notebook runtime

* custom code based evaluators (#1231)

* custom code based evaluators

* feat: token exchange example with real setup with different client ids to authenticate calls to AgentCore Gateway and API Gateway (#1234)

* Feature/datadog llm observability tutorial (#1097)

* feat: Add Datadog observability integration for AgentCore Runtime

Original Datadog partner observability integration by jasonmimick-aws.
Includes notebook, requirements, .gitignore, and README updates.

Co-authored-by: jasonmimick-aws <jasonmimick@users.noreply.github.com>

* feat: Add Datadog LLM Observability notebook with OTLP export

Replace initial notebook with LLM Observability-focused tutorial.
Uses OpenTelemetry OTLP export directly to Datadog (no Agent required).
Add llm-obs-example.png screenshot to shared images folder.

* chore: Flatten Datadog structure, fix paths, add kolaak to CONTRIBUTORS

- Remove llm-observability/ subfolder, move contents to Datadog/ root
- Fix notebook image paths for flattened directory structure
- Replace Datadog APM link with LLM Observability docs link
- Add kolaak to CONTRIBUTORS.md

---------

Signed-off-by: kolaak <kolaak@amazon.com>
Co-authored-by: jasonmimick-aws <jasonmimick@users.noreply.github.com>

* feat(01-tutorials): auth code flow examples agentcore gateway (#1250)

* Add memory for process tracking and analytics advanced pattern (#1094)

* Add memory for process tracking and analytics advanced pattern

* Update notebook: shows dynamic namespace querying, and dynamic code analysis

* Update notebook: add architecture diagram

* Move to 07-memory-for-hyper-personalisation, add cross-customer analytics notebook (Part 2)

* Rename notebooks with 01/02 prefix, add arch diagram to NB2, clear outputs

* Rename folder to 07-memory-for-personalisation-and-analytics

---------

Signed-off-by: Akarsha Sehwag <akshseh@amazon.de>
Co-authored-by: smathalikunnel <smathali@amazon.co.uk>
Co-authored-by: Akarsha Sehwag <akshseh@amazon.de>

* feat(01-tutorials): Adding Amazon Bedrock AgentCore Gateway - Amazon VPC Lattice egress samples (#1247)

* egress

* coming soon labs

* coming soon labs

* cleanup

* advanced

* changes

* removing hard coded regions - user prompted instead (#1251)

* removing hard coded regions - user prompted instead

* unicode

* ruff formatting

* feat(02-usecases): Add Okta three-tier auth end-to-end demo with BedrockAgentCore Agent+AgentCore Gateway Interceptor+ Agent Runtime MCP Server (#1158)

* Add Okta three-tier auth end-to-end demo with Gateway + Agent Runtime

* Add Authorization Code grant flow for user auth and group-based RBAC enforcement to MCP Server

---------

Co-authored-by: Mallik Panchumarthy <mpanchum@amazon.com>
Co-authored-by: Velamuri <kvelamu@amazon.com>

* feat(02-usecases): Add Database Read-Only User and Update to Next.js (#1206)

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Fix front-end model call IAM permissions for charts

* Add Database Read-Only User and Update to Next.js

* Add Database Read-Only User and Update to Next.js

* Update pnpm

* Update pnpm

---------

Co-authored-by: Uriel Ramirez <beralfon@amazon.com>

* Using AgentCore Identity for OAuth token management for a self-hosted agent. (#1255)

* Adding a tutorial for self hosted agent oauth managed by Agentcore Identity

Using AgentCore Identity for OAuth token management for a self-hosted agent.

* updated contributors.md

* feat: add Browser OS-level Actions tutorial (14-BROWSER-OS-ACTIONS) (#1259)

* feat: add Browser OS-level Actions tutorial (14-BROWSER-OS-ACTIONS)

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: update sample notebook with browser os actions using boto3

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: cleaned unused imports

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: cleaned unused imports

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: ruff clean

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

---------

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* Main folder for Agent Registry assets (#1288)

* fix: correct actorId usage and namespace resolution in travel booking agent (#896)

* fix: address reviewer feedback from @akshseh on PR #896

- Replace create_memory_and_wait + exception handling with create_or_get_memory
  (SDK handles idempotency, no manual exception handling needed)
- Remove 'Ask max two questions per turn' from flight, hotel, and orchestrator
  system prompts (not needed for demo use case)

* fix: resolve notebook issues found during testing

- Fix REGION -> region variable name in memory creation cell
- Remove duplicate imports between cell_8 and cell_9
- Fix cell_11: use consistent user_actor_id='user-001' for both flight
  and hotel agents (core PR fix - actorId represents user, not agent)

* fix: use separate sub-namespaces per agent while sharing actorId

- flight agent: travel/{actorId}/flight/preferences/
- hotel agent:  travel/{actorId}/hotel/preferences/

Same user_actor_id ensures memory persists across sessions.
Separate sub-namespaces ensure flight and hotel preferences don't mix.

* fix: use single shared namespace matching strategy pattern

Both agents use travel/{actorId}/preferences/ - matches the memory
strategy namespace so extracted preferences are actually retrievable.
Semantic search differentiates flight vs hotel preferences.

Tested: preferences (Iberia, economy, morning) correctly persisted
and recalled by new agent instance in a fresh session.

* Add Registry end-to-end tutorial: Admin Setup & IAM Governance Guide (#1290)

* Add Registry end-to-end tutorial: Admin Setup & IAM Governance Guide

- Getting started notebook with full registry lifecycle (create, IAM personas, records, governance tests, search, cleanup)
- Covers MCP, A2A, and CUSTOM record types with manual approval workflow
- Requires boto3 >= 1.42.87
- Includes architecture diagram

* Update architecture diagram with latest version

* Fix the import and add runtime deployment instructions

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Nadhya Polanco <65464569+nadhya-p@users.noreply.github.com>
Signed-off-by: Joachim Aumann <aumannjoachim@gmail.com>
Signed-off-by: fllaneza <44783676+fllaneza@users.noreply.github.com>
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
Signed-off-by: Lana Zhang <lanaz@amazon.com>
Signed-off-by: Akarsha Sehwag <akshseh@amazon.de>
Signed-off-by: Rajesh Sitaraman <rajesh.sitaraman@outlook.com>
Signed-off-by: kolaak <kolaak@amazon.com>
Signed-off-by: Cristiano Scandura <scandura@amazon.com>
Co-authored-by: Ganesh Thiyagarajan <ganeshtn@amazon.com>
Co-authored-by: Evandro Franco <33328919+evandrofranco@users.noreply.github.com>
Co-authored-by: Joshua Samuel <sauhsoj@amazon.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Antonio Rodriguez <42835728+rodzanto@users.noreply.github.com>
Co-authored-by: Abhimanyu Siwach <128322948+siwachabhi@users.noreply.github.com>
Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>
Co-authored-by: Roberto Catalano <catalanoroberto2@gmail.com>
Co-authored-by: Anthony Bernabeu <bernabeu.anthony@gmail.com>
Co-authored-by: brnaba-aws <brnaba@amazon.com>
Co-authored-by: afarntrog <47332252+afarntrog@users.noreply.github.com>
Co-authored-by: Jerad <71716360+jcengebreth@users.noreply.github.com>
Co-authored-by: Jerad Engebreth <awsjerad@amazon.com>
Co-authored-by: Bhuvan Chowdary Annamreddi <140741942+baannamr-aws@users.noreply.github.com>
Co-authored-by: jsbeardaws <jsbeard@amazon.com>
Co-authored-by: Neha Thakur <91389359+nehabthakur@users.noreply.github.com>
Co-authored-by: nehatb <nehatb@amazon.com>
Co-authored-by: rajjainl <rajjainl@amazon.com>
Co-authored-by: sierrabravo98 <73124400+sierrabravo98@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Daniel Lopes <almeidalopes@gmail.com>
Co-authored-by: Ramprasath S <ramprasathsee@gmail.com>
Co-authored-by: ramprasaths <rampsee@amazon.com>
Co-authored-by: AndyHall <314801+hllaah@users.noreply.github.com>
Co-authored-by: Andy Hall <hllaah@amazon.com>
Co-authored-by: Eashan Kaushik <50113394+EashanKaushik@users.noreply.github.com>
Co-authored-by: Robert Hoffmann <robert@its-hoffmann.net>
Co-authored-by: Robert Hoffmann <rho@amazon.de>
Co-authored-by: Nadhya Polanco <65464569+nadhya-p@users.noreply.github.com>
Co-authored-by: nadhyap <nadhyap@amazon.com>
Co-authored-by: Joachim Aumann <aumannjoachim@gmail.com>
Co-authored-by: Mizer <55321188+amizer12@users.noreply.github.com>
Co-authored-by: subhakl <subha.kalia4@gmail.com>
Co-authored-by: subhakl <subhakl@amazon.com>
Co-authored-by: fllaneza <44783676+fllaneza@users.noreply.github.com>
Co-authored-by: Amit Lulla <amit.lulla@gmail.com>
Co-authored-by: Arun Kumar Selvaraj <103064054+arunskum@users.noreply.github.com>
Co-authored-by: rohillasandeep <31911590+rohillasandeep@users.noreply.github.com>
Co-authored-by: name <alias@amazon.com>
Co-authored-by: Akarsha Sehwag <akshseh@amazon.de>
Co-authored-by: Julian Grüber <94227999+juliangrueber@users.noreply.github.com>
Co-authored-by: tnickl <tnickl@users.noreply.github.com>
Co-authored-by: satveerkhurpa <satveerkhurpa@users.noreply.github.com>
Co-authored-by: ensorw <ensorw@amazon.com>
Co-authored-by: Gan Luan <ganluannj@users.noreply.github.com>
Co-authored-by: awsjs <76132320+jamesschafer1982@users.noreply.github.com>
Co-authored-by: Anil Nadiminti <12433959+aniloncloud@users.noreply.github.com>
Co-authored-by: Anil Nadiminti <anilnadi@amazon.com>
Co-authored-by: giryoong-kim <gi.ryoong.kim@gmail.com>
Co-authored-by: Gi Kim <giryoong@amazon.com>
Co-authored-by: Sunita Koppar <skoppar@amazon.com>
Co-authored-by: brandh25 <100976280+brandh25@users.noreply.github.com>
Co-authored-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
Co-authored-by: HT <hardikvt@amazon.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Sebastian Bustillo <117386987+seabasshn@users.noreply.github.com>
Co-authored-by: Manuwai Korber <11172727+manuwaik@users.noreply.github.com>
Co-authored-by: Massimiliano Angelino <angmas@amazon.com>
Co-authored-by: Lana Zhang <lanaz@amazon.com>
Co-authored-by: Dumitru Pascu <3185740+dumip@users.noreply.github.com>
Co-authored-by: Zihang Huang <huanghang111@gmail.com>
Co-authored-by: Diego Brasil <109662331+di-brasil@users.noreply.github.com>
Co-authored-by: Jesse Turner <57651174+jesseturner21@users.noreply.github.com>
Co-authored-by: Rajesh Sitaraman <rajesh.sitaraman@outlook.com>
Co-authored-by: Rajesh Sitaraman <rajeshrd@amazon.com>
Co-authored-by: Gitika <53349492+notgitika@users.noreply.github.com>
Co-authored-by: Sundar Raghavan <101336114+sundargthb@users.noreply.github.com>
Co-authored-by: Sundar Raghavan <sdraghav@amazon.com>
Co-authored-by: Eitan Sela <eitan.sela@gmail.com>
Co-authored-by: Maira Ladeira Tanke <102240958+mttanke@users.noreply.github.com>
Co-authored-by: Bharathi Srinivasan <bhrsrini@amazon.com>
Co-authored-by: kolaak <kolaak@amazon.com>
Co-authored-by: jasonmimick-aws <jasonmimick@users.noreply.github.com>
Co-authored-by: smathalikunnel <sebastian.sunnym@gmail.com>
Co-authored-by: smathalikunnel <smathali@amazon.co.uk>
Co-authored-by: Mallik Panchumarthy <himallik@gmail.com>
Co-authored-by: Mallik Panchumarthy <mpanchum@amazon.com>
Co-authored-by: Velamuri <kvelamu@amazon.com>
Co-authored-by: Uriel Ramirez <aurbac@gmail.com>
Co-authored-by: Uriel Ramirez <beralfon@amazon.com>
Co-authored-by: Swara Gandhi <gandhi.swara@gmail.com>
Co-authored-by: Cristiano Scandura <53795829+scandura@users.noreply.github.com>
Co-authored-by: mchaitra <85197325+mchaitra007@users.noreply.github.com>
Co-authored-by: Amit Lulla <8913514+amit-lulla@users.noreply.github.com>
Co-authored-by: kollura <kollura@amazon.com>
2026-04-11 23:12:41 -07:00
SI 9cdd52bc5a Add aws agent registry MCP to Kiro using DCR (#1316)
* Add kiro-registry-dcr-auth0 advanced tutorial

* fix ruff errors

* fix: make registry_id a required param, remove unused REGISTRY_ID global

* ruff format done

---------

Co-authored-by: sanaiqbalw <sanaiqbalw@users.noreply.github.com>
2026-04-11 19:24:51 -07:00
Vinod Singh b02858b247 Registry synchronize mcpserver new update 04/10 PM time (#1314)
* registry-synchronize-mcpserver

done !

* updated image size and added Registry Admin permissions

* updated formatting of json

* one more formatting correction

* reduce image size, added README and requirement.txt

* removed outputs

* rendered image to 80% in notebook and looks better now

---------

Co-authored-by: Vinod Singh <singwvin@amazon.com>
2026-04-11 17:36:10 -07:00
AnantMurarka 6044993e5c Feature/kiro publisher workflow (#1319)
* Kiro power for AWS Agent Registry Publisher Workflow

* Added sample prompts and updated contributors list

* Added hyperlink for kiro power on Github

* Added kiro powers doc link in the overview section

---------

Co-authored-by: Anant Murarka <anantmu@amazon.com>
2026-04-11 13:48:24 -07:00
Sindhura Palakodety 3d88343bc6 Pushing the AWS Agent Registry Getting Started step-by-step notebooks (#1315)
* Pushing the getting started step-by-step notebooks

* Adding contributors to CONTRIBUTORS.md

* fixed the issues highlighted by the code scanner

* more minor fixes

---------

Co-authored-by: name <alias@amazon.com>
2026-04-10 20:45:49 -07:00
Vinod Singh 46492241f5 registry-synchronize-mcpserver (#1304)
* registry-synchronize-mcpserver

* updated image size and added Registry Admin permissions

* updated formatting of json

* one more formatting correction

---------

Co-authored-by: Vinod Singh <singwvin@amazon.com>
2026-04-10 09:49:29 -07:00
goku 65664ffad5 Add city parameter to weather tool (#1303) 2026-04-10 12:35:40 -04:00
Kamal Manchanda fddfadbd58 Checking in Admin Approval Workflow (#1301) 2026-04-10 09:10:58 -07:00
sg-nitd 7e6287ca4a Add Agent Registry tutorial: Discovery and invocation at runtime (#1298)
* Add Agent Registry tutorial: Discovery and invocation at runtime

* Add contributors: Shubham Gupta and Vibhu Pareek

* Fix lint failures and update icons

---------

Co-authored-by: Your Name <you@example.com>
2026-04-10 09:04:09 -07:00
Hardik Thakkar 3be0a2b748 Add CLI Samples (#1265)
* Fix wording typo in notebook about user consent flow

cosmetic update

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Add pyyaml to requirements.txt

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Add HardikThakkar94 to CONTRIBUTORS.md

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Updates to fix the Streamlit app access when running in sagemaker

Modified
- Requirements.txt (added dependencies)
- chatbot_app_cognito.py (added get_streamlit_url, for sagemaker access)
- runtime_with_strands_and_egress_3lo.ipynb (streamlit piece for access url, cosmetic updates)

* Fixing Ruff errors reported by python-lint

* removing Ruff errors from python-lint

* passing 3.7 as the model for workshop

* Docs: add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook

* Revert "Docs: add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook"

This reverts commit 5dded4c38a.

* Add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook

* cosmetic fix

* Updating OpenAI URL

* Added instructions on the OAuth flow session binding and Streamlit functionality

* All imports are now properly organized at the top of the file, following Python best practices (PEP 8). The linting errors should now be resolved:
  -  runtime.py:18:1: E402 - Fixed
  -  runtime.py:19:1: E402 - Fixed
  -  runtime.py:19:20: F811 - Fixed
  -  runtime.py:25:1: E402 - Fixed

* formatting fixed

* Update Identity Outbound tutorial notebooks with corrections and improvements:
1. 05-Outbound_Auth_3lo notebook: Fixed credential provider name typo
2. 06-Outbound_Auth_Github notebook: Multiple improvements including:
    - Updated description text for GitHub-specific use case
    - Reorganized imports (moved to top of cell)
    - Added boto session and region setup
    - Reordered OAuth flow description
    - Restructured notebook sections (removed redundant policy section, added clearer status check and invoke sections)
    - Fixed credential provider name reference

* Fixed Identity Sections based on SageMaker (Workshop) to handle oauth2_callback_server and other cosmetic updates.

* Remove unused import and added permissions for 1st time model access for workshops

* formatting fixed.

* parameterize provider, update github image.

* added import boto3 and updated image for GitHub Session Binding

* Update Model and Remove Global Var

* Travel and Shopping concierge agents blueprints

* add missing contributors for the blueprint

* fix python-lint errors

* CodeQL fixes and config

* fix python-lint unused imports

* fix python-lint

* fix linter and cql issues

* run linter

* update codeql suppressions

* suppress codeql

* Revert accidental changes to 01-tutorials and 03-integrations

Remove files accidentally added to 01-tutorials and 03-integrations in previous commits.
These changes were not intended to be part of the blueprint additions.

Reverted files:
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/.dockerignore
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/Dockerfile
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/github_agent.py
- 03-integrations/IDP-examples/EntraID/.agentcore.json
- 03-integrations/IDP-examples/EntraID/.dockerignore
- 03-integrations/IDP-examples/EntraID/Dockerfile
- 03-integrations/IDP-examples/EntraID/strands_entraid_onenote.py

* fix formatting

* Update 05-blueprints/shopping-concierge-agent/tests/utils.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* removed tests folders.

* remove info logging

* remove logging

* codeql suppressions

* Update server.py

# codeql[py/clear-text-logging-sensitive-data] Debug logging for certificate verification - logs metadata only, not private key content

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Updating .gitignore and adding lib folder required for the shopping and travel concierge agents

* Add Demo video for agents

* Update demo section in README.md

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Add Demos as GIF, update LFS and add note in ReadMe

* remove the .mp4 files as they are not supported

* change to google products and remove travel specific

* update product link

* fix url in shopping list and purchases

* remove amazon

* Add Visa B2B Use Case

* fix pylint

* CodeQL Fixes

* Consolidating IDP examples under tutorials for better organization

* feat(identity): add runtime inbound and outbound auth sample using AC CLI

* feat(identity): add gateway inbound and outbound auth sample using AC CLI

* feat(identity): add M2M and auth code flows sample using AC CLI

* fix(identity): fix invoke bearer token injection and add configure_inbound_auth script

* feat(identity): add CLI-based samples 09-11

Rewrites identity samples from Jupyter notebooks to agentcore
CLI format using Cognito as IdP.

09 - Runtime Inbound + Outbound Auth (JWT + API key)
10 - Gateway Inbound + Outbound Auth (JWT + MCP/OAuth2)
11 - M2M + Auth Code Flows (client creds + GitHub/Google 3LO)

Key details:
- configure_inbound_auth.py applies post-deploy steps the CLI
  skips: JWT auth, IAM policies, KMS token vault access,
  workload identity callback URLs, credential recreation
- setup_mcp_server.py deploys a Lambda MCP test server
- NonBlockingPoller lets 3LO consent URL reach the user
- oauth2_callback_server.py aligned with samples 05/06
- .gitignore excludes generated dirs and secrets

* fix(identity): fix SDK call in sample 06 notebook

Replace positional dict with keyword args in
create_oauth2_credential_provider to match current
SDK signature.

* fix(identity): show 3LO callback URLs always

Fetch and print AgentCore Identity callback URL
even when providers already exist, so users know
what to register in GitHub/Google app settings.

* fix(identity): strip markdown from consent URLs

Exclude asterisks from URL regex so LLM markdown
bold formatting does not corrupt the consent URL.

* feat(identity): update for CLI preview.9.0

- Use --authorizer-type on agentcore add agent
- Use agentcore add gateway-target (sample 10)
- Remove configure_inbound_auth.py (sample 09)
- Simplify post-deploy scripts (samples 10, 11)
- Fix --client-id flag names in sample 10 docs

* fix(identity): use real APIs in agent code

- Sample 09: call wttr.in for real weather data
- Sample 10: fix Cognito domain + scopes for gateway
- Sample 11: show real M2M token claims + API call

* feat(identity): add Streamlit UIs

- Login screen + dashboard for samples 09-11
- Token paste field for auth testing (10)
- 3LO consent handling with callback (11)
- Fix gateway tool names (MyTools___ prefix)
- Fix Cognito OAuth reset on CDK deploy

* fix(identity): update for CLI 0.4.0

- `agentcore add identity` → `agentcore add credential`
- `agentcore remove identity` → `agentcore remove credential`

* fix(identity): add aws-targets.json setup step

Users hit 'Target not found' because agentcore create
generates an empty aws-targets.json. Added step to all
3 READMEs showing how to populate it.

* fix(identity): use Google Weather API

Replace fake weather calls with real Google Maps
Weather API. API key from AgentCore Identity is
now used for actual authentication.

* fix(identity): use deployed-state.json

CLI 0.4.0 changed agentcore status --json output
format, breaking ARN resolution in invoke.py and
streamlit apps. Reading deployed-state.json directly
works across all CLI versions.

- invoke.py (09, 10, 11): read runtimeArn from
  deployed-state.json instead of parsing status
- configure_inbound_auth.py (10, 11): read runtimeId
  from deployed-state.json
- streamlit_app.py (09, 10, 11): same fix for
  resolve_agent_arn and resolve_gateway_url
- Removed subprocess/re imports where no longer needed

* fix(identity): remove Next Steps sections

Links pointed to samples that don't exist yet
(EntraID, Okta) or were circular references.

* fix(identity): use OpenWeatherMap API

Switch from Google Weather to OpenWeatherMap.
Free tier, no billing required.

* fix(identity): recursive ARN search

Use recursive JSON search for runtimeArn/runtimeId
in deployed-state.json. Works regardless of nesting
structure across CLI 0.3.x and 0.4.x.

* docs(identity): add Streamlit UI section

Add optional Streamlit instructions to all 3
README files (samples 09, 10, 11).

* fix(identity): persist bearer token field

Token field cleared on rerun because Streamlit
key overrides value param. Pre-fill via session
state on login instead.

* fix(identity): simplify gateway target step

MCP server is public, no OAuth needed. Remove
confusing outbound auth flags and outdated JSON
example from sample 10 README.

* fix(identity): use OpenWeatherMap for M2M

Replace fake internal API with real OpenWeatherMap
call in sample 11 M2M flow. Users can reuse the
same API key from sample 09.

* fix(identity): reorder sample 11 steps

Move project creation before credential setup
so CLI commands work. Renumber steps 3-10.

* fix(identity): sample 11 M2M uses real API

- Fetch OpenWeatherMap key via @requires_api_key
- M2M token + API key working together
- Fix invoke.py prompt to match new tool
- Tested end-to-end: real weather data returned

* docs(identity): link sample 09 from sample 11

Add clear instructions for OpenWeatherMap key
with link to sample 09 for users who skip ahead.

* docs(identity): add GitHub/Google OAuth setup steps

Add detailed instructions for creating GitHub OAuth
App and Google OAuth credentials in sample 11 README.
Steps taken from existing samples 05 and 06 notebooks.

* docs(identity): add GitHub OAuth screenshot

Copy github_details.png from sample 06 to show
the OAuth App creation form in sample 11 README.

* feat(identity): renumber CLI samples 10-12

Upstream added 09-Outbound_Auth_Self_Hosted to main.
Shift our CLI samples to avoid conflict:
  09 → 10-runtime-inbound-outbound-auth
  10 → 11-gateway-inbound-outbound-auth
  11 → 12-m2m-3lo-runtime
Update all internal cross-references.

* fix(identity): update README links to 10/11/12

* docs(identity): unified sample table with Method column

Single table with all 12 samples. Method column shows
Notebook or CLI for each. No more legacy/recommended split.

* docs(identity): move table after Architecture section

Fix IDP examples type to Inbound + Outbound.

* fix(identity): resolve lint errors in samples 10-12

- Remove unused imports (asyncio, json, subprocess, time)
- Fix E402: move imports to top of file
- Fix F541: remove f-prefix from strings without placeholders

---------

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
Co-authored-by: HT <hardikvt@amazon.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-10 10:18:30 -04:00
Eashan Kaushik ff2d5664b9 feat(01-tutorials): VPC egress AgentCore Gateway samples (#1261)
* egress

* coming soon labs

* coming soon labs

* cleanup

* advanced

* changes

* end to end

* ecs eks fix
2026-04-10 09:53:08 -04:00
Ganesh Thiyagarajan 24a657b73b 3 Registry notebooks with IAM role changes (#1299)
* fix(notebooks): minor changes in the instructions

* Adding browser new features (profile, extensions and proxy) (#966)

* adding browser profile and firewall examples

* Fix browser samples and add domain filtering notebook

- Rename test_firewall.py to verify_domain_filtering.py
- Add verify_domain_filtering.ipynb notebook version
- Fix hhtp typo in SigV4 signing (both samples)
- Remove debug prints and unused imports
- Add BROWSER_ID env var validation with CFN export hint
- Replace httpbin.org with github.com (matches CFN AllowedDomains)
- Fix hardcoded S3 bucket name, add LocationConstraint
- Translate Portuguese comments/strings to English
- Remove unused strands-agents-tools from requirements.txt
- Remove commented-out code
- Add samples 09/10 to parent README

* Add sample 11: Browser with Squid proxy and S3 logging

- CFN template: VPC, Squid EC2 with basic auth, AgentCore Browser (VPC mode)
- Proxy credentials auto-generated in Secrets Manager
- Squid access logs synced to S3 every 5 minutes
- Browser security group locked to Squid:3128 only (no NAT)
- verify_proxy.py and .ipynb: start proxied session, verify IP matches Squid
- Parent README updated with sample 11 link

* adding / fixing features

* Fix browser execution role trust policy for CFN deployment

Add SourceAccount and SourceArn conditions to the browser execution
role trust policy in both CFN templates. Without these conditions,
the BrowserCustom CFN handler fails with HandlerInternalFailure.

Uses AWS::AccountId and wildcard region so it works in any account.

* adding extension / refactoring

* adding extension / refactoring

* finishing samples

* Clean up browser tool samples: remove local playwright install, fix lint and docs

- Remove 'playwright install chromium' from READMEs (remote browser, not local)
- Remove unnecessary f-string prefix in verify_domain_filtering.py
- Fix ASCII diagram alignment in proxy README
- Remove secret ARN from verify_proxy.py stdout
- Replace 'jupyter notebook' command with IDE-agnostic guidance

* fix: proxy auth bug + ruff lint/format across browser tutorials

11-browser-with-proxy:
- Fix htpasswd parsing passwords starting with '-' as flags (use stdin)
- Use ExcludePunctuation for secret generation instead of partial char list
- Use session.client() consistently, remove secret ARN printing
- Clear notebook outputs

09/10/12 + helpers:
- Fix ruff lint errors (unused import re, f-string without placeholders)
- Apply ruff formatting (line wrapping, quote consistency)
- Clear notebook outputs (12 had leaked AWS credentials)
- Update kernel metadata

* fix: install cronie on AL2023 for squid log sync cron job

* fix: browser tutorials cross-region bucket naming, deploy.sh region, and boto3 version pin

- Profiles & Extensions notebooks: bucket name now includes region to prevent
  cross-region S3 collisions when running demos in different regions
- deploy.sh: use AWS_DEFAULT_REGION/aws configure instead of hardcoded us-east-1
- Proxy requirements.txt: pin boto3>=1.42.47 (proxyConfiguration support)

---------

Co-authored-by: Joshua Samuel <sauhsoj@amazon.com>

* chore(deps): bump jsonpath (#972)

Bumps [jsonpath](https://github.com/dchester/jsonpath) from 1.1.1 to 1.2.1.
- [Commits](https://github.com/dchester/jsonpath/commits/1.2.1)

---
updated-dependencies:
- dependency-name: jsonpath
  dependency-version: 1.2.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Adding tutorial example for Gateway integration with IDE and tool - VS Code - Agentcore Gateway - Confluence (#790)

* Updating Policy tutorial for FGAC

* Updating Policy tutorial for FGAC

* Updating Policy tutorial for FGAC

* Updating Policy tutorial for FGAC

* Adding IDE Gateway integration example

* Fixing python-lint issues

* Fixing python-lint issues

* Fixing python-lint issues

* Adjusting proxy Lambda with commented lines

* Updated readme

* Updating README

* fix: include account ID in Cognito domain prefix to ensure global uniqueness (#979)

The Cognito domain prefix previously used only appName and region,
which could cause collisions across AWS accounts deploying the same
stack. Adding the account ID guarantees uniqueness.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* feat: add auto-register Bedrock Knowledge Bases on AgentCore Gateway tutorial (#980)

* added full example of enterprise mcp platform with policy engine mcp … (#982)

* added full example of enterprise mcp platform with policy engine mcp server filtering based on user_tag, guardrail for PII data

* fixed linting

* fixed linting

* fixing lint

* fixing lint

* fixing ruff

* FIXING RUFF

* fixing ruff

---------

Co-authored-by: brnaba-aws <brnaba@amazon.com>

* update evals package name (#985)

* update evals package name

* update evals package name

* Fix/add missing infrastructure files due to .gitignore (#942)

* feat: add missing CDK infrastructure files for knowledge-base-rag-agent

- Add all CDK stack files (api, cognito, storage, web-console, etc.)
- Add CDK constructs and utilities
- Fix web console S3 content-type bug with single BucketDeployment
- Add @aws-lambda-powertools/logger dependency for Lambda bundling
- Enable esbuild-based Lambda bundling (no Docker required)

This completes the knowledge-base-rag-agent infrastructure that was missing from the original PR.

* fix: add missing infrastructure files for knowledge-base-rag-agent

- Add exception to root .gitignore for knowledge-base-rag-agent/infrastructure/lib/
- This allows the critical CDK stack definitions and constructs to be tracked
- Without these files, developers cannot deploy the infrastructure
- Fixes the incomplete PR #923 that was missing the entire lib/ directory

The missing files include:
- 6 CDK constructs (API proxy, CORS config, Lambda utilities, etc.)
- 12 CDK stacks (API, Cognito, Database, Memory, Runtime, etc.)
- 1 utility file (NAG suppressions)

These are essential TypeScript source files, not build artifacts.

---------

Co-authored-by: Jerad Engebreth <awsjerad@amazon.com>

* AgentCore gateway - SQL injection prevention (#989)

* Add prompt injection prevention tutorial

* Updated Lambda

* SQL changes

* Lambda changes

* SQL naming changes

* fixes

* Added read me and minor changes

* Update service names

* fixes

* remove outputs

* fixes-1

* lambda lint

---------

Co-authored-by: jsbeardaws <jsbeard@amazon.com>

* docs: improve prerequisites for customer-support-agent-with-agentcore (#1008)

Expand the Prerequisites section with inline guidance for AWS CLI version
requirements, IAM permissions, and Bedrock model access — addressing
common first-time setup failures.

README.md:
- Add tip that deploy.sh runs pre-flight checks for all prerequisites
- Specify AWS CLI v2.32.0+ requirement (needed for `aws login`)
- Add step-by-step AWS credentials and permissions guidance
- Recommend AdministratorAccess + SignInLocalDevelopmentAccess policies
- Add Anthropic model access section (one-time usage form, not the
  retired Model Access page — Bedrock auto-enables since Oct 2025)
- Note CDK and AgentCore CLI are auto-installed by deploy.sh
- Add troubleshooting entry for `aws login` version error

scripts/deploy.sh:
- Add AWS CLI version check (warns if below v2.32.0)
- Add Bedrock model access check for Claude Sonnet 4.5
- Improve credential error message to reference `aws login`

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* adding session lifecycle info (#1014)

* fix: add npm cache preflight check and fix agentcore CLI commands in deploy.sh and README (#1015)

- Add npm cache ownership check to deploy.sh pre-flight section. A previous
  `sudo npm install` leaves root-owned files that cause EACCES errors.
- Fix deploy.sh and README.md to use `uv run agentcore` instead of bare
  `agentcore`, since the CLI is installed in the project venv via uv sync.
- Update troubleshooting table with `uv run` guidance.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* fix: add botocore[crt] dependency for aws login credential provider (#1016)

The README instructs users to authenticate via `aws login`, which uses
the CRT-based credential provider. Without `awscrt` in the project venv,
any boto3 call (e.g., cognito-user.py) fails with MissingDependencyException.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* fix: improve cognito-user.py UX for email and password handling (#1018)

* fix: improve cognito-user.py UX for email selection and password errors

- Replace free-text email input with numbered menu (1/2) to prevent
  users from entering emails that don't match backend mock data
- Show password requirements upfront before the password prompt
- Catch InvalidPasswordException and display friendly error message
  instead of a raw stacktrace

* style: apply ruff formatting

* fix: detect port 3000 collision before starting OAuth callback server

Check if port 3000 is available before attempting to bind. If in use,
exit with a clear error message and the command to free the port.

* fix: check port availability before opening browser in login flow

Move the port check to the start of do_login so it exits before
opening the browser or starting the callback server.

---------

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* docs: simplify console navigation for Policy Engine setup (#1020)

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* Replace Anthropic Claude references with Amazon Nova 2 Lite model (#1023)

* Replace Anthropic Claude references with Amazon Nova 2 Lite model
 

---------

Co-authored-by: nehatb <nehatb@amazon.com>

* Lifecycle Session Demos for Bedrock Agentcore runtime (#1026)

* feat(tutorials): Add inline session lifecycle demos to MCP server tutorials

Add inline session stop demonstrations and best practices sections to both
MCP server hosting tutorials. Updates include:

- Add inline session lifecycle demo after runtime launch
- Add Session Lifecycle Best Practices section before cleanup
- Update cleanup with security-validated ordering (credentials first)
- Make cleanup code active with proper try/except error handling

hosting_mcp_server.ipynb (OAuth):
- Inline demo is commented (OAuth doesn't support boto3 invoke)
- Cleanup order: Secrets → SSM → Runtime → ECR

hosting_mcp_server_iam_auth.ipynb (IAM):
- Inline demo is ACTIVE (IAM supports boto3 invoke)
- Demonstrates capturing runtimeSessionId and calling stop_runtime_session
- Cleanup order: SSM → Runtime → ECR

All changes follow security best practices to minimize credential exposure
windows during cleanup.

Requirements: 9.1, 9.2, 9.3, 9.4, 9.5, 6.2

* feat(tutorials): Add inline session lifecycle demos to MCP server tutorials

Add strategic session stop demonstrations throughout both MCP server tutorials
to teach proper session lifecycle management in context.

Changes:
- Add stop_runtime_session_oauth() helper function for OAuth bearer token auth
- Add Demo 1: Session stop immediately after runtime deployment
- Add Demo 2: Session stop between different test approaches
- Add Demo 3: Session stop after Boto3 testing (IAM notebook only)
- Update invoke_mcp_tools.py to include session stop with HTTP 200 response
- Add explanatory notes about expected 404 warning from MCP client cleanup
- Demonstrate mcpSessionId can be passed as header and used with stop_runtime_session
- Print HTTP status codes and Request IDs for all session stops

Verified:
- IAM auth: All session stops return HTTP 200 with Request IDs
- OAuth auth: Session stops work with bearer token via HTTP POST
- Single runtime successfully handles multiple sessions
- Runtime remains alive after stopping individual sessions

Requirements: 9.1, 9.2, 9.3, 9.4, 9.5

* feat(tutorials): Add inline session lifecycle demos to hosting-agent tutorials

Add strategic session stop demonstrations and lifecycle configuration to all
hosting-agent tutorials to teach proper session management in context.

Changes:
- Update billing language from 'GBHours' to 'vCPU and Memory based' costs
- Add inline session stop demos after agent invocations
- Add active lifecycle configuration demo with second runtime (300s timeout)
- Demonstrate stop_runtime_session with captured runtimeSessionId
- Update cleanup sections with try/except error handling
- Add Session Lifecycle Best Practices sections

Tutorials updated:
- 01-strands-with-bedrock-model/runtime_with_strands_and_bedrock_models.ipynb
- 02-langgraph-with-bedrock-model/runtime_with_langgraph_and_bedrock_models.ipynb
- 03-strands-with-openai-model/runtime_with_strands_and_openai_models.ipynb
- 04-crewai-with-bedrock-model/runtime-with-crewai-and-bedrock-models.ipynb

Verified:
- All notebooks demonstrate session stopping with boto3 invoke_agent_runtime
- Lifecycle configuration demos show shorter idle timeout (300s)
- Cleanup sections properly handle multiple runtimes
- Error-safe cleanup with individual try/except blocks

Requirements: 1.2, 6.1, 9.1, 9.2, 9.3, 9.4, 9.5

* refactor(tutorials): Simplify session lifecycle sections per reviewer feedback

Address reviewer feedback to remove confusing lifecycle configuration
references and simplify Best Practices sections.

Changes:
- Remove 'and show how to use a smaller lifecycle configuration' from inline demos
- Remove lifecycle configuration demo cells from hosting-agent notebooks
- Simplify Best Practices section to only 2 bullets (configure timeout, stop sessions)
- Remove confusing bullets about cleanup, deletion order, and minimum timeout

Updated notebooks:
- All 4 hosting-agent notebooks (strands-bedrock, langgraph, strands-openai, crewai)
- Both MCP server notebooks (OAuth and IAM)
- understanding-runtime-context notebook

Reviewer: @evandrofranco
PR: awslabs/amazon-bedrock-agentcore-samples#1026

* fix(tutorials): Restore lifecycle config demos with cleaned comments

Restore lifecycle configuration demo cells that were incorrectly removed.
The reviewer only asked to remove confusing comments, not the entire demo.

Changes:
- Restore lifecycle-config-demo markdown and code cells
- Keep the demo functionality (second runtime with 300s timeout)
- Remove only the confusing comments:
  - 'Using a shorter idle timeout for demonstration purposes'
  - 'A shorter idle timeout helps avoid undesired costs...'
- Keep all the actual demo code

This preserves the SPECIAL CASE requirement from tasks.md that these
notebooks should demonstrate active lifecycle configuration.

Updated: 4 hosting-agent notebooks

* fix(tutorials): Restore lifecycle demos and update Best Practices per reviewer

Complete implementation of reviewer feedback:

1. Removed confusing sentence from inline demo titles:
   - Changed 'Below we demonstrate stop_runtime_session and show how to use
     a smaller lifecycle configuration'
   - To: 'Below we demonstrate stop_runtime_session'

2. Removed confusing comments from lifecycle config demo code:
   - Removed 'Using a shorter idle timeout for demonstration purposes'
   - Removed 'A shorter idle timeout helps avoid undesired costs...'
   - Kept all actual demo code (second runtime with 300s timeout)

3. Simplified Best Practices section (all notebooks):
   - Reduced to 2 bullets: Configure idle timeout, Stop sessions when done
   - Removed 3 bullets about cleanup, deletion order, minimum timeout

Updated 6 notebooks:
- 4 hosting-agent notebooks (with lifecycle demos restored)
- 2 MCP server notebooks (Best Practices simplified)

Reviewer: @evandrofranco
PR: awslabs/amazon-bedrock-agentcore-samples#1026

* 03-integrations - Add Claude Agent SDK agentic patterns: subagents and hooks (#994)

* feat: add Claude Agent SDK orchestrator-workers pattern with subagents

Add new example demonstrating the Orchestrator-Workers agentic pattern
using Claude Agent SDK's native subagent support (AgentDefinition + Task tool)
deployed on Bedrock AgentCore Runtime.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add Claude Agent SDK hooks pattern for tool governance and audit

Add new example demonstrating PreToolUse and PostToolUse hooks for
blocking dangerous operations and audit logging. README covers
defense-in-depth story with AgentCore Policy for external tools.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: add contributor name

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* fix: upgrade to Sonnet 4.6 and fix cognito-user.py commands (#1027)

* fix: use uv run instead of python in cognito-user.py

The project uses uv for dependency management, so the script
should reference uv run consistently in its docstring and
user-facing output.

* feat: upgrade to Claude Sonnet 4.6 and improve deploy model check

- Update model ID from Sonnet 4.5 to Sonnet 4.6 global inference profile
- Replace passive model lifecycle check with actual invoke-model test in deploy.sh
- Show both possible failure reasons: Anthropic FTU form and IAM permissions

* fix: harden deploy.sh model check for edge cases

- Add timeout (10s) to prevent hanging on network issues
- Add cli-connect-timeout and cli-read-timeout for AWS CLI
- Chain mktemp into the if-condition to handle failures gracefully
- Clarify that the check tests deployer credentials, not the agent's
  execution role — a failure here may not affect the deployed agent
- Safe cleanup of temp file in all code paths

* fix: remove timeout command for macOS compatibility

timeout is a GNU coreutils command not available on macOS by default.
The AWS CLI's --cli-connect-timeout and --cli-read-timeout flags
provide sufficient timeout protection.

* docs: restructure prerequisites for clarity

- Move Clone the Repository to first step with git install instructions
- Separate auto-installed tools (CDK, AgentCore CLI) from manual prereqs
- Move IAM policies to a note after verify credentials
- Move aws login version requirement to AWS Credentials section
- Move deploy.sh tip to after tools table

* docs: add guidance on changing the model ID

* docs: remove redundant API form note

---------

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* docs: improve prerequisites clarity and deploy.sh error messages (#1029)

* docs: improve prerequisites clarity and deploy.sh error messages

- Restructure Clone the Repository into numbered steps
- Clarify Node.js install: install nvm first, then run command
- Improve deploy.sh node error message with nvm install link
- Remove auto-installed tools section (CDK, AgentCore CLI)
- Specify Sonnet 4.6 in model access steps
- Simplify tools table and credentials section

* docs: revert to Sonnet 4.5 default, add alternative model table

- Revert default model to Claude Sonnet 4.5 in load.py and deploy.sh
- Add alternative models table (Haiku 4.5, Sonnet 4.6) to README
- Update all Sonnet 4.6 references back to 4.5

* docs: soften git install wording

---------

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* updated notebook to reflect header propagation feature instead of interceptor (#971)

* updated notebook to reflect header propagation feature instead of interceptor

* Add README.md documentation

* docs: add Transaction Search prerequisite to observability section (#1031)

The observability section implied traces work out of the box, but
CloudWatch Transaction Search must be enabled first for span ingestion.
Add the one-time setup step before the trace inspection instructions.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* feat(02-usecase): A2A Agent usecase (#1025)

* Add A2A Real Estate Multi-Agent Use Case

This contribution adds a complete A2A (Agent-to-Agent) real estate multi-agent system demonstrating:

- Multi-agent coordination using A2A protocol with OAuth authentication
- Property Search Agent (Strands-based) for searching properties
- Property Booking Agent (Strands-based) for managing bookings
- Coordinator Agent that orchestrates sub-agents via A2A protocol
- Automated Cognito setup for OAuth 2.0 authentication
- React-based UI with direct AgentCore integration
- Comprehensive deployment automation scripts
- End-to-end testing utilities

Key Features:
- OAuth bearer token management with Cognito
- Request header allowlist configuration for Authorization
- Automated agent deployment with agentcore CLI
- Token generation and refresh utilities
- Real-time chat interface for property search and booking

Architecture:
- Coordinator generates OAuth tokens from Cognito to call sub-agents
- Sub-agents validate tokens independently
- All agents deployed on Amazon Bedrock AgentCore Runtime
- UI connects directly to coordinator via A2A protocol

Documentation includes:
- Deployment guide with step-by-step instructions
- Project structure overview
- Demo instructions
- Quickstart guide
- Contributing guidelines

* Security improvements and bug fixes

- Added comprehensive .gitignore for sensitive files and scan results
- Fixed security issues from GitHub Advanced Security scan
- Implemented short-term memory (STM_ONLY) for conversation context
- Fixed session ID bug in UI for persistent conversations
- Removed unused fix_iam_permissions.py with hardcoded ARNs
- Deleted sensitive files (bearer_token.json, cognito_config.json)
- Updated welcome message to 'Amazon Bedrock AgentCore'
- Fixed ESLint warnings in directApi.ts
- Improved security in deployment and server scripts
- All security scan findings addressed or documented as false positives

* Update documentation to sample application

* review comment fixes, cleanup unused files, update documentation

* Delete unused test_a2a_simple.py

* Fix ruff lint errors

* Remove clear-text logging of env vars and working directory

* ASH fixes

* Fix TypeScript hast type error from npm overrides

* Replace ASCII architecture diagram with architecture.png

* Migrate UI from CRA to Vite, redesign with light theme

---------

Co-authored-by: ramprasaths <rampsee@amazon.com>

* Added Tagging and CMK examples for PolicyEngine (#1039)

* Updated to include CMK and Tags

* Fixed issues

* Added required packages

* Added and fully tested ability to add tags and CMK to PolicyEngine

---------

Co-authored-by: Andy Hall <hllaah@amazon.com>

* fix(02-usecases): memory role and dependency changes (#1040)

* A2a (#1041)

* code changes

* changes

* fix(02-usecases): monitor agent fix (#1042)

* code changes

* changes

* error

* Fixing cdk stack with missing cdk lib folder and interceptor's lambda (#1036)

* added full example of enterprise mcp platform with policy engine mcp server filtering based on user_tag, guardrail for PII data

* fixed linting

* fixed linting

* fixing lint

* fixing lint

* fixing ruff

* FIXING RUFF

* fixing ruff

* fixed stack
added missing lib files

* fixing ruff

* fixing ruff

---------

Co-authored-by: brnaba-aws <brnaba@amazon.com>

* Bump starter toolkit to 0.3.2 in customer support agent (#1048)

* Bump starter toolkit to 0.3.2 in customer support agent blueprint

Picks up improved error messages for auth failures during agent
invocation (friendly re-login guidance instead of raw tracebacks).

* Update uv.lock after uv sync with starter toolkit 0.3.2

---------

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* feat: Add AgentCore Gateway with EntraID 3LO authentication example (#1044)

* feat: Add AgentCore Gateway with EntraID 3LO authentication example

CDK-based example demonstrating AgentCore MCP Gateway with:
- EntraID inbound JWT authentication (CIAM and standard tenants)
- Outbound 3LO (three-legged OAuth) for user-delegated API access
- Browser-based auth onboarding SPA for pre-authorizing access
- Response interceptor for VS Code MCP client compatibility
- Automated setup script for EntraID app registrations + AWS deployment

* fix: Address security scanner findings from PR #1044

- Fix ruff F541: remove extraneous f-prefix from strings without placeholders
- Fix bandit B310 / semgrep dynamic-urllib: validate URL scheme is https://
  before calling urlopen, add nosec comments for audited calls
- Fix detect-secrets: add pragma allowlist comments for false positives on
  password generation and secret extraction (no actual secrets in code)
- Fix checkov CKV_OPENAPI_4: add global security field to OpenAPI spec

---------

Co-authored-by: Robert Hoffmann <rho@amazon.de>

* Async agent tutorial (#1009)

* adding async example

* uploading to s3 properly

* fixed chart formatting

* adding Dockerfile to gitignore and cleaning up ECR delete

* adding name to contributors list

* addressing git comments

* addressing comments

* moving files to folder

---------

Signed-off-by: Nadhya Polanco <65464569+nadhya-p@users.noreply.github.com>
Co-authored-by: nadhyap <nadhyap@amazon.com>

* fix(02-usecases): The MCP server must bind to 0.0.0.0 to allow the gateway to connect (#1022)

The MCP server must bind to 0.0.0.0 to allow the gateway to connect

Signed-off-by: Joachim Aumann <aumannjoachim@gmail.com>

* fix(02-usecases): Update FastMCP host address to 0.0.0.0 (#1024)

* Update FastMCP host address to 0.0.0.0

Change the host address for FastMCP from 127.0.0.1 to 0.0.0.0 to allow external connections.

Signed-off-by: Joachim Aumann <aumannjoachim@gmail.com>

* fixed deployment bug of hello world container

---------

Signed-off-by: Joachim Aumann <aumannjoachim@gmail.com>

* fix(05-blueprints): Pin chardet < 6.0.0 in customer support agent (#1051)

chardet 6.x introduced breaking changes. Pin to >= 3.0.2, < 6.0.0
to ensure compatibility. Also adds missing src/__init__.py.

Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>

* Multitenant platform demo (#859)

* Multitenant platform demo

* linting fixes

* fix(multitenant-agentic-platform): Improve security and configuration flexibility

- Fix typo in README ("cusotm" → "custom")
- Replace hardcoded AWS region with environment variable support in main.py
- Refactor calculator tool to use AST-based safe evaluation instead of regex validation
- Add support for unary operators and improve operator/function/constant whitelisting
- Update database-query tool to use environment variables for RDS configuration
- Add AWS_REGION environment variable support to email-sender tool
- Update deploy.sh with improved deployment configuration handling
- Enhance frontend index.html with better error handling and user feedback
- Improves security posture by eliminating eval() usage and hardcoded credentials
- Enables flexible multi-region deployments through environment configuration

* fix(multitenant-agentic-platform): Remove redundant agent runtime ID validation

- Remove unnecessary validation check for agent_runtime_id in delete_agent handler
- Simplify error handling flow by eliminating duplicate validation logic
- Agent runtime ID is already validated in prior steps, making this check redundant

* docs(multitenant-agentic-platform): Add security considerations and warnings

- Add comprehensive Security Considerations section to README documenting API key exposure risks
- Document suitable use cases (demos, development, internal tools) and production recommendations
- Add security warnings to config_injector Lambda handler with alternative authentication approaches
- Update deployment documentation with security notes about client-side API key embedding
- Pass account_id and region parameters to DatabaseConstruct and MessagingConstruct for improved configuration
- Add security reminders in frontend development section referencing production deployment guidance
- Clarify that current implementation is suitable for demos and internal use only, not production

* fix(multitenant-agentic-platform): Add API key headers to frontend requests and improve security documentation

- Add 'x-api-key' header to all axios requests in frontend (delete, post, get operations)
- Update README security note to emphasize not embedding long-lived credentials in public files
- Recommend authenticated callers (Cognito/IAM/JWT) or backend proxy/BFF for production
- Clarify config.js generation to exclude API Gateway keys from public configuration
- Fix deploy.sh region comment from us-west-2 to us-east-1
- Remove emoji from deploy.sh output for better compatibility
- Refactor query parameter and body parsing in async_deploy_agent handler for clarity
- Add environment variable definitions for DynamoDB table names in build_deploy_agent handler
- Ensure consistent API authentication across all frontend API calls for improved security

* docs(multitenant-agentic-platform): Remove security limitations section from README

- Remove detailed API key exposure warnings and limitations documentation
- Remove suitable use cases section for demonstration deployments
- Remove production recommendations for authentication mechanisms
- Simplify README by consolidating security guidance into main documentation

* fix(multitenant-agentic-platform): Enforce required environment variables and optimize DynamoDB queries

- Replace optional environment variable defaults with required configuration in build_deploy_agent handler
- Add validation to fail fast if AGENT_CONFIG_TABLE_NAME or AGENT_DETAILS_TABLE_NAME are not set
- Add AGGREGATION_TABLE_NAME validation in infrastructure_costs handler with clear error messaging
- Optimize DynamoDB scan operations to use server-side FilterExpression instead of client-side filtering
- Add ProjectionExpression to reduce data transfer and improve query performance in token_usage handler
- Use ExpressionAttributeNames to handle reserved words (timestamp) in DynamoDB queries
- Improve configuration reliability by ensuring all Lambda functions have required environment variables set before execution

* fix(multitenant-agentic-platform): Remove unused import from token usage handler

- Remove unused boto3.dynamodb.conditions Attr import
- Simplify handler.py by eliminating unnecessary dependency
- Reduce code clutter and improve maintainability

* fix(multitenant-agentic-platform): Update agent template naming and enhance token limit validation

- Rename base-agent.py to main.py in agent-tools-repo templates for consistency
- Update documentation references to reflect new template filename
- Add Attr import from boto3.dynamodb.conditions for improved query filtering
- Enhance check_token_limit function with configurable fail-closed behavior via FAIL_CLOSED environment variable
- Add get_tenant_id_from_agent function to look up tenant ID from agent details table, preventing token limit bypass
- Improve error handling in token limit checks with detailed logging for fail-closed vs fail-open modes
- Add documentation notes explaining fail-open default behavior and fail-closed option

* Update guardrails memory sample notebook (#995)

* feat: Update guardrails memory sample notebook

* chore: Clear execution counts and outputs from notebook

* sample update(memory): Simplify memory integration using AgentCoreMemorySessionManager

Replace custom MemoryHookProvider implementation with built-in
AgentCoreMemorySessionManager. Key changes:
- Use AgentCoreMemoryConfig with AgentCoreMemorySessionManager
- Remove custom hook implementation (on_agent_initialized, on_message_added)
- Update documentation based on model usage in code from Claude 3.7 Sonnet to Claude Haiku 4.5
- Simplify session handling with automatic reinitialization
- Update documentation to reflect recommended approach

* fix(notebook): Configure memory mode and inject memory_id to prevent runtime failures

configure() defaults to memory_mode="NO_MEMORY", so the auto-created
execution role has no memory IAM permissions — causing ListMemoryEvents
failures at runtime. Additionally, the toolkit doesn't know about the
manually-created memory resource, so it provisions a duplicate on launch.

Fix: Set memory_mode="STM_ONLY" in configure() and inject the existing
memory_id into .bedrock_agentcore.yaml before launch(). Both issues only
exist because the tutorial manually creates resources that the toolkit
normally manages end-to-end.

* cleaned execution count

* Cleared cell outputs

---------

Co-authored-by: subhakl <subhakl@amazon.com>

* Correct role and content retrieval in message processing (#499)

Signed-off-by: fllaneza <44783676+fllaneza@users.noreply.github.com>

* Add Episodic Memory Strategy Tutorial (#855)

* feat: add episodic memory tutorial README

* feat: add code debugging assistant implementation

* feat: add architecture diagram

* docs: add episodic strategy to overview

* docs: add contributor

* fix: update episodic memory API for reflectionConfiguration

- Change reflectionNamespaces to reflectionConfiguration.namespaces
  (API structure changed in bedrock-agentcore SDK)
- Fix namespace validation: reflection namespace must be same as
  or prefix of episodic namespace
- Update get_namespaces() to read from new nested structure
- Add code-assistant.py standalone script version

* fix: move imports to top of file for linting compliance

- Consolidate all imports at module top (E402 fix)
- Remove unused List import from typing (F401 fix)
- Maintain alphabetical ordering of imports

* style: apply ruff formatting

* feat: Replace debugging use case with Meeting Notes Assistant

Changes based on reviewer feedback that debugging examples already exist
in the repository (debugging-agent and healthcare-assistant).

New implementation:
- Meeting Notes Assistant with episodic memory
- Tools: capture_action_item, identify_decision, summarize_discussion, track_followup
- Tracks decisions, action items, and participant preferences across meetings
- 6 test scenarios demonstrating meeting management patterns
- End-to-end tested with AWS Bedrock (all tools working)
- Security audit passed, linting verified

Files changed:
- Renamed: code-assistant.py → meeting-notes-assistant.py
- Renamed: code-assistant.ipynb → meeting-notes-assistant.ipynb
- Updated: README.md with meeting-specific documentation

This use case is unique and not duplicated in existing samples.

Addresses feedback from @akshseh in PR comment.

* refactor: move episodic tutorial to long-term-memory/strands-hooks folder

Address reviewer feedback:
- Move from 06-episodic-strategy/ to 02-long-term-memory/01-single-agent/using-strands-agent-hooks/meeting-notes-assistant-using-episodic/
- Update architecture diagram to match repo template style
- Update parent README table reference

* fix: update architecture diagram

* fix: address reviewer feedback from @akshseh

- Remove .gitignore (*.pptx entry not needed)
- Pin versions in requirements.txt (bedrock-agentcore>1.4, strands-agents>=0.1.0, boto3>=1.42.1)
- Convert cell_0 from code cell with docstring to markdown cell
- Add blank line after H2 heading in cell_5 to fix bullet formatting
- Fix event_expiry_days comment: clarify it is STM TTL, not for long-term episodic strategy
- Add reflection extraction timing note (~10-15 mins) in seed cell
- Format meeting-notes-assistant.py with black

* Update AgentCore Memory tutorials with new SDK patterns (#1003)

* feat(memory-tutorials): Enhance AgentCore Memory tutorials with SDK migration and advanced features

- Migrate from MemoryClient to MemorySessionManager and MemorySession
- Update from tuple-based messages to ConversationalMessage objects
- Add session-based operations eliminating repetitive parameters
- Implement conversation branching with fork_conversation()
- Add metadata tracking with StringValue and EventMetadataFilter
- Update all three notebooks: math-assistant, customer-support, customer-support-memory-manager
- Add comprehensive ENHANCEMENT_SUMMARY.md documenting all changes

This update showcases the full capabilities of AgentCore Memory including:
- Session management with MemorySessionManager
- Memory hooks for automatic storage/retrieval
- Conversation branching for alternative paths
- Metadata tagging for analytics and filtering
- Practical use cases for math tutoring and customer support

All notebooks tested and validated with syntax checks and feature verification.

* docs: Add arunskum to CONTRIBUTORS.md

* docs: Remove ENHANCEMENT_SUMMARY.md file

* feat(memory): Update AgentCore Memory tutorials with latest SDK patterns

- Migrate from MemoryClient to MemorySessionManager and MemorySession
- Replace tuple-based messages with ConversationalMessage objects
- Implement session-based operations (add_turns, search_long_term_memories)
- Add conversation branching with fork_conversation and list_branches
- Add metadata tracking with StringValue and EventMetadataFilter
- Update all three notebooks: math-assistant, customer-support, customer-support-memory-manager
- Fix imports: StringValue and EventMetadataFilter now from bedrock_agentcore.memory.models

These changes showcase the enhanced AgentCore Memory capabilities including:
- Session-based memory management for cleaner API
- Advanced retrieval with RetrievalConfig
- Conversation branching for alternative paths
- Metadata tagging and filtering for event tracking

* refactor(memory): Split customer support tutorial into built-in vs custom strategies

Deleted legacy MemoryClient notebook, renamed memory-manager to override-strategy, created new inbuilt-strategy notebook, added comparison sections to both

* fix(memory): Correct StringValue and Event attribute usage in notebooks

Fixed 3 issues identified by reviewer:

1. Changed StringValue() to StringValue.build() (30 occurrences)
   - Correct usage: StringValue.build('value')
   - Fixed in all metadata creation sections

2. Changed .event_id to .eventId (3 occurrences)
   - Correct attribute: event.eventId
   - Fixed in all branching sections

3. Validated changes with syntactic tests

Changes span 3 notebooks:
- customer-support-inbuilt-strategy.ipynb
- customer-support-override-strategy.ipynb
- math-assistant.ipynb

All fixes follow the pattern demonstrated in reviewer's successful test output.

* fix: Fix metadata_filter bug, migrate math-assistant to MemoryManager, remove test scripts

- Fix list_events() calls to use eventMetadata parameter instead of
  invalid metadata_filter in all 3 notebooks
- Migrate math-assistant from legacy MemoryClient to MemoryManager
- Switch math-assistant from CustomSemanticStrategy to built-in
  SemanticStrategy (no IAM execution role required)
- Remove CUSTOM_PROMPT cell and ROLE_ARN placeholder from math-assistant
- Remove test scripts, migration scripts, and cleanup utilities

* fix: Update config and runtime MCP agent code for SRE workshop lab 04 (#1055)

* Update config and runtime MCP agent code for SRE workshop lab 04

* Fix ruff lint errors: remove unused imports and f-string prefixes

---------

Co-authored-by: name <alias@amazon.com>

* Feat/databricks per user delegation (#1058)

* feat: Agent & Gateway Registry blueprint

A platform for managing AI agents and MCP tools across an organization.

- Registry: CRUD for agents (A2A, MCP, Agent-as-Tool protocols)
- Gateway management: overview, tools, clients & access, Cedar policies
- Tool composition via Cedar permit-only policies
- Agent discovery API for agent-to-agent communication
- Multi-IdP support (Cognito/EntraID auto-detected)
- AgentCore Identity for agent workload auth
- One-click deploy: CloudFormation + App Runner + DynamoDB

* feat: Databricks per-user delegation via Gateway interceptor + RFC 8693

* feat(memory): add memory streaming tutorial (#1064)

* Add ECS Fargate 3LO tutorial (#1005)

* Add ECS Fargate 3LO tutorial

Fixes #<issue-number>

Co-authored-by: tnickl <tnickl@users.noreply.github.com>
Co-authored-by: satveerkhurpa <satveerkhurpa@users.noreply.github.com>

* fix: scanning results

* feat: WAF integration
Co-authored-by: tnickl <tnickl@users.noreply.github.com>

* docs: inbound & outbound auth
Co-authored-by: tnickl <tnickl@users.noreply.github.com>

---------

Co-authored-by: tnickl <tnickl@users.noreply.github.com>
Co-authored-by: satveerkhurpa <satveerkhurpa@users.noreply.github.com>

* Add async data analysis agent tutorial (#1059)

- Move async data analysis files to 02_async_data_analysis subfolder
- Fix semgrep issue: add __name__ guard to app.run()
- Add contributors from original PR #857

Co-authored-by: Gan Luan <ganluannj@users.noreply.github.com>

* feat: add Auth0 multi-agent RFC 8693 token exchange sample (#1071)

Adds a production-grade reference implementation demonstrating RFC 8693
Token Exchange in a multi-agent system on AWS Bedrock AgentCore Runtime.

The coordinator agent exchanges the user's Auth0 JWT for attenuated,
least-privilege tokens before invoking each sub-agent — implementing
scope attenuation across a 3-agent financial services system.

Key features:
- OAuth 2.0 PKCE login flow via Auth0
- RFC 8693 Token Exchange with per-agent scope policies
- 3 agents: coordinator, customer_profile, accounts
- Streamlit web UI with JWT viewer and API call log
- AWS Secrets Manager integration
- OpenTelemetry observability
- Shell script and CDK deployment options
- Unit test suite

* Add AgentCore Policy integration for healthcare appointment agent (#1028)

* Updated reference code to match Policy for AgentCore blog sample

* fix: address scan findings, lint, and security improvements

Scan findings (HIGH):
- README.md: Add Introduction, Prerequisites, Cost Warning, Conclusion,
  Complete Cleanup sections; fix multi-action step; use full AWS service names
- setup_cognito_claims.py: Use full AWS service names; remove possessive form
- setup_policy.py: Fix incorrect docstring hours (8-17 → 9 AM-9 PM UTC)
- test_policy.py: Replace forbidden term 'execute' with 'run'
- patient.json: Rename 'Richard Doe' to approved fictitious name 'Jane Doe'

Security:
- Use HTTP Basic Auth for OAuth token requests (RFC 6749)
- Implement AWS Secrets Manager for client secret retrieval with
  auto-caching fallback to Amazon Cognito API
- Validate subprocess script path before execution

Code quality:
- Remove fragile DENIAL_PHRASES list; use deterministic tool visibility
  checks and gateway policy denial detection instead
- Fix all ruff check errors (F401, F541, F841)
- Apply ruff format to all changed Python files
- Updated test_output.txt with clean end-to-end run

---------

Co-authored-by: Anil Nadiminti <anilnadi@amazon.com>

* Usecase/lakehouse agent enhance (#1006)

* temp

* Token exchange

* README.md

* Adding column-level access control

* Fixed S3 bucket creation outside us-east-1

* After dry-run testing

* Cleanup

* Rollback unnecessary change

* Rollback unnecessary change

* Rollback unnecessary change

* Added Architecture diagram and tested / fixed notebooks 01-03

* Fix aws path and invalid notebook for 06

* Securing the code

* Fixed the error - Error executing secure Athena query: Query failed: COLUMN_NOT_FOUND: Column 'adjuster_user_id' cannot be resolved or requester is not authorized

* Added scenarios, updated README and enhanced Architecture diagram to show latest changes

* Clarify deletion of Dynamodb table in the cleanup step

* Updated readme with scenario screenshots, added masking for PII for adjuster with wildcard exclude list

* Completed end to end testing for all scenarios

* Updated README and added Dockerfile to gitignore

* Updated README to remove Production Ready clause

* Fixed Pylint issues - f-string with no placeholders and empty except

---------

Co-authored-by: Gi Kim <giryoong@amazon.com>
Co-authored-by: Sunita Koppar <skoppar@amazon.com>

* fix(02-usecases): delete site reliability workshop (#1081)

* fix(tutorials): Fix missing imports, update_agent_runtime params, and asyncio.run in notebooks (#1086)

- Fix UpdateAgentRuntime calls to include required params (agentRuntimeArtifact,
  roleArn, networkConfiguration) using get_agent_runtime read-modify-write pattern
- Fix wrong entrypoint filenames in lifecycle demo cells (langgraph, openai, crewai)
- Fix wrong requirements_file path in crewai lifecycle demo cell
- Add missing imports (Session, os, Runtime, json, Markdown) in notebook cells
- Replace asyncio.run() with await in notebook cells (Jupyter compatibility)
- Add missing setup_cognito_user_pool import in hosting_mcp_server notebook
- Add ResourceNotFoundException comment in cleanup cells
- Add Test-Downloads/ to .gitignore

* chore: remove agent-gateway-registry blueprint (#1092)

* Add WebRTC voice agent sample with KVS TURN servers (#1096)

Minimal example demonstrating WebRTC audio streaming with AWS Nova Sonic
via KVS TURN servers, deployable to AgentCore Runtime.

- FastAPI agent with aiortc for WebRTC peer connections
- Nova Sonic bidirectional streaming for speech-to-speech
- Browser client supporting both local and AgentCore Runtime modes
- KVS signaling channel for TURN/STUN server credentials
- Audio resampling (16kHz input, 24kHz output) via PyAV

* Consolidating IDP examples under tutorials for better organization (#1112)

* Fix wording typo in notebook about user consent flow

cosmetic update

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Add pyyaml to requirements.txt

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Add HardikThakkar94 to CONTRIBUTORS.md

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Updates to fix the Streamlit app access when running in sagemaker

Modified
- Requirements.txt (added dependencies)
- chatbot_app_cognito.py (added get_streamlit_url, for sagemaker access)
- runtime_with_strands_and_egress_3lo.ipynb (streamlit piece for access url, cosmetic updates)

* Fixing Ruff errors reported by python-lint

* removing Ruff errors from python-lint

* passing 3.7 as the model for workshop

* Docs: add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook

* Revert "Docs: add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook"

This reverts commit 5dded4c38a.

* Add prerequisites (OpenAI or Azure OpenAI) cell to Outbound Auth notebook

* cosmetic fix

* Updating OpenAI URL

* Added instructions on the OAuth flow session binding and Streamlit functionality

* All imports are now properly organized at the top of the file, following Python best practices (PEP 8). The linting errors should now be resolved:
  -  runtime.py:18:1: E402 - Fixed
  -  runtime.py:19:1: E402 - Fixed
  -  runtime.py:19:20: F811 - Fixed
  -  runtime.py:25:1: E402 - Fixed

* formatting fixed

* Update Identity Outbound tutorial notebooks with corrections and improvements:
1. 05-Outbound_Auth_3lo notebook: Fixed credential provider name typo
2. 06-Outbound_Auth_Github notebook: Multiple improvements including:
    - Updated description text for GitHub-specific use case
    - Reorganized imports (moved to top of cell)
    - Added boto session and region setup
    - Reordered OAuth flow description
    - Restructured notebook sections (removed redundant policy section, added clearer status check and invoke sections)
    - Fixed credential provider name reference

* Fixed Identity Sections based on SageMaker (Workshop) to handle oauth2_callback_server and other cosmetic updates.

* Remove unused import and added permissions for 1st time model access for workshops

* formatting fixed.

* parameterize provider, update github image.

* added import boto3 and updated image for GitHub Session Binding

* Update Model and Remove Global Var

* Travel and Shopping concierge agents blueprints

* add missing contributors for the blueprint

* fix python-lint errors

* CodeQL fixes and config

* fix python-lint unused imports

* fix python-lint

* fix linter and cql issues

* run linter

* update codeql suppressions

* suppress codeql

* Revert accidental changes to 01-tutorials and 03-integrations

Remove files accidentally added to 01-tutorials and 03-integrations in previous commits.
These changes were not intended to be part of the blueprint additions.

Reverted files:
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/.dockerignore
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/Dockerfile
- 01-tutorials/03-AgentCore-identity/06-Outbound_Auth_Github/github_agent.py
- 03-integrations/IDP-examples/EntraID/.agentcore.json
- 03-integrations/IDP-examples/EntraID/.dockerignore
- 03-integrations/IDP-examples/EntraID/Dockerfile
- 03-integrations/IDP-examples/EntraID/strands_entraid_onenote.py

* fix formatting

* Update 05-blueprints/shopping-concierge-agent/tests/utils.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* removed tests folders.

* remove info logging

* remove logging

* codeql suppressions

* Update server.py

# codeql[py/clear-text-logging-sensitive-data] Debug logging for certificate verification - logs metadata only, not private key content

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Updating .gitignore and adding lib folder required for the shopping and travel concierge agents

* Add Demo video for agents

* Update demo section in README.md

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>

* Add Demos as Gif, update LFS and add note in ReadMe

* remove the .mp4 files as they are not supported

* change to google products and remove travel specific

* update product link

* fix url in shopping list and purchases

* remove amazon

* Add Visa B2B Use Case

* fix pylint

* CodeQL Fixes

* Consolidating IDP examples under tutorials for better organization

---------

Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
Co-authored-by: HT <hardikvt@amazon.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* adding/changing mcp samples - server and client (#1089)

* adding/changing mcp samples - server and client

* adding/changing mcp samples - server and client

* adding exec command

* chore(e2e-workshop): refactor workshop to add framework subfolders (#1120)

* chore(e2e-workshop): refactor workshop

* docs: update readme

* fix(05-entraid-3lo-gateway): rename lib/ to infra/ to avoid root .gitignore exclusion (#1057)

The root .gitignore has a blanket `lib/` rule for Python packaging that
was preventing lib/cdk-stack.ts from being tracked by git. Renamed the
directory to infra/ which is not caught by any ignore rule.

Also fixes README.md references from `cd cdk-entraid` to the actual
directory name `05-entraid-3lo-gateway`.

Changes:
- Rename lib/ -> infra/ for the CDK stack source
- Update import path in bin/cdk.ts
- Fix cd path in README.md Quick Start instructions

Co-authored-by: Robert Hoffmann <rho@amazon.de>

* Add barge-in support, user transcription, and VPC setup docs (#1117)

- Implement barge-in per Nova Sonic spec (mute flag + FIFO clear in OutputTrack)
- Detect interruption from textOutput for reliable barge-in in deployed environments
- Add user speech transcription via contentStart role tracking
- Add VPC setup console instructions to README

* fix(05-entraid-3lo-gateway): remove securitySchemes from OpenAPI spec to fix CDK deploy (#1137)

* fix(05-entraid-3lo-gateway): rename lib/ to infra/ to avoid root .gitignore exclusion

The root .gitignore has a blanket `lib/` rule for Python packaging that
was preventing lib/cdk-stack.ts from being tracked by git. Renamed the
directory to infra/ which is not caught by any ignore rule.

Also fixes README.md references from `cd cdk-entraid` to the actual
directory name `05-entraid-3lo-gateway`.

Changes:
- Rename lib/ -> infra/ for the CDK stack source
- Update import path in bin/cdk.ts
- Fix cd path in README.md Quick Start instructions

* fix(05-entraid-3lo-gateway): remove securitySchemes from OpenAPI spec to fix CDK deploy

---------

Co-authored-by: Robert Hoffmann <rho@amazon.de>

* docs(01-tutorials): update readmes (#1121)

* docs(01-tutorials): update readmes

* docs: update readmes

* docs: update readme links & resources

* feat(memory): Add AgentCore Memory cross-region replication tutorial (#1138)

* Add AgentCore Memory cross-region replication tutorial

Add tutorial 06-memory-cross-region-replication under advanced patterns.
Demonstrates active-passive cross-region replication for AgentCore Memory
using the memory record streaming feature with near real-time failover.

Includes:
- Jupyter notebook with step-by-step walkthrough
- CloudFormation templates for regional and global infrastructure
- Lambda consumer for Kinesis-based replication
- Failover/failback toggle scripts
- Loop prevention via namespace prefixing

* Address PR review: add arch diagram, fix memory ID lookup

- Replace ASCII architecture diagram with proper AWS diagram (images/architecture.png)
- Fix notebook Step 2: memory IDs are now stored in DynamoDB config table by
  deploy.sh and read back by the notebook, replacing the broken list_memories
  scan that searched for 'replication_memory' in the opaque memory ID
- deploy.sh Step 6 now seeds MEMORY_ID_PRIMARY and MEMORY_ID_SECONDARY
  alongside ACTIVE_REGION

Note: AgentCore Memory is intentionally created via CLI in deploy.sh (not CFN)
because the streaming config is toggled at runtime during failover/failback —
CFN would drift-correct it back.

* Rename folder, fix ruff formatting on handler.py

* fix(e2e-workshop): fix gateway race condition and model_id typo in lab-03 (#1146)

- Add time.sleep(3) after gateway creation in Step 5 to prevent Step 6
  from failing with CREATING status when cells run in quick succession
- Remove extra trailing quote from model_id that caused SyntaxError

Fixes #1145

* fix(e2e-workshop): make zip install portable and conditional in prereq.sh (#1144)

Replace hardcoded `sudo apt install zip` with cross-platform detection:
- Check if zip is already installed before attempting install
- Detect package manager (apt-get, yum, dnf, brew)
- Use sudo only when not running as root
- Fail with clear message if no supported package manager is found

Closes #604

* chore: fix iam policy path (#1153)

* docs(01-tutorials): update readmes

* docs: update readmes

* docs: update readme links & resources

* fix: fix the IAM policy path

* fix(05-entraid-3lo-gateway): fix OpenAPI schema security validation for CDK deploy (#1141)

Co-authored-by: Robert Hoffmann <rho@amazon.de>

* feat: sample that shows how to deploy agentcore runtime in VPC (#683)

* feat(runtime_in_vpc): initial

* fix: moved to advanced concepts

* AgentCore runtime bidi agent sample update - refined folder structure and more samples (#1160)

* agentcore runtime bidi streaming add strands sample

* agentcore runtime bidistream sample update for Nova Sonic 2

* agentcore bidi streaming sonic 2 update cleanup python file

* update IMDS comments

* reformat the python file using ruff

* sonic sample update to use default port 8080

* agentcore runtime bidi streaming update to sonic2 with text input update

* remove unused reference

* remove spaces

* update agentcore bidi streaming UIs to include text input, event filter and barge-in

* agentcore voice agent sample with more samples and refined folder structure

* update diagram

* update reference links

* resolve github warnings

* remove temp json

* resolve github warnings

* resolve github warnings

* resolve github warnings

* resolve github warnings

---------

Signed-off-by: Lana Zhang <lanaz@amazon.com>

* Spring ai agentcore samples (#1119)

Added sample Spring and Embabel based agents

* fix:add missing agents/ directory and requirements.txt (#1165)

* adding managed session storage (#1169)

* adding managed session storage

* adding managed session storage/ fix lint

* Adding End-to-End Customer Support Agent with AgentCore using Google ADK (#1164)

* feat(e2e): Add Google ADK end-to-end tutorial with AgentCore

Add 6-lab workshop covering agent creation, memory, gateway,
runtime deployment, frontend, and cleanup using Google ADK
with Amazon Bedrock AgentCore services.

* docs(e2e): Update Google ADK README and remove duplicate

Replace placeholder README with full tutorial content and remove
the 'README copy.md' duplicate file.

* docs(e2e): Add Google ADK to README title

* style(e2e): Capitalize README title consistently

* docs: Add Diego Brasil to CONTRIBUTORS

* chore(e2e): Remove images-og_do_not_commit directory

Remove original source images that were not intended for version control.

* fix: Use importlib for dynamic import and clean up linting issues

* feat(e2e): Set Cognito MFA to OPTIONAL and clean up inline comment

---------

Signed-off-by: Akarsha Sehwag <akshseh@amazon.de>
Co-authored-by: Akarsha Sehwag <akshseh@amazon.de>

* feat(runtime): Add AG-UI examples with SSE and WebSocket demos (#1139)

* feat(runtime): Add AG-UI examples with SSE and WebSocket demos

Add tutorial 09-ag-ui-examples demonstrating the AG-UI protocol on
AgentCore Runtime with both Cognito/JWT and IAM/SigV4 authentication.

Includes:
- Document co-authoring agent (FastAPI + Strands + ag-ui-strands)
- Cognito notebook with SSE and WebSocket Bearer token demos
- IAM notebook with SSE (SigV4 headers) and WebSocket (pre-signed URL) demos
- Multi-turn interactive document co-authoring demo
- Architecture diagrams for both auth flows and transports
- README with AG-UI event reference and troubleshooting

* feat(runtime): Add AG-UI protocol examples as tutorial 10

- Rename 09-ag-ui-examples to 10-ag-ui-examples (09 slot taken by execute-command)
- Remove hardcoded region_name=us-west-2 from BedrockModel, inherit from env
- Use DP variable for both SSE_URL and WS_URL consistently
- Regenerate architecture diagrams: single agent with tool boxes, proper auth flow
- Improved event flow as full flowchart with color-coded event categories

* fix(runtime): Fix diagram edge labels overlapping with lines

Use ortho splines and increased node spacing to prevent edges
cutting through label text in architecture diagrams.

* fix(runtime): Remove duplicate task label on Tool 2 edge to prevent overlap

* fix(runtime): Place single 'tasks' label between tool boxes in diagrams

* fix(runtime): Suppress bandit B104 for container bind to 0.0.0.0

* feat(runtime): Switch to direct_code_deploy, remove Docker/ECR dependency

- Use deployment_type=direct_code_deploy with runtime_type=PYTHON_3_13
- Remove auto_create_ecr from configure()
- Remove ECR cleanup from both notebooks
- Remove Docker from prerequisites

* refactor(runtime): Switch to direct_code_deploy, trim requirements, remove review cell

- Use direct_code_deploy with PYTHON_3_13 runtime type
- Trim requirements.txt to 5 essential packages
- Remove Review Agent Code section from both notebooks
- Install zip via sudo apt-get for SageMaker Studio compatibility
- Renumber notebook sections

* chore(runtime): Rename AG-UI examples from 10 to 11

* fix(ag-ui): Address PR #1139 review comments

- Simplify status check block to single status query
- Add markdown cell explaining utils.py helper (cognito notebook)
- Remove authorizer print line from verify cells

* docs: add migration guide from Starter Toolkit to AgentCore CLI (#1195)

* feat(tutorials): #1128 Add Strands agent with AgentSkills plugin tutorial (#1131)

* feat(tutorials): Add Strands agent with AgentSkills plugin tutorial

* docs(contributors): Update contributors list

* lint fix

* docs(tutorials): Add architecture diagram to Strands agent skills tutorial

* chore(tutorials): Reorganize strands-with-skills tutorial to 06-strands-with-skills

---------

Signed-off-by: Rajesh Sitaraman <rajesh.sitaraman@outlook.com>
Co-authored-by: Rajesh Sitaraman <rajeshrd@amazon.com>

* Fix/session binding url (#1190)

* fix: session binding url

* fix: architecture

* fix: remove oauth callback service

* fix: docstrings

* fix: remove requirements.txt

* fix: remove cdk context

* fix: flow outbound auth flow diagram

* fix:session binding url

* style: format python files with ruff

* Replace Starter Toolkit with AgentCore CLI in README (#1196)

* feat: add Chrome enterprise policies and custom root CA tutorial for AgentCore Browser (#1220)

Add tutorial notebook demonstrating two new AgentCore Browser features:
- Chrome enterprise policies (managed/recommended) for URL filtering,
  download restrictions, and browser feature controls
- Custom root CA certificates via AWS Secrets Manager for connecting
  to internal services and SSL-intercepting proxies

Includes badssl.com demo for root CA using Code Interpreter.

Co-authored-by: Sundar Raghavan <sdraghav@amazon.com>

* Add use case: Integrate Claude Code with AgentCore Gateway MCP Server (#1225)

* Initial push of claude-code-with-mcp-server sample code

* Added tavily MCP Server

* Update 01-claude-code-with-mcp-server.ipynb

* Added details on how to list MCP Tools

* Update 01-claude-code-with-mcp-server.ipynb

* Semantic updates in wording

* Cosmetic Fixes

* Update 01-claude-code-with-mcp-server.ipynb

* Added Claude Code screenshots to show AgentCore Gateway connection

* Improved documentation of the notebook

* Added Solution Architecture

* Fixed post Gili code review

* Fixes after Gili Code Review Comments

* Code fixes after gili code Review Comments

* Fixes after Gili code review comments

* Update CONTRIBUTORS.md

* Create README.md

* Fixes in the code after ruff check run

* Fixes in the notebook code after ruff check run

* Fixed Security Scan Results bugs

* Update README.md

* Adding Getting Started sample (#1228)

* Adding getting started with AgentCore CLI example

* Adding getting started with AgentCore CLI example

* Adding getting started with AgentCore CLI example

* Groundtruth evaluations (#1229)

* Add groundtruth-based evaluations tutorial

* updating README

* drop .py script, agent script is created at notebook runtime

* custom code based evaluators (#1231)

* custom code based evaluators

* feat: token exchange example with real setup with different client ids to authenticate calls to AgentCore Gateway and API Gateway (#1234)

* Feature/datadog llm observability tutorial (#1097)

* feat: Add Datadog observability integration for AgentCore Runtime

Original Datadog partner observability integration by jasonmimick-aws.
Includes notebook, requirements, .gitignore, and README updates.

Co-authored-by: jasonmimick-aws <jasonmimick@users.noreply.github.com>

* feat: Add Datadog LLM Observability notebook with OTLP export

Replace initial notebook with LLM Observability-focused tutorial.
Uses OpenTelemetry OTLP export directly to Datadog (no Agent required).
Add llm-obs-example.png screenshot to shared images folder.

* chore: Flatten Datadog structure, fix paths, add kolaak to CONTRIBUTORS

- Remove llm-observability/ subfolder, move contents to Datadog/ root
- Fix notebook image paths for flattened directory structure
- Replace Datadog APM link with LLM Observability docs link
- Add kolaak to CONTRIBUTORS.md

---------

Signed-off-by: kolaak <kolaak@amazon.com>
Co-authored-by: jasonmimick-aws <jasonmimick@users.noreply.github.com>

* feat(01-tutorials): auth code flow examples agentcore gateway (#1250)

* Add memory for process tracking and analytics advanced pattern (#1094)

* Add memory for process tracking and analytics advanced pattern

* Update notebook: shows dynamic namespace querying, and dynamic code analysis

* Update notebook: add architecture diagram

* Move to 07-memory-for-hyper-personalisation, add cross-customer analytics notebook (Part 2)

* Rename notebooks with 01/02 prefix, add arch diagram to NB2, clear outputs

* Rename folder to 07-memory-for-personalisation-and-analytics

---------

Signed-off-by: Akarsha Sehwag <akshseh@amazon.de>
Co-authored-by: smathalikunnel <smathali@amazon.co.uk>
Co-authored-by: Akarsha Sehwag <akshseh@amazon.de>

* feat(01-tutorials): Adding Amazon Bedrock AgentCore Gateway - Amazon VPC Lattice egress samples (#1247)

* egress

* coming soon labs

* coming soon labs

* cleanup

* advanced

* changes

* removing hard coded regions - user prompted instead (#1251)

* removing hard coded regions - user prompted instead

* unicode

* ruff formatting

* feat(02-usecases): Add Okta three-tier auth end-to-end demo with BedrockAgentCore Agent+AgentCore Gateway Interceptor+ Agent Runtime MCP Server (#1158)

* Add Okta three-tier auth end-to-end demo with Gateway + Agent Runtime

* Add Authorization Code grant flow for user auth and group-based RBAC enforcement to MCP Server

---------

Co-authored-by: Mallik Panchumarthy <mpanchum@amazon.com>
Co-authored-by: Velamuri <kvelamu@amazon.com>

* feat(02-usecases): Add Database Read-Only User and Update to Next.js (#1206)

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Fix front-end model call IAM permissions for charts

* Add Database Read-Only User and Update to Next.js

* Add Database Read-Only User and Update to Next.js

* Update pnpm

* Update pnpm

---------

Co-authored-by: Uriel Ramirez <beralfon@amazon.com>

* Using AgentCore Identity for OAuth token management for a self-hosted agent. (#1255)

* Adding a tutorial for self hosted agent oauth managed by Agentcore Identity

Using AgentCore Identity for OAuth token management for a self-hosted agent.

* updated contributors.md

* feat: add Browser OS-level Actions tutorial (14-BROWSER-OS-ACTIONS) (#1259)

* feat: add Browser OS-level Actions tutorial (14-BROWSER-OS-ACTIONS)

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: update sample notebook with browser os actions using boto3

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: cleaned unused imports

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: cleaned unused imports

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: ruff clean

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

---------

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* Main folder for Agent Registry assets (#1288)

* fix: correct actorId usage and namespace resolution in travel booking agent (#896)

* fix: address reviewer feedback from @akshseh on PR #896

- Replace create_memory_and_wait + exception handling with create_or_get_memory
  (SDK handles idempotency, no manual exception handling needed)
- Remove 'Ask max two questions per turn' from flight, hotel, and orchestrator
  system prompts (not needed for demo use case)

* fix: resolve notebook issues found during testing

- Fix REGION -> region variable name in memory creation cell
- Remove duplicate imports between cell_8 and cell_9
- Fix cell_11: use consistent user_actor_id='user-001' for both flight
  and hotel agents (core PR fix - actorId represents user, not agent)

* fix: use separate sub-namespaces per agent while sharing actorId

- flight agent: travel/{actorId}/flight/preferences/
- hotel agent:  travel/{actorId}/hotel/preferences/

Same user_actor_id ensures memory persists across sessions.
Separate sub-namespaces ensure flight and hotel preferences don't mix.

* fix: use single shared namespace matching strategy pattern

Both agents use travel/{actorId}/preferences/ - matches the memory
strategy namespace so extracted preferences are actually retrievable.
Semantic search differentiates flight vs hotel preferences.

Tested: preferences (Iberia, economy, morning) correctly persisted
and recalled by new agent instance in a fresh session.

* Add Registry end-to-end tutorial: Admin Setup & IAM Governance Guide (#1290)

* Add Registry end-to-end tutorial: Admin Setup & IAM Governance Guide

- Getting started notebook with full registry lifecycle (create, IAM personas, records, governance tests, search, cleanup)
- Covers MCP, A2A, and CUSTOM record types with manual approval workflow
- Requires boto3 >= 1.42.87
- Includes architecture diagram

* Update architecture diagram with latest version

* Add registry end-to-end OAuth notebook with Cognito setup

* Add 3 agent registry notebooks

* 3 notebooks for agent registry

* 3 notebooks for agent registry

* 3 notebooks for agent registry

* Fix F541: remove f-strings without placeholders

* Fix F541: remove f-strings without placeholders

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Nadhya Polanco <65464569+nadhya-p@users.noreply.github.com>
Signed-off-by: Joachim Aumann <aumannjoachim@gmail.com>
Signed-off-by: fllaneza <44783676+fllaneza@users.noreply.github.com>
Signed-off-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
Signed-off-by: Lana Zhang <lanaz@amazon.com>
Signed-off-by: Akarsha Sehwag <akshseh@amazon.de>
Signed-off-by: Rajesh Sitaraman <rajesh.sitaraman@outlook.com>
Signed-off-by: kolaak <kolaak@amazon.com>
Signed-off-by: Cristiano Scandura <scandura@amazon.com>
Co-authored-by: Ganesh Thiyagarajan <ganeshtn@amazon.com>
Co-authored-by: Evandro Franco <33328919+evandrofranco@users.noreply.github.com>
Co-authored-by: Joshua Samuel <sauhsoj@amazon.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Antonio Rodriguez <42835728+rodzanto@users.noreply.github.com>
Co-authored-by: Abhimanyu Siwach <128322948+siwachabhi@users.noreply.github.com>
Co-authored-by: Abhimanyu Siwach <siwabhi@amazon.com>
Co-authored-by: Roberto Catalano <catalanoroberto2@gmail.com>
Co-authored-by: Anthony Bernabeu <bernabeu.anthony@gmail.com>
Co-authored-by: brnaba-aws <brnaba@amazon.com>
Co-authored-by: afarntrog <47332252+afarntrog@users.noreply.github.com>
Co-authored-by: Jerad <71716360+jcengebreth@users.noreply.github.com>
Co-authored-by: Jerad Engebreth <awsjerad@amazon.com>
Co-authored-by: Bhuvan Chowdary Annamreddi <140741942+baannamr-aws@users.noreply.github.com>
Co-authored-by: jsbeardaws <jsbeard@amazon.com>
Co-authored-by: Neha Thakur <91389359+nehabthakur@users.noreply.github.com>
Co-authored-by: nehatb <nehatb@amazon.com>
Co-authored-by: rajjainl <rajjainl@amazon.com>
Co-authored-by: sierrabravo98 <73124400+sierrabravo98@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Daniel Lopes <almeidalopes@gmail.com>
Co-authored-by: Ramprasath S <ramprasathsee@gmail.com>
Co-authored-by: ramprasaths <rampsee@amazon.com>
Co-authored-by: AndyHall <314801+hllaah@users.noreply.github.com>
Co-authored-by: Andy Hall <hllaah@amazon.com>
Co-authored-by: Eashan Kaushik <50113394+EashanKaushik@users.noreply.github.com>
Co-authored-by: Robert Hoffmann <robert@its-hoffmann.net>
Co-authored-by: Robert Hoffmann <rho@amazon.de>
Co-authored-by: Nadhya Polanco <65464569+nadhya-p@users.noreply.github.com>
Co-authored-by: nadhyap <nadhyap@amazon.com>
Co-authored-by: Joachim Aumann <aumannjoachim@gmail.com>
Co-authored-by: Mizer <55321188+amizer12@users.noreply.github.com>
Co-authored-by: subhakl <subha.kalia4@gmail.com>
Co-authored-by: subhakl <subhakl@amazon.com>
Co-authored-by: fllaneza <44783676+fllaneza@users.noreply.github.com>
Co-authored-by: Amit Lulla <amit.lulla@gmail.com>
Co-authored-by: Arun Kumar Selvaraj <103064054+arunskum@users.noreply.github.com>
Co-authored-by: rohillasandeep <31911590+rohillasandeep@users.noreply.github.com>
Co-authored-by: name <alias@amazon.com>
Co-authored-by: Akarsha Sehwag <akshseh@amazon.de>
Co-authored-by: Julian Grüber <94227999+juliangrueber@users.noreply.github.com>
Co-authored-by: tnickl <tnickl@users.noreply.github.com>
Co-authored-by: satveerkhurpa <satveerkhurpa@users.noreply.github.com>
Co-authored-by: ensorw <ensorw@amazon.com>
Co-authored-by: Gan Luan <ganluannj@users.noreply.github.com>
Co-authored-by: awsjs <76132320+jamesschafer1982@users.noreply.github.com>
Co-authored-by: Anil Nadiminti <12433959+aniloncloud@users.noreply.github.com>
Co-authored-by: Anil Nadiminti <anilnadi@amazon.com>
Co-authored-by: giryoong-kim <gi.ryoong.kim@gmail.com>
Co-authored-by: Gi Kim <giryoong@amazon.com>
Co-authored-by: Sunita Koppar <skoppar@amazon.com>
Co-authored-by: brandh25 <100976280+brandh25@users.noreply.github.com>
Co-authored-by: Hardik Thakkar <68253981+HardikThakkar94@users.noreply.github.com>
Co-authored-by: HT <hardikvt@amazon.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Sebastian Bustillo <117386987+seabasshn@users.noreply.github.com>
Co-authored-by: Manuwai Korber <11172727+manuwaik@users.noreply.github.com>
Co-authored-by: Massimiliano Angelino <angmas@amazon.com>
Co-authored-by: Lana Zhang <lanaz@amazon.com>
Co-authored-by: Dumitru Pascu <3185740+dumip@users.noreply.github.com>
Co-authored-by: Zihang Huang <huanghang111@gmail.com>
Co-authored-by: Diego Brasil <109662331+di-brasil@users.noreply.github.com>
Co-authored-by: Jesse Turner <57651174+jesseturner21@users.noreply.github.com>
Co-authored-by: Rajesh Sitaraman <rajesh.sitaraman@outlook.com>
Co-authored-by: Rajesh Sitaraman <rajeshrd@amazon.com>
Co-authored-by: Gitika <53349492+notgitika@users.noreply.github.com>
Co-authored-by: Sundar Raghavan <101336114+sundargthb@users.noreply.github.com>
Co-authored-by: Sundar Raghavan <sdraghav@amazon.com>
Co-authored-by: Eitan Sela <eitan.sela@gmail.com>
Co-authored-by: Maira Ladeira Tanke <102240958+mttanke@users.noreply.github.com>
Co-authored-by: Bharathi Srinivasan <bhrsrini@amazon.com>
Co-authored-by: kolaak <kolaak@amazon.com>
Co-authored-by: jasonmimick-aws <jasonmimick@users.noreply.github.com>
Co-authored-by: smathalikunnel <sebastian.sunnym@gmail.com>
Co-authored-by: smathalikunnel <smathali@amazon.co.uk>
Co-authored-by: Mallik Panchumarthy <himallik@gmail.com>
Co-authored-by: Mallik Panchumarthy <mpanchum@amazon.com>
Co-authored-by: Velamuri <kvelamu@amazon.com>
Co-authored-by: Uriel Ramirez <aurbac@gmail.com>
Co-authored-by: Uriel Ramirez <beralfon@amazon.com>
Co-authored-by: Swara Gandhi <gandhi.swara@gmail.com>
Co-authored-by: Cristiano Scandura <53795829+scandura@users.noreply.github.com>
Co-authored-by: mchaitra <85197325+mchaitra007@users.noreply.github.com>
Co-authored-by: Amit Lulla <8913514+amit-lulla@users.noreply.github.com>
Co-authored-by: kollura <kollura@amazon.com>
2026-04-10 01:50:01 -07:00
pjkulkar f31baf0eee Add registry push sync Lambda tutorial (#1295)
* Add registry push sync Lambda tutorial with AgentCore Identity integration

* Update registry push sync Lambda with registry creation, boto3 1.42.87, and requests library

* Update registry push sync Lambda with registry creation, lint fixes, clear outputs

* Format handler.py with ruff 0.15.10
2026-04-10 01:04:20 -07:00
Daniel Lopes f02db45a7f Update consumer discovery semantic search notebook (#1292) 2026-04-09 21:30:52 -07:00
Daniel Lopes 5d4bc58382 Add consumer discovery semantic search notebook (#1289) 2026-04-09 17:24:09 -07:00
kollura 9fcd7772b1 Add Registry end-to-end tutorial: Admin Setup & IAM Governance Guide (#1290)
* Add Registry end-to-end tutorial: Admin Setup & IAM Governance Guide

- Getting started notebook with full registry lifecycle (create, IAM personas, records, governance tests, search, cleanup)
- Covers MCP, A2A, and CUSTOM record types with manual approval workflow
- Requires boto3 >= 1.42.87
- Includes architecture diagram

* Update architecture diagram with latest version
2026-04-09 16:22:46 -07:00
Amit Lulla ef97a103b2 fix: correct actorId usage and namespace resolution in travel booking agent (#896)
* fix: address reviewer feedback from @akshseh on PR #896

- Replace create_memory_and_wait + exception handling with create_or_get_memory
  (SDK handles idempotency, no manual exception handling needed)
- Remove 'Ask max two questions per turn' from flight, hotel, and orchestrator
  system prompts (not needed for demo use case)

* fix: resolve notebook issues found during testing

- Fix REGION -> region variable name in memory creation cell
- Remove duplicate imports between cell_8 and cell_9
- Fix cell_11: use consistent user_actor_id='user-001' for both flight
  and hotel agents (core PR fix - actorId represents user, not agent)

* fix: use separate sub-namespaces per agent while sharing actorId

- flight agent: travel/{actorId}/flight/preferences/
- hotel agent:  travel/{actorId}/hotel/preferences/

Same user_actor_id ensures memory persists across sessions.
Separate sub-namespaces ensure flight and hotel preferences don't mix.

* fix: use single shared namespace matching strategy pattern

Both agents use travel/{actorId}/preferences/ - matches the memory
strategy namespace so extracted preferences are actually retrievable.
Semantic search differentiates flight vs hotel preferences.

Tested: preferences (Iberia, economy, morning) correctly persisted
and recalled by new agent instance in a fresh session.
2026-04-09 16:10:02 -04:00
mchaitra 76d8028267 Main folder for Agent Registry assets (#1288) 2026-04-09 11:18:43 -07:00
Cristiano Scandura 1f1fac2593 feat: add Browser OS-level Actions tutorial (14-BROWSER-OS-ACTIONS) (#1259)
* feat: add Browser OS-level Actions tutorial (14-BROWSER-OS-ACTIONS)

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: update sample notebook with browser os actions using boto3

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: cleaned unused imports

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: cleaned unused imports

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

* fix: ruff clean

Signed-off-by: Cristiano Scandura <scandura@amazon.com>

---------

Signed-off-by: Cristiano Scandura <scandura@amazon.com>
2026-04-08 16:58:50 -04:00
Swara Gandhi 40a9f0ec8d Using AgentCore Identity for OAuth token management for a self-hosted agent. (#1255)
* Adding a tutorial for self hosted agent oauth managed by Agentcore Identity

Using AgentCore Identity for OAuth token management for a self-hosted agent.

* updated contributors.md
2026-04-06 14:50:51 -05:00
Uriel Ramirez a3f8e7e02e feat(02-usecases): Add Database Read-Only User and Update to Next.js (#1206)
* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Amazon Bedrock AgentCore Deployment with CDK

* Fix front-end model call IAM permissions for charts

* Add Database Read-Only User and Update to Next.js

* Add Database Read-Only User and Update to Next.js

* Update pnpm

* Update pnpm

---------

Co-authored-by: Uriel Ramirez <beralfon@amazon.com>
2026-04-05 16:03:54 -04:00
Mallik Panchumarthy 44df7faacf feat(02-usecases): Add Okta three-tier auth end-to-end demo with BedrockAgentCore Agent+AgentCore Gateway Interceptor+ Agent Runtime MCP Server (#1158)
* Add Okta three-tier auth end-to-end demo with Gateway + Agent Runtime

* Add Authorization Code grant flow for user auth and group-based RBAC enforcement to MCP Server

---------

Co-authored-by: Mallik Panchumarthy <mpanchum@amazon.com>
Co-authored-by: Velamuri <kvelamu@amazon.com>
2026-04-05 15:31:02 -04:00
Bharathi Srinivasan 0ec0cb1f12 removing hard coded regions - user prompted instead (#1251)
* removing hard coded regions - user prompted instead

* unicode

* ruff formatting
2026-04-03 19:36:29 -04:00
Eashan Kaushik da81652f27 feat(01-tutorials): Adding Amazon Bedrock AgentCore Gateway - Amazon VPC Lattice egress samples (#1247)
* egress

* coming soon labs

* coming soon labs

* cleanup

* advanced

* changes
2026-04-03 13:11:07 -04:00
smathalikunnel 96fb5403b2 Add memory for process tracking and analytics advanced pattern (#1094)
* Add memory for process tracking and analytics advanced pattern

* Update notebook: shows dynamic namespace querying, and dynamic code analysis

* Update notebook: add architecture diagram

* Move to 07-memory-for-hyper-personalisation, add cross-customer analytics notebook (Part 2)

* Rename notebooks with 01/02 prefix, add arch diagram to NB2, clear outputs

* Rename folder to 07-memory-for-personalisation-and-analytics

---------

Signed-off-by: Akarsha Sehwag <akshseh@amazon.de>
Co-authored-by: smathalikunnel <smathali@amazon.co.uk>
Co-authored-by: Akarsha Sehwag <akshseh@amazon.de>
2026-04-03 12:34:02 -04:00
Eashan Kaushik 388a220a35 feat(01-tutorials): auth code flow examples agentcore gateway (#1250) 2026-04-03 07:53:14 -04:00
kolaak 1714d2553c Feature/datadog llm observability tutorial (#1097)
* feat: Add Datadog observability integration for AgentCore Runtime

Original Datadog partner observability integration by jasonmimick-aws.
Includes notebook, requirements, .gitignore, and README updates.

Co-authored-by: jasonmimick-aws <jasonmimick@users.noreply.github.com>

* feat: Add Datadog LLM Observability notebook with OTLP export

Replace initial notebook with LLM Observability-focused tutorial.
Uses OpenTelemetry OTLP export directly to Datadog (no Agent required).
Add llm-obs-example.png screenshot to shared images folder.

* chore: Flatten Datadog structure, fix paths, add kolaak to CONTRIBUTORS

- Remove llm-observability/ subfolder, move contents to Datadog/ root
- Fix notebook image paths for flattened directory structure
- Replace Datadog APM link with LLM Observability docs link
- Add kolaak to CONTRIBUTORS.md

---------

Signed-off-by: kolaak <kolaak@amazon.com>
Co-authored-by: jasonmimick-aws <jasonmimick@users.noreply.github.com>
2026-04-02 12:16:12 -04:00
Massimiliano Angelino 465d80eec5 feat: token exchange example with real setup with different client ids to authenticate calls to AgentCore Gateway and API Gateway (#1234) 2026-04-01 16:22:24 -04:00
Bharathi Srinivasan 0d7cf406c9 custom code based evaluators (#1231)
* custom code based evaluators
2026-04-01 08:02:06 -07:00
Bharathi Srinivasan a00a68b01f Groundtruth evaluations (#1229)
* Add groundtruth-based evaluations tutorial

* updating README

* drop .py script, agent script is created at notebook runtime
2026-03-31 15:54:02 -07:00
Maira Ladeira Tanke 5ad508a26f Adding Getting Started sample (#1228)
* Adding getting started with AgentCore CLI example

* Adding getting started with AgentCore CLI example

* Adding getting started with AgentCore CLI example
2026-03-31 14:00:33 -07:00
Eitan Sela d34c58ece8 Add use case: Integrate Claude Code with AgentCore Gateway MCP Server (#1225)
* Initial push of claude-code-with-mcp-server sample code

* Added tavily MCP Server

* Update 01-claude-code-with-mcp-server.ipynb

* Added details on how to list MCP Tools

* Update 01-claude-code-with-mcp-server.ipynb

* Semantic updates in wording

* Cosmetic Fixes

* Update 01-claude-code-with-mcp-server.ipynb

* Added Claude Code screenshots to show AgentCore Gateway connection

* Improved documentation of the notebook

* Added Solution Architecture

* Fixed post Gili code review

* Fixes after Gili Code Review Comments

* Code fixes after gili code Review Comments

* Fixes after Gili code review comments

* Update CONTRIBUTORS.md

* Create README.md

* Fixes in the code after ruff check run

* Fixes in the notebook code after ruff check run

* Fixed Security Scan Results bugs

* Update README.md
2026-03-31 11:48:29 -04:00
Sundar Raghavan dbd3790397 feat: add Chrome enterprise policies and custom root CA tutorial for AgentCore Browser (#1220)
Add tutorial notebook demonstrating two new AgentCore Browser features:
- Chrome enterprise policies (managed/recommended) for URL filtering,
  download restrictions, and browser feature controls
- Custom root CA certificates via AWS Secrets Manager for connecting
  to internal services and SSL-intercepting proxies

Includes badssl.com demo for root CA using Code Interpreter.

Co-authored-by: Sundar Raghavan <sdraghav@amazon.com>
2026-03-30 15:04:27 -07:00
Gitika 078fdbfdee Replace Starter Toolkit with AgentCore CLI in README (#1196) 2026-03-30 13:21:06 -04:00
Julian Grüber 8734a9d525 Fix/session binding url (#1190)
* fix: session binding url

* fix: architecture

* fix: remove oauth callback service

* fix: docstrings

* fix: remove requirements.txt

* fix: remove cdk context

* fix: flow outbound auth flow diagram

* fix:session binding url

* style: format python files with ruff
2026-03-30 09:55:42 -05:00
Rajesh Sitaraman bb7790e3d7 feat(tutorials): #1128 Add Strands agent with AgentSkills plugin tutorial (#1131)
* feat(tutorials): Add Strands agent with AgentSkills plugin tutorial

* docs(contributors): Update contributors list

* lint fix

* docs(tutorials): Add architecture diagram to Strands agent skills tutorial

* chore(tutorials): Reorganize strands-with-skills tutorial to 06-strands-with-skills

---------

Signed-off-by: Rajesh Sitaraman <rajesh.sitaraman@outlook.com>
Co-authored-by: Rajesh Sitaraman <rajeshrd@amazon.com>
2026-03-30 08:53:00 -04:00
Jesse Turner bc4bea9557 docs: add migration guide from Starter Toolkit to AgentCore CLI (#1195) 2026-03-26 19:13:01 -04:00
rajjainl 4586a80ae0 feat(runtime): Add AG-UI examples with SSE and WebSocket demos (#1139)
* feat(runtime): Add AG-UI examples with SSE and WebSocket demos

Add tutorial 09-ag-ui-examples demonstrating the AG-UI protocol on
AgentCore Runtime with both Cognito/JWT and IAM/SigV4 authentication.

Includes:
- Document co-authoring agent (FastAPI + Strands + ag-ui-strands)
- Cognito notebook with SSE and WebSocket Bearer token demos
- IAM notebook with SSE (SigV4 headers) and WebSocket (pre-signed URL) demos
- Multi-turn interactive document co-authoring demo
- Architecture diagrams for both auth flows and transports
- README with AG-UI event reference and troubleshooting

* feat(runtime): Add AG-UI protocol examples as tutorial 10

- Rename 09-ag-ui-examples to 10-ag-ui-examples (09 slot taken by execute-command)
- Remove hardcoded region_name=us-west-2 from BedrockModel, inherit from env
- Use DP variable for both SSE_URL and WS_URL consistently
- Regenerate architecture diagrams: single agent with tool boxes, proper auth flow
- Improved event flow as full flowchart with color-coded event categories

* fix(runtime): Fix diagram edge labels overlapping with lines

Use ortho splines and increased node spacing to prevent edges
cutting through label text in architecture diagrams.

* fix(runtime): Remove duplicate task label on Tool 2 edge to prevent overlap

* fix(runtime): Place single 'tasks' label between tool boxes in diagrams

* fix(runtime): Suppress bandit B104 for container bind to 0.0.0.0

* feat(runtime): Switch to direct_code_deploy, remove Docker/ECR dependency

- Use deployment_type=direct_code_deploy with runtime_type=PYTHON_3_13
- Remove auto_create_ecr from configure()
- Remove ECR cleanup from both notebooks
- Remove Docker from prerequisites

* refactor(runtime): Switch to direct_code_deploy, trim requirements, remove review cell

- Use direct_code_deploy with PYTHON_3_13 runtime type
- Trim requirements.txt to 5 essential packages
- Remove Review Agent Code section from both notebooks
- Install zip via sudo apt-get for SageMaker Studio compatibility
- Renumber notebook sections

* chore(runtime): Rename AG-UI examples from 10 to 11

* fix(ag-ui): Address PR #1139 review comments

- Simplify status check block to single status query
- Add markdown cell explaining utils.py helper (cognito notebook)
- Remove authorizer print line from verify cells
2026-03-25 16:50:56 -04:00
Diego Brasil 3a0d2ed7e1 Adding End-to-End Customer Support Agent with AgentCore using Google ADK (#1164)
* feat(e2e): Add Google ADK end-to-end tutorial with AgentCore

Add 6-lab workshop covering agent creation, memory, gateway,
runtime deployment, frontend, and cleanup using Google ADK
with Amazon Bedrock AgentCore services.

* docs(e2e): Update Google ADK README and remove duplicate

Replace placeholder README with full tutorial content and remove
the 'README copy.md' duplicate file.

* docs(e2e): Add Google ADK to README title

* style(e2e): Capitalize README title consistently

* docs: Add Diego Brasil to CONTRIBUTORS

* chore(e2e): Remove images-og_do_not_commit directory

Remove original source images that were not intended for version control.

* fix: Use importlib for dynamic import and clean up linting issues

* feat(e2e): Set Cognito MFA to OPTIONAL and clean up inline comment

---------

Signed-off-by: Akarsha Sehwag <akshseh@amazon.de>
Co-authored-by: Akarsha Sehwag <akshseh@amazon.de>
2026-03-25 16:14:03 -04:00
Evandro Franco 76047f890c adding managed session storage (#1169)
* adding managed session storage

* adding managed session storage/ fix lint
2026-03-24 22:07:48 -04:00
Zihang Huang 402deab341 fix:add missing agents/ directory and requirements.txt (#1165) 2026-03-24 14:25:20 -04:00
Dumitru Pascu b0f13cc8cd Spring ai agentcore samples (#1119)
Added sample Spring and Embabel based agents
2026-03-24 10:18:24 -04:00
Lana Zhang b69d8e92bd AgentCore runtime bidi agent sample update - refined folder structure and more samples (#1160)
* agentcore runtime bidi streaming add strands sample

* agentcore runtime bidistream sample update for Nova Sonic 2

* agentcore bidi streaming sonic 2 update cleanup python file

* update IMDS comments

* reformat the python file using ruff

* sonic sample update to use default port 8080

* agentcore runtime bidi streaming update to sonic2 with text input update

* remove unused reference

* remove spaces

* update agentcore bidi streaming UIs to include text input, event filter and barge-in

* agentcore voice agent sample with more samples and refined folder structure

* update diagram

* update reference links

* resolve github warnings

* remove temp json

* resolve github warnings

* resolve github warnings

* resolve github warnings

* resolve github warnings

---------

Signed-off-by: Lana Zhang <lanaz@amazon.com>
2026-03-23 11:27:05 -04:00
Massimiliano Angelino fdaad23993 feat: sample that shows how to deploy agentcore runtime in VPC (#683)
* feat(runtime_in_vpc): initial

* fix: moved to advanced concepts
2026-03-21 21:35:42 -04:00
Robert Hoffmann bb283edadd fix(05-entraid-3lo-gateway): fix OpenAPI schema security validation for CDK deploy (#1141)
Co-authored-by: Robert Hoffmann <rho@amazon.de>
2026-03-21 13:53:21 -05:00
Akarsha Sehwag 61db650351 chore: fix iam policy path (#1153)
* docs(01-tutorials): update readmes

* docs: update readmes

* docs: update readme links & resources

* fix: fix the IAM policy path
2026-03-21 12:17:46 -04:00
Manuwai Korber 5aa31bbb7a fix(e2e-workshop): make zip install portable and conditional in prereq.sh (#1144)
Replace hardcoded `sudo apt install zip` with cross-platform detection:
- Check if zip is already installed before attempting install
- Detect package manager (apt-get, yum, dnf, brew)
- Use sudo only when not running as root
- Fail with clear message if no supported package manager is found

Closes #604
2026-03-20 11:46:34 -04:00
Manuwai Korber 3c2ec81358 fix(e2e-workshop): fix gateway race condition and model_id typo in lab-03 (#1146)
- Add time.sleep(3) after gateway creation in Step 5 to prevent Step 6
  from failing with CREATING status when cells run in quick succession
- Remove extra trailing quote from model_id that caused SyntaxError

Fixes #1145
2026-03-20 11:44:32 -04:00