Prerequisites to set up a gateway - Amazon Bedrock AgentCore

Amazon Bedrock AgentCore is in preview release and is subject to change.

Prerequisites to set up a gateway

Amazon Bedrock AgentCore Gateway can connect to both AWS resources and external services. Because of this, its permissions model goes beyond standard AWS Identity and Access Management (IAM): IAM governs who can create and manage a Gateway, while additional, external authentication mechanisms cover who may call the Gateway and how the Gateway authenticates to the services it calls.

When working with Gateways, there are three main categories of permissions to consider:

  1. Gateway Management Permissions - Permissions needed to create and manage Gateways

  2. Gateway Access Permissions or Inbound Auth Configuration - Who can invoke what via MCP

  3. Gateway Execution Permissions or Outbound Authorization configuration - Permissions that a Gateway needs to perform actions on other resources and services

You'll configure Gateway Access Permissions when Creating gateways in the next section, and Gateway Execution Permissions when Adding targets.

Gateway Management Permissions

These permissions allow you to create and manage Gateways. You can create a gateway-specific policy (for example, one named BedrockAgentCoreGatewayFullAccess) that looks like the following. Wildcard action patterns such as bedrock-agentcore:*Token* match every current and future API whose name fits the pattern, so review what they grant before using a policy like this outside a development account:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock-agentcore:*Gateway*",
        "bedrock-agentcore:*WorkloadIdentity",
        "bedrock-agentcore:*CredentialProvider",
        "bedrock-agentcore:*Token*",
        "bedrock-agentcore:*Access*"
      ],
      "Resource": "arn:aws:bedrock-agentcore:*:*:*gateway*"
    }
  ]
}

You may also need additional permissions for related services:

  • s3:GetObject and s3:PutObject for storing and retrieving schemas when you configure targets based on S3

  • kms:Encrypt, kms:Decrypt, kms:GenerateDataKey* for encryption operations

  • Other service-specific permissions based on your Gateway's functionality or configuration

For more comprehensive permissions across all AgentCore services, consider using the BedrockAgentCoreFullAccess managed policy, especially when working with multiple AgentCore products.

If you prefer to follow the principle of least privilege, you can create a custom policy that grants only specific permissions. Here's an example of a read-only Gateway permission policy:

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock-agentcore:ListGateways",
        "bedrock-agentcore:GetGateway",
        "bedrock-agentcore:ListGatewayTargets",
        "bedrock-agentcore:GetGatewayTarget"
      ],
      "Resource": "arn:aws:bedrock-agentcore:*:*:*gateway*"
    }
  ]
}
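The two management policies above are a good place to practise a least-privilege review. The following is an added example, not code from the AgentCore documentation: it copies both policies, flags wildcard action patterns and wildcard region or account fields in the Resource ARN, and shows how IAM's glob matching lets a pattern such as bedrock-agentcore:*Gateway* cover a concrete API name (GetGatewayTarget from the read-only policy, and CreateGateway as a probe for a mutating call). The read-only verb prefixes are this example's own heuristic, not an AWS definition.

```python
"""Least-privilege audit of the two Gateway management policies above.

Added example, not code from the AgentCore documentation. Both policies
are copied from this page; the read-only verb prefixes are a heuristic.
"""
import fnmatch
import json

FULL_ACCESS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["bedrock-agentcore:*Gateway*", "bedrock-agentcore:*WorkloadIdentity",
               "bedrock-agentcore:*CredentialProvider", "bedrock-agentcore:*Token*",
               "bedrock-agentcore:*Access*"],
    "Resource": "arn:aws:bedrock-agentcore:*:*:*gateway*"
  }]
}""")

READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["bedrock-agentcore:ListGateways", "bedrock-agentcore:GetGateway",
               "bedrock-agentcore:ListGatewayTargets", "bedrock-agentcore:GetGatewayTarget"],
    "Resource": "arn:aws:bedrock-agentcore:*:*:*gateway*"
  }]
}""")

# Heuristic: API names beginning with these verbs do not change state.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (read_only, findings) over the policy's Allow statements.

    findings holds (kind, detail) tuples: 'wildcard-action' for an Action
    pattern containing '*', 'wildcard-resource' for a Resource whose region
    or account field is '*' (or a bare '*'). read_only is True only when
    every allowed action is a concrete name with a read-only verb prefix.
    """
    findings, read_only = [], True
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if "*" in verb:
                findings.append(("wildcard-action", f"statement {idx}: {action}"))
                read_only = False
            elif not verb.startswith(READ_ONLY_VERBS):
                read_only = False
        for resource in _as_list(stmt.get("Resource", [])):
            parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6:  # a bare "*" or a malformed ARN
                findings.append(("wildcard-resource", f"statement {idx}: {resource}"))
                continue
            for name, field in (("region", parts[3]), ("account", parts[4])):
                if field == "*":
                    findings.append(("wildcard-resource", f"statement {idx}: {name} is '*' in {resource}"))
    return read_only, findings


def policy_allows(policy, action):
    """True if an Allow statement's Action pattern matches `action`.

    IAM compares action names case-insensitively and treats '*' as a glob,
    which fnmatch reproduces once both sides are lower-cased. Resource and
    Condition evaluation are deliberately out of scope here.
    """
    wanted = action.lower()
    return any(
        stmt.get("Effect") == "Allow"
        and any(fnmatch.fnmatchcase(wanted, p.lower()) for p in _as_list(stmt.get("Action", [])))
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    for name, pol in (("FullAccess", FULL_ACCESS_POLICY), ("ReadOnly", READ_ONLY_POLICY)):
        read_only, findings = audit_policy(pol)
        print(f"{name}: read_only={read_only}, findings={findings}")
    print("FullAccess allows CreateGateway:", policy_allows(FULL_ACCESS_POLICY, "bedrock-agentcore:CreateGateway"))
    print("ReadOnly allows CreateGateway:", policy_allows(READ_ONLY_POLICY, "bedrock-agentcore:CreateGateway"))
```

Running it reports five wildcard actions and two wildcard ARN fields for the full-access policy, and only the two ARN fields for the read-only policy, which is the gap the "Use specific resource ARNs rather than wildcards" guidance below is about.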

Gateway Access Permissions or Inbound Auth Configuration

Unlike other AWS services, which use standard AWS IAM mechanisms for access control, Amazon Bedrock AgentCore Gateway authenticates inbound callers with JWT bearer tokens, following the authorization model of the Model Context Protocol (MCP). This configuration is specified as a property of the gateway itself, not in an IAM policy.

You'll configure these permissions when Creating gateways in the next section.

Gateway Execution Permissions or Outbound Authorization configuration

When creating a Gateway, you provide an execution role that the Gateway assumes to access AWS resources or external services. This role defines the permissions the Gateway has when it makes requests to other services, and what it needs depends on the target type: for an AWS resource target, the role needs permission to access that resource; for an external target, the role needs permission to acquire the authorization used to invoke the external service. You configure these permissions after you have set up your gateway, while Adding targets.

Whatever type of target is configured, the execution role must at minimum have a trust policy that allows the Amazon Bedrock AgentCore service to assume it. The aws:SourceAccount and aws:SourceArn conditions restrict the service principal to assuming the role only on behalf of gateways in your own account, which prevents a gateway in another account from using your role (the confused deputy problem):

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GatewayAssumeRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "bedrock-agentcore.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:bedrock-agentcore:{{region}}:111122223333:gateway/{{gatewayName}}-*"
        }
      }
    }
  ]
}

For AWS resources used as targets, such as Lambda functions, the execution role needs permission to invoke the resource (for a Lambda function, lambda:InvokeFunction on its ARN), and if the resource carries its own resource-based policy (for example a Lambda function policy or an S3 bucket policy), that policy must also allow the Gateway's execution role.
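Tying the trust policy and the target permissions together, the following is an added example, not the documentation's own code. It fills the {{region}} and {{gatewayName}} placeholders of the trust policy above for one gateway, builds a one-function Lambda target permission policy, and checks a trust policy for the confused-deputy gap that opens if the aws:SourceAccount and aws:SourceArn conditions are dropped or point at another account. The account ID, region, gateway name and function ARN are constructed values, and lambda:InvokeFunction as the action a Lambda target needs is an assumption to confirm against the Adding targets section.

```python
"""Build and check a Gateway execution role's trust policy.

Added example, not code from the AgentCore documentation. The account ID,
region, gateway name and Lambda function ARN used below are constructed.
build_lambda_target_permissions() encodes the assumption that a Lambda
target needs lambda:InvokeFunction on the function ARN.
"""
import json

GATEWAY_SERVICE_PRINCIPAL = "bedrock-agentcore.amazonaws.com"


def build_trust_policy(account_id, region, gateway_name):
    """The trust policy from this page with the {{region}} and
    {{gatewayName}} placeholders filled in for one gateway."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "GatewayAssumeRolePolicy",
            "Effect": "Allow",
            "Principal": {"Service": GATEWAY_SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {
                    "aws:SourceArn": (
                        f"arn:aws:bedrock-agentcore:{region}:{account_id}"
                        f":gateway/{gateway_name}-*"
                    )
                },
            },
        }],
    }


def build_lambda_target_permissions(function_arn):
    """Identity policy for the execution role when the target is one Lambda
    function. Assumption: the gateway only needs lambda:InvokeFunction."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,  # one function ARN, no wildcard
        }],
    }


def confused_deputy_gaps(trust_policy, account_id):
    """Return the reasons a gateway outside `account_id` could assume this
    role. An empty list means every Allow statement pins the
    bedrock-agentcore service principal to this account's gateways through
    both aws:SourceAccount and aws:SourceArn."""
    gaps = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Service") != GATEWAY_SERVICE_PRINCIPAL:
            gaps.append(f"{sid}: principal is not the {GATEWAY_SERVICE_PRINCIPAL} service")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(a != "sts:AssumeRole" for a in actions):
            gaps.append(f"{sid}: actions other than sts:AssumeRole allowed: {actions}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            gaps.append(f"{sid}: aws:SourceAccount condition missing or not {account_id}")
        source_arn = cond.get("ArnLike", {}).get("aws:SourceArn", "")
        parts = source_arn.split(":", 5)  # arn:partition:service:region:account:resource
        if len(parts) < 6 or parts[2] != "bedrock-agentcore":
            gaps.append(f"{sid}: aws:SourceArn condition missing or not a bedrock-agentcore ARN")
        elif parts[4] != account_id:
            gaps.append(f"{sid}: aws:SourceArn account field is '{parts[4]}', not {account_id}")
        elif not parts[5].startswith("gateway/"):
            gaps.append(f"{sid}: aws:SourceArn is not scoped to a gateway resource")
    return gaps


if __name__ == "__main__":
    good = build_trust_policy("111122223333", "us-east-1", "orders-gateway")
    print(json.dumps(good, indent=2))
    print("gaps in page policy:", confused_deputy_gaps(good, "111122223333"))
    # Failure mode: the same statement without its Condition block trusts
    # the service principal acting for gateways in any AWS account.
    unscoped = build_trust_policy("111122223333", "us-east-1", "orders-gateway")
    del unscoped["Statement"][0]["Condition"]
    print("gaps without conditions:", confused_deputy_gaps(unscoped, "111122223333"))
    print(json.dumps(build_lambda_target_permissions(
        "arn:aws:lambda:us-east-1:111122223333:function:orders"), indent=2))
```

The check is worth running on any execution role you find in the wild: a trust policy that names the service principal but omits both conditions looks reasonable at a glance, yet it lets any account's gateway present itself to STS as that principal and assume your role.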

Best practices for Gateway permissions

Follow the principle of least privilege
  • Grant only the permissions necessary for your Gateway to function

  • Use specific resource ARNs rather than wildcards when possible

  • Regularly review and audit permissions

Separate roles by function
  • Use different roles for management and execution

  • Create separate roles for different Gateways with different purposes

Secure credential storage
  • Store API keys and OAuth credentials in AWS Secrets Manager

  • Rotate credentials regularly

Monitor and audit
  • Enable CloudTrail logging for Gateway operations

  • Regularly review access patterns and permissions usage

Use conditions in policies
  • Add conditions to limit when and how permissions can be used

  • Consider using source IP restrictions for management operations