Setting up identity providers for Inbound Auth

Setting up inbound Auth

Before creating your Gateway, you need to set up inbound authorization to validate callers attempting to access targets through your Amazon Bedrock AgentCore Gateway.

Note

If you're using the AgentCore SDK, the Cognito EZ Auth can configure this automatically for you, so you can skip the manual inbound Auth setup.

Inbound authorization works with OAuth authorization, where the client application must authenticate with the OAuth authorizer before using the Gateway. Your client would receive an access token which is used at runtime.

You need to specify an OAuth discovery server and client IDs/audiences when you create the gateway. You can specify the following:

Discovery Url — String that must match the pattern ^.+/\.well-known/openid-configuration$ for OpenID Connect discovery URLs
At least one of the below options depending on the chosen identity provider.
- Allowed audiences — List of allowed audiences for JWT tokens
- Allowed clients — List of allowed client identifiers

Setting up identity providers for Inbound Auth

For general information about setting up different identity providers, see Identity provider setup and configuration.

Important

Using inbound authorization based on JWT tokens will result in logging of some claims of the JWT token in CloudTrail. The entry includes the Subject of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.

Choose your preferred identity provider from the options below:

Amazon Cognito EZ Auth with AgentCore SDK

You can also set up Cognito EZ Auth with the AgentCore Python SDK. This eliminates the complexity of OAuth setup. You only need to run the following command:


# Import SDK and set up client
from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient
client = GatewayClient()

# Retrieve the authorization configuration from the create response. When you create the gateway, specify it in the authorizer_config field
cognito_result = client.create_oauth_authorizer_with_cognito("my-gateway")
authorizer_configuration = cognito_result["authorizer_config"]

Amazon Cognito

Amazon Cognito provides a fully managed user directory service that can be used to authenticate users for your Gateway.

To create a Cognito user pool for machine-to-machine authentication

Create a user pool:



aws cognito-idp create-user-pool \
  --region us-west-2 \
  --pool-name "gateway-user-pool"

Note the user pool ID from the response or retrieve it using:



aws cognito-idp list-user-pools \
  --region us-west-2 \
  --max-results 60

Create a resource server for the user pool:



aws cognito-idp create-resource-server \
  --region us-west-2 \
  --user-pool-id <UserPoolId> \
  --identifier "gateway-resource-server" \
  --name "GatewayResourceServer" \
  --scopes '[{"ScopeName":"read","ScopeDescription":"Read access"}, {"ScopeName":"write","ScopeDescription":"Write access"}]'

Create a client for the user pool:



aws cognito-idp create-user-pool-client \
  --region us-west-2 \
  --user-pool-id <UserPoolId> \
  --client-name "gateway-client" \
  --generate-secret \
  --allowed-o-auth-flows client_credentials \
  --allowed-o-auth-scopes "gateway-resource-server/read" "gateway-resource-server/write" \
  --allowed-o-auth-flows-user-pool-client \
  --supported-identity-providers "COGNITO"

Note the client ID and client secret from the response.

Create a domain for your user pool (if one is not already created by default):



aws cognito-idp create-user-pool-domain \
  --domain <UserPoolIdWithoutUnderscore> \
  --user-pool-id <UserPoolId> \
  --region us-west-2

Construct the discovery URL for your Cognito user pool:



https://cognito-idp.us-west-2.amazonaws.com/<UserPoolId>/.well-known/openid-configuration

Configure the Gateway Inbound authorization with the following values:

Discovery URL: The URL constructed in the previous step
Allowed clients: The client ID obtained when creating the user pool client



authorizerConfiguration= {
  "customJWTAuthorizer": {  
    "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/user-pool-id/.well-known/openid-configuration",
    "allowedClients": ["client-id"]
  }
}

To obtain a bearer token for use with the Data Plane API:



curl --http1.1 -X POST https://<UserPoolIdWithoutUnderscore>.auth.us-west-2.amazoncognito.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=<ClientId>&client_secret=<ClientSecret>"

The response will include an access token that can be used as a bearer token when making requests to the Gateway.

Auth0

Auth0 can be used as an identity provider for Gateway Inbound Auth. Follow these steps to set up Auth0 and obtain the necessary configuration values:

To set up Auth0 for Gateway authentication

Create an API in Auth0:
1. Log in to your Auth0 dashboard.
2. Navigate to "APIs" and click "Create API".
3. Provide a name and identifier for your API (e.g., "gateway-api").
4. Select the signing algorithm (RS256 recommended).
5. Click "Create".
Configure API scopes:
1. In the API settings, go to the "Scopes" tab.
2. Add scopes such as "invoke:gateway" and "read:gateway".
Create an application:
1. Navigate to "Applications" and click "Create Application".
2. Select "Machine to Machine Application".
3. Select the API you created in step 1.
4. Authorize the application for the scopes you created.
5. Click "Create".
Note the client ID and client secret from the application settings.
Construct the discovery URL for your Auth0 tenant:
```
https://<your-domain>/.well-known/openid-configuration
                
```
Where <your-domain> is your Auth0 tenant domain (e.g., "dev-example.us.auth0.com").
Configure the Gateway Inbound authorization with the following values:
- Discovery URL: The URL constructed in the previous step
- Allowed audiences: The API identifier you created in step 1
```
authorizerConfiguration= {
  "customJWTAuthorizer": { 
    "discoveryUrl": "https://dev-example.us.auth0.com/.well-known/openid-configuration",
    "allowedAudience": ["gateway123"]
  }
}
            
```

To obtain a bearer token for use with the Data Plane API:



curl --request POST \
  --url https://<your-domain>/oauth/token \
  --header 'content-type: application/json' \
  --data '{
    "client_id":"<ClientId>",
    "client_secret":"<ClientSecret>",
    "audience":"<ApiIdentifier>",
    "grant_type":"client_credentials",
    "scope": "invoke:gateway"
  }'

The response will include an access token that can be used as a bearer token when making requests to the Gateway.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Creating gateways

Creating your Gateway