Yes, the X-Amzn-Bedrock-AgentCore-Runtime-User-Id header is related to the OAuth authentication flow and works in conjunction with the @requires_access_token decorator in AgentCore.
When you make requests to an AgentCore Runtime agent, you can include this header to specify the user identity for whom the agent should retrieve or use OAuth tokens. This header plays a crucial role in the identity binding process that AgentCore uses for secure token management.
Here's how it works:
- When you include the X-Amzn-Bedrock-AgentCore-Runtime-User-Id header in your request to the agent, it associates that request with a specific user context.
- Behind the scenes, when your agent code uses the @requires_access_token decorator, the SDK makes API calls including CreateWorkloadIdentity, GetWorkloadAccessToken, and GetResourceOauth2Token.
- For agents running in AgentCore Runtime, the SDK uses the agent identity ID assigned to your agent and the user ID passed in via the X-Amzn-Bedrock-AgentCore-Runtime-User-Id header.
- AgentCore Identity service then creates a binding among the agent identity, user identity, and any OAuth tokens (like Google access tokens) in the Token Vault.
This binding ensures that tokens for one user can never be accessed when processing requests for another user, maintaining security isolation between different users' credentials.
Alternatively, you can also pass a JWT token instead of a user ID, which is the recommended approach when a JWT is available. In this case, you would use:
Authorization: Bearer <user-access-token>
AgentCore Runtime will automatically exchange validated user tokens for workload access tokens through the bedrock-agentcore:GetWorkloadAccessTokenForJWT API, providing secure outbound access to external services.
Sources:
- Authenticate and authorize with Inbound Auth and Outbound Auth - Amazon Bedrock AgentCore
- Step 3: Obtain an OAuth 2.0 access token - Amazon Bedrock AgentCore
- Securely launch and scale your agents and tools on Amazon Bedrock AgentCore Runtime | Artificial Intelligence
- Get workload access token - Amazon Bedrock AgentCore
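As an added illustration (not code from either answer, nor from the AgentCore SDK or Token Vault), here is a small local model of the binding described above. The header name and the preference for a validated JWT come from the answer; the TokenVault class, the resolve_binding and handle_request functions and the validate_jwt callable are assumptions made for the example.

```python
# Constructed model of the (agent identity, user identity) -> OAuth token
# binding. Class and function names and the validate_jwt hook are assumed;
# only the header name and the JWT preference come from the answer above.
from dataclasses import dataclass, field

USER_ID_HEADER = "x-amzn-bedrock-agentcore-runtime-user-id"


@dataclass(frozen=True)
class Binding:
    agent_identity: str  # workload identity assigned to the hosted agent
    user_id: str         # end user taken from the header or a validated JWT


@dataclass
class TokenVault:
    _tokens: dict = field(default_factory=dict)

    def store(self, binding: Binding, provider: str, token: str) -> None:
        self._tokens[(binding, provider)] = token

    def get_resource_oauth2_token(self, binding: Binding, provider: str):
        # Lookup is keyed by the full (agent, user) binding, so a request
        # processed for one user can never resolve another user's token.
        return self._tokens.get((binding, provider))


def resolve_binding(agent_identity: str, headers: dict, validate_jwt=None) -> Binding:
    """Derive the binding from request headers (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if auth.startswith("Bearer "):
        # JWT path: the user comes from the validated token, not from a raw header.
        if validate_jwt is None:
            raise PermissionError("bearer token present but no JWT validator configured")
        return Binding(agent_identity, validate_jwt(auth[len("Bearer "):]))
    user_id = lowered.get(USER_ID_HEADER, "").strip()
    if not user_id:
        raise PermissionError("no user identity on request; refusing to fetch user tokens")
    return Binding(agent_identity, user_id)


def handle_request(vault: TokenVault, agent_identity: str, headers: dict,
                   provider: str, validate_jwt=None) -> dict:
    """What a @requires_access_token-style wrapper does before running tool code."""
    binding = resolve_binding(agent_identity, headers, validate_jwt)
    token = vault.get_resource_oauth2_token(binding, provider)
    if token is None:
        # The real SDK would start the authorization-code flow for this user here.
        return {"user": binding.user_id, "status": "authorization_required"}
    return {"user": binding.user_id, "status": "ok", "token": token}
```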
Hello,
I understand you want to know how the user ID header relates to OAuth token handling in your Agent code.
The X-Amzn-Bedrock-AgentCore-Runtime-User-Id header is relevant when your hosted agent needs to retrieve OAuth tokens on behalf of end users using the Authorization Code Grant flow. This header allows you to associate requests with a specific user identity, so the service knows which end user’s token to work with.
On the agent side, you typically won’t need to manually handle this header in your code. Instead, when you use the @requires_access_token annotation in your agent code, the Bedrock Agent SDK takes care of the heavy lifting for you. Behind the scenes, the SDK calls the necessary APIs—such as GetResourceOauth2Token—using the workload identity and access tokens that are tied to that user ID.
In other words, you don’t need to directly manage the X-Amzn-Bedrock-AgentCore-Runtime-User-Id header within your business logic. The SDK and runtime handle it for you, so you can focus on your agent logic while ensuring the correct user’s tokens are retrieved securely.
If you have any further questions, please reach out to AWS Support [5] and we would be happy to assist you further.
References:
[1] https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-oauth.html
[2] https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity-getting-started-step3.html
[3] https://aws.amazon.com/blogs/machine-learning/securely-launch-and-scale-your-agents-and-tools-on-amazon-bedrock-agentcore-runtime/
[4] https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/get-workload-access-token.html
[5] https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case
