
Bedrock AgentCore inbound JWT authorizer - private openID Discovery URL

0

I am trying to set up the inbound JWT Authorizer option for my AgentCore runtime using a private OpenID Discovery URL. This endpoint is not publicly available on the internet, but is reachable inside the VPC to which I am attaching my AgentCore runtime. It fails during creation because AgentCore can't reach the discovery URL.

I suspect this is not a valid configuration, and that the AgentCore control plane needs a public endpoint, but I find the documentation a bit unclear on whether this should be possible or not. It would be nice to have some official confirmation on this, as it is not unreasonable to think that, if I connect the AgentCore runtime to a VPC, it should be able to use a private discovery endpoint available inside the VPC itself.

For reference, the documentation in question: https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/inbound-jwt-authorizer.html

asked 2 months ago · 47 views
1 Answer
7
Accepted Answer

My understanding is that, indeed, the Bedrock AgentCore Control Plane requires a publicly reachable endpoint for the OIDC Discovery URL during the creation and validation phase, even if the Runtime itself is attached to your VPC. The issue stems from the distinction between the Control Plane (the AWS-managed service that validates your configuration) and the Data Plane/Runtime (the actual agent execution environment):

  • Validation (Control Plane): When you submit the configuration, an AWS service (outside your VPC) attempts an HTTPS GET request to your Discovery URL to verify the OIDC metadata and fetch the JWKS. Since this service originates from the AWS management network, it cannot resolve private DNS names or route into your private VPC subnets.
  • Execution (Runtime): While the AgentCore runtime is "VPC-aware," the validation of the Authorizer happens before the runtime environment is fully established or utilized for that specific check.
  • VPC Endpoints (PrivateLink): I think it's a misconception that an Interface VPC Endpoint for Bedrock would solve this, because PrivateLink only allows your VPC to talk to AWS services privately. It does not grant the AWS Control Plane a "backdoor" to reach private resources inside your VPC.

Why I think it is as I stated: This behavior is consistent with other AWS managed services like API Gateway or App Runner. For instance, the API Gateway documentation explicitly states that the issuer URL must be publicly reachable for validation to succeed, as the control plane initiates the discovery request from outside your VPC network: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html

EXPERT · answered 2 months ago
AWS EXPERT · reviewed 2 months ago
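An added pre-flight check, not part of the question, the answer or any AWS tooling: a hypothetical helper that validates an OIDC discovery URL and its document the way the control plane's validation step needs them, and flags discovery or `jwks_uri` hosts that resolve only to private addresses (the exact case the answer says the control plane cannot reach). It takes the document and a resolver as parameters so it runs offline; `fetch_and_check` is the live variant.

```python
"""Pre-flight check for an OIDC discovery URL before configuring an
AgentCore inbound JWT authorizer. Hypothetical helper, not AWS code."""
import ipaddress
import json
import socket
import urllib.request
from urllib.parse import urlparse

REQUIRED = ("issuer", "jwks_uri")  # fields the authorizer needs from the document
WELL_KNOWN = "/.well-known/openid-configuration"


def is_publicly_routable(host: str, resolver=socket.gethostbyname_ex) -> bool:
    """True only if every address the name resolves to is globally routable.
    A private, loopback or link-local address means a caller outside the
    VPC (the AWS control plane) will not be able to reach it."""
    try:
        _, _, addrs = resolver(host)
    except OSError:
        return False  # unresolvable: treat as unreachable
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)


def check_discovery_document(url: str, doc: dict, resolver=socket.gethostbyname_ex) -> list:
    """Return a list of problems; an empty list means the URL looks usable."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("discovery URL must use https")
    if not parsed.path.endswith(WELL_KNOWN):
        problems.append(f"discovery URL should end with {WELL_KNOWN}")
    if not is_publicly_routable(parsed.hostname or "", resolver):
        problems.append(f"{parsed.hostname} does not resolve to a public address")
    for key in REQUIRED:
        if key not in doc:
            problems.append(f"discovery document missing '{key}'")
    issuer = doc.get("issuer", "")
    # Per OIDC Discovery the URL is issuer + WELL_KNOWN, so the prefix must match.
    if issuer and url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append("issuer does not match the discovery URL")
    jwks = urlparse(doc.get("jwks_uri", ""))
    if jwks.scheme and jwks.scheme != "https":
        problems.append("jwks_uri must use https")
    elif jwks.hostname and not is_publicly_routable(jwks.hostname, resolver):
        problems.append(f"jwks_uri host {jwks.hostname} is not publicly routable")
    return problems


def fetch_and_check(url: str) -> list:
    """Live variant: download the document with the real resolver, then check it."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_discovery_document(url, json.load(resp))
```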
