End-to-End Walkthrough: How AgentCore Identity Secures AI Agent Interactions
AgentCore Identity, an Amazon Bedrock service, offers centralized agent identity management, secure token storage, native OAuth 2.0 support, and fine-grained access control, enabling AI agents to authenticate users, retrieve and store credentials safely, and perform actions such as scheduling Google Calendar events through a detailed end-to-end flow.
Amazon Bedrock AgentCore provides a modular set of services for building and running AI agents at scale. AgentCore Identity, powered by Amazon Cognito, adds enterprise‑grade identity and credential management, offering centralized agent identity, a secure token vault, native integration with Amazon Secrets Manager, and full OAuth 2.0 support.
Key capabilities
Centralized Agent Identity – each agent receives a unique ARN‑based identifier that works across hosted, self‑hosted, or hybrid deployments.
Token Vault – OAuth 2.0 access and refresh tokens, API keys, and client secrets are encrypted with customer‑managed KMS keys and can be retrieved only by the owning agent.
OAuth 2.0 support – both client‑credentials (2LO) and authorization‑code (3LO) flows are built‑in, with a simple API that abstracts the underlying protocol.
Identity‑aware authorization – the user’s context is passed to the agent, verified, and can be used to call OIDC user‑info endpoints when needed.
AgentCore SDK – declarative annotations automatically fetch and inject credentials, handling token expiry and error cases.
End‑to‑end example
1. User authentication: The user logs into a web app via Amazon Cognito (or another IdP). An authorization code is exchanged for Cognito ID, access, and refresh tokens, referred to as the “human access token”.
2. AI Agent interaction: The web app sends the user prompt together with the human access token to the backend. The agent calls GetWorkloadAccessTokenForJWT to obtain an “AI Agent access token” that is bound to the user’s identity.
3. OAuth 2.0 resource access: Using the AI Agent access token, the agent invokes GetResourceOauth2Token to start a 3LO flow with Google Calendar. Google’s authorization URL is generated, sent to the client, and the user authenticates with Google.
4. Token storage: The resulting Google access token is stored in the token vault, linked to the agent ID and user ID, allowing the agent to retrieve it for subsequent calendar API calls without re‑prompting the user.
5. Agent performs the action: The agent calls the Google Calendar API with the stored token (scope https://www.googleapis.com/auth/calendar.events) to create an event, then returns the result to the front‑end.
The flow demonstrates three distinct tokens – the human access token from Cognito, the AI Agent access token issued by AgentCore Identity, and the third‑party Google access token – and shows how strict access control and token encryption protect credentials while enabling seamless user‑driven automation.
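The token binding in steps 2 to 5 can be modelled in a few lines. This is an added example, not AgentCore or SDK code: IdentityModel, its methods, the IDs and the idp.example URL are hypothetical, and the vault is an in-memory dict rather than a KMS-encrypted store. It shows that a stored third-party token is released only to the same agent and user pair that obtained it.

```python
import hashlib
import hmac
import secrets

class IdentityModel:
    """Toy in-memory model of the flow above; not the AgentCore API."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signs agent (workload) tokens
        self._vault = {}  # (agent, user, provider) -> (token, granted scopes)

    def _mac(self, agent, user):
        msg = f"{agent}|{user}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def workload_token(self, agent, human_claims):
        # Step 2: the agent token is bound to the verified user ("sub").
        user = human_claims["sub"]
        return f"{agent}|{user}|{self._mac(agent, user)}"

    def _verify(self, token):
        agent, user, mac = token.rsplit("|", 2)
        if not hmac.compare_digest(mac, self._mac(agent, user)):
            raise PermissionError("agent token was not issued by this service")
        return agent, user

    def store(self, token, provider, third_party_token, scopes):
        # Step 4: the vault entry is keyed by agent ID and user ID.
        agent, user = self._verify(token)
        self._vault[(agent, user, provider)] = (third_party_token, frozenset(scopes))

    def resource_token(self, token, provider, scopes):
        # Steps 3 and 5: return the stored token, or ask for user consent.
        agent, user = self._verify(token)
        entry = self._vault.get((agent, user, provider))
        if entry is None or not set(scopes) <= entry[1]:
            return {"authorization_url": f"https://idp.example/authorize?provider={provider}"}
        return {"access_token": entry[0]}

SCOPE = "https://www.googleapis.com/auth/calendar.events"

def demo():
    m = IdentityModel()
    alice = m.workload_token("agent-a", {"sub": "alice"})  # constructed IDs
    first = m.resource_token(alice, "google", [SCOPE])  # nothing stored yet
    m.store(alice, "google", "constructed-google-token", [SCOPE])  # after consent
    again = m.resource_token(alice, "google", [SCOPE])
    other_agent = m.workload_token("agent-b", {"sub": "alice"})
    return first, again, m.resource_token(other_agent, "google", [SCOPE])
```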
By integrating AgentCore Identity, enterprises can protect user credentials, enforce least‑privilege access, and scale AI‑agent‑driven workflows without redesigning existing identity systems.
Amazon Cloud Developers
Official technical community of Amazon Cloud. Shares practical AI/ML, big data, database, modern app development, IoT content, offers comprehensive learning resources, hosts regular developer events, and continuously empowers developers.
