iSharkFly-Docs/amazon-bedrock-agentcore-samples
1
0
Fork 0
mirror of https://github.com/awslabs/amazon-bedrock-agentcore-samples.git synced 2025-09-08 20:50:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
amazon-bedrock-agentcore-sa.../02-use-cases/AWS-operations-agent/mcp-tool-lambda/mcp-tool-template-zip.yaml

217 lines
7.5 KiB
YAML
Raw Permalink Normal View History

Configuration Management Fixes (#223) * feat: Add AWS Operations Agent with AgentCore Runtime - Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore - Added comprehensive deployment scripts for DIY and SDK runtime modes - Implemented OAuth2/PKCE authentication with Okta integration - Added MCP (Model Context Protocol) tool support for AWS service operations - Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders - Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker - Includes chatbot client, gateway management scripts, and comprehensive testing - Ready for public GitHub with security-cleared configuration files Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders * Update AWS Operations Agent architecture diagram * feat: Enhance AWS Operations Agent with improved testing and deployment - Update README with new local container testing approach using run-*-local-container.sh scripts - Replace deprecated SAM-based MCP Lambda deployment with ZIP-based deployment - Add no-cache flag to Docker builds to ensure clean builds - Update deployment scripts to use consolidated configuration files - Add comprehensive cleanup scripts for all deployment components - Improve error handling and credential validation in deployment scripts - Add new MCP tool deployment using ZIP packaging instead of Docker containers - Update configuration management to use dynamic-config.yaml structure - Add local testing capabilities with containerized agents - Remove outdated test scripts and replace with interactive chat client approach * fix: Update IAM policy configurations - Update bac-permissions-policy.json with enhanced permissions - Update bac-trust-policy.json for improved trust relationships * fix: Update Docker configurations for agent runtimes - Update Dockerfile.diy with improved container configuration - Update Dockerfile.sdk with enhanced build settings * fix: Update OAuth iframe flow configuration - Update iframe-oauth-flow.html with improved OAuth handling * feat: Update AWS Operations Agent configuration and cleanup - Update IAM permissions policy with enhanced access controls - Update IAM trust policy with improved security conditions - Enhance OAuth iframe flow with better UX and error handling - Improve chatbot client with enhanced local testing capabilities - Remove cache files and duplicate code for cleaner repository * docs: Add architecture diagrams and update README - Add architecture-2.jpg and flow.jpg diagrams for better visualization - Update README.md with enhanced documentation and diagrams * Save current work before resolving merge conflicts * Keep AWS-operations-agent changes (local version takes precedence) * Fix: Remove merge conflict markers from AWS-operations-agent files - restore clean version * Fix deployment and cleanup script issues Major improvements and fixes: Configuration Management: - Fix role assignment in gateway creation (use bac-execution-role instead of Lambda role) - Add missing role_arn cleanup in MCP tool deletion script - Fix OAuth provider deletion script configuration clearing - Improve memory deletion script to preserve quote consistency - Add Lambda invoke permissions to bac-permissions-policy.json Script Improvements: - Reorganize deletion scripts: 11-delete-oauth-provider.sh, 12-delete-memory.sh, 13-cleanup-everything.sh - Fix interactive prompt handling in cleanup scripts (echo -e format) - Add yq support with sed fallbacks for better YAML manipulation - Remove obsolete 04-deploy-mcp-tool-lambda-zip.sh script Architecture Fixes: - Correct gateway role assignment to use runtime.role_arn (bac-execution-role) - Ensure proper role separation between gateway and Lambda execution - Fix configuration cleanup to clear all dynamic config fields consistently Documentation: - Update README with clear configuration instructions - Maintain security best practices with placeholder values - Add comprehensive deployment and cleanup guidance These changes address systematic issues with cleanup scripts, role assignments, and configuration management while maintaining security best practices. * Update README.md with comprehensive documentation Enhanced documentation includes: - Complete project structure with 75 files - Step-by-step deployment guide with all 13 scripts - Clear configuration instructions with security best practices - Dual agent architecture documentation (DIY + SDK) - Authentication flow and security implementation details - Troubleshooting guide and operational procedures - Local testing and container development guidance - Tool integration and MCP protocol documentation The README now provides complete guidance for deploying and operating the AWS Support Agent with Amazon Bedrock AgentCore system. --------- Co-authored-by: name <alias@amazon.com>
2025-08-09 13:51:24 -07:00
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: MCP Tool Lambda for Bedrock AgentCore Gateway MCP testing (ZIP-based deployment)
Parameters:
Environment:
Type: String
Default: prod
Description: Environment name for CloudFormation tags only
Globals:
Function:
Timeout: 900 # 15 minutes
MemorySize: 3008 # Maximum memory for performance
Runtime: python3.12
Architectures: [x86_64]
Resources:
# Bedrock AgentCore Gateway Execution Role - Role that Bedrock AgentCore Gateway assumes to invoke Lambda functions
BedrockAgentCoreGatewayExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: bac-gateway-execution-role
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
# Production Bedrock AgentCore Gateway - Bedrock AgentCore service principal with required conditions
- Effect: Allow
Principal:
Service: bedrock-agentcore.amazonaws.com
Action: sts:AssumeRole
Condition:
StringEquals:
aws:SourceAccount: !Ref AWS::AccountId
ArnLike:
aws:SourceArn: !Sub "arn:aws:bedrock-agentcore:${AWS::Region}:${AWS::AccountId}:gateway/bac-gtw-*"
Policies:
- PolicyName: BedrockAgentCoreGatewayExecutionPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: InvokeLambdaFunctions
Effect: Allow
Action:
- lambda:InvokeFunction
Resource: '*'
- Sid: BedrockAgentCorePermissions
Effect: Allow
Action:
- bedrock-agentcore:*
Resource: '*'
- Sid: CloudWatchLogsPermissions
Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- logs:DescribeLogGroups
- logs:DescribeLogStreams
Resource: '*'
Tags:
- Key: Project
Value: lambda-adaptor-bedrock-agentcore
- Key: Component
Value: bedrock-agentcore-gateway-execution
- Key: Environment
Value: !Ref Environment
- Key: ManagedBy
Value: SAM
# Custom Lambda Execution Role with Bedrock AgentCore Trust and AWS Service Permissions
MCPToolFunctionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
# Allow Lambda service to assume this role
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
# Allow Bedrock AgentCore service to assume this role
- Effect: Allow
Principal:
Service: bedrock-agentcore.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- arn:aws:iam::aws:policy/ReadOnlyAccess
Policies:
- PolicyName: BedrockInvokePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- bedrock:InvokeModel
- bedrock:InvokeModelWithResponseStream
Resource: '*'
- PolicyName: CostExplorerPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- ce:GetCostAndUsage
- ce:GetUsageReport
- ce:GetReservationCoverage
- ce:GetReservationPurchaseRecommendation
- ce:GetReservationUtilization
- ce:GetDimensionValues
- ce:GetMetricValues
- ce:ListCostCategoryDefinitions
- ce:GetCostCategories
- ce:GetRightsizingRecommendation
- ce:GetSavingsPlansUtilization
- ce:GetSavingsPlansUtilizationDetails
- ce:GetSavingsPlansCoverage
- ce:GetSavingsPlansUsage
- ce:GetUsageForecast
- ce:GetCostForecast
Resource: '*'
- PolicyName: BudgetsPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- budgets:ViewBudget
- budgets:DescribeBudgets
- budgets:DescribeBudget
- budgets:DescribeBudgetAction
- budgets:DescribeBudgetActions
- budgets:DescribeBudgetActionsForAccount
- budgets:DescribeBudgetActionsForBudget
- budgets:DescribeBudgetNotificationsForAccount
- budgets:DescribeBudgetPerformanceHistory
- budgets:DescribeNotificationsForBudget
- budgets:DescribeSubscribersForNotification
Resource: '*'
- PolicyName: CloudWatchLogsPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/bac-mcp-tool:*"
Tags:
- Key: Project
Value: lambda-adaptor-bedrock-agentcore
- Key: Component
Value: mcp-tool-lambda
- Key: Environment
Value: !Ref Environment
# CloudWatch Log Group
MCPToolLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: /aws/lambda/bac-mcp-tool
RetentionInDays: 14
# MCP Tool Lambda Function (ZIP-based)
MCPToolFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: "bac-mcp-tool"
PackageType: Zip
CodeUri: packaging/mcp-tool-lambda.zip
Handler: mcp-tool-handler.lambda_handler
Description: MCP Tool Lambda for Bedrock AgentCore Gateway MCP testing (ZIP-based)
Role: !GetAtt MCPToolFunctionRole.Arn
# Environment variables
Environment:
Variables:
ENVIRONMENT: !Ref Environment
LOG_LEVEL: INFO
# Tracing
Tracing: Active
Outputs:
MCPToolFunctionName:
Description: MCP Tool Lambda Function Name
Value: !Ref MCPToolFunction
Export:
Name: !Sub "${AWS::StackName}-MCPToolFunctionName"
MCPToolFunctionArn:
Description: MCP Tool Lambda Function ARN
Value: !GetAtt MCPToolFunction.Arn
Export:
Name: !Sub "${AWS::StackName}-MCPToolFunctionArn"
MCPToolFunctionRoleArn:
Description: MCP Tool Lambda Function Role ARN
Value: !GetAtt MCPToolFunctionRole.Arn
Export:
Name: !Sub "${AWS::StackName}-MCPToolFunctionRoleArn"
BedrockAgentCoreGatewayExecutionRoleName:
Description: Bedrock AgentCore Gateway Execution Role Name
Value: !Ref BedrockAgentCoreGatewayExecutionRole
Export:
Name: !Sub "${AWS::StackName}-BedrockAgentCoreGatewayExecutionRoleName"
BedrockAgentCoreGatewayExecutionRoleArn:
Description: Bedrock AgentCore Gateway Execution Role ARN - Use this role when creating Bedrock AgentCore Gateway targets
Value: !GetAtt BedrockAgentCoreGatewayExecutionRole.Arn
Export:
Name: !Sub "${AWS::StackName}-BedrockAgentCoreGatewayExecutionRoleArn"
Reference in New Issue Copy Permalink