
fix(02-use-cases): SRE-Agent Deployment (#179) * Add missing credential_provider_name parameter to config.yaml.example * Fix get_config function to properly parse YAML values with inline comments * Enhanced get_config to prevent copy-paste whitespace errors in AWS identifiers * Improve LLM provider configuration and error handling with bedrock as default * Add OpenAPI templating system and fix hardcoded regions * Add backend template build to Readme * delete old yaml files * Fix Cognito setup with automation script and missing domain creation steps * docs: Add EC2 instance port configuration documentation - Document required inbound ports (443, 8011-8014) - Include SSL/TLS security requirements - Add AWS security group best practices - Provide port usage summary table * docs: Add hyperlinks to prerequisites in README - Link EC2 port configuration documentation - Link IAM role authentication setup - Improve navigation to detailed setup instructions * docs: Add BACKEND_API_KEY to configuration documentation - Document gateway environment variables section - Add BACKEND_API_KEY requirement for credential provider - Include example .env file format for gateway directory - Explain usage in create_gateway.sh script * docs: Add BACKEND_API_KEY to deployment guide environment variables - Include BACKEND_API_KEY in environment variables reference table - Mark as required for gateway setup - Provide quick reference alongside other required variables * docs: Add BedrockAgentCoreFullAccess policy and trust policy documentation - Document AWS managed policy BedrockAgentCoreFullAccess - Add trust policy requirements for bedrock-agentcore.amazonaws.com - Reorganize IAM permissions for better clarity - Remove duplicate trust policy section - Add IAM role requirement to deployment prerequisites * docs: Document role_name field in gateway config example - Explain that role_name is used to create and manage the gateway - Specify BedrockAgentCoreFullAccess policy requirement - Note 
trust policy requirement for bedrock-agentcore.amazonaws.com - Improve clarity for gateway configuration setup * docs: Add AWS IP address ranges for production security enhancement - Document AWS IP ranges JSON download for restricting access - Reference official AWS documentation for IP address ranges - Provide security alternatives to 0.0.0.0/0 for production - Include examples of restricted security group configurations - Enable egress filtering and region-specific access control * style: Format Python code with black - Reformat 14 Python files for consistent code style - Apply PEP 8 formatting standards - Improve code readability and maintainability * docs: Update SRE agent prerequisites and setup documentation - Convert prerequisites section to markdown table format - Add SSL certificate provider examples (no-ip.com, letsencrypt.org) - Add Identity Provider (IDP) requirement with setup_cognito.sh reference - Clarify that all prerequisites must be completed before setup - Add reference to domain name and cert paths needed for BACKEND_DOMAIN - Remove Managing OpenAPI Specifications section (covered in use-case setup) - Add Deployment Guide link to Development to Production section Addresses issues #171 and #174 * fix: Replace 'AWS Bedrock' with 'Amazon Bedrock' in SRE agent files - Updated error messages in llm_utils.py - Updated comments in both .env.example files - Ensures consistent naming convention across SRE agent codebase --------- Co-authored-by: dheerajoruganty <dheo@amazon.com> Co-authored-by: Amit Arora <aroraai@amazon.com>
2025-08-01 13:24:58 -04:00
#!/bin/bash
# Cognito Setup Automation Script for SRE Agent
# Creates complete Cognito infrastructure for AgentCore Gateway authentication
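# Abort on the first failing command, on unset variables, and on a failing
# stage anywhere in a pipeline (not only the last one).
set -euo pipefail
# Configuration defaults (can be overridden by environment variables)
# REGION: region for every cognito-idp call and for the hosted domain URL.
REGION="${AWS_REGION:-us-east-1}"
# POOL_NAME: name of the user pool to create.
POOL_NAME="${COGNITO_POOL_NAME:-sre-agent-user-pool}"
# DOMAIN_PREFIX: hosted domain prefix; the epoch suffix yields a fresh default
# on every run.
DOMAIN_PREFIX="${COGNITO_DOMAIN_PREFIX:-sre-agent-$(date +%s)}"
# RESOURCE_SERVER_ID: identifier of the resource server whose read/write scopes
# the app client is granted.
RESOURCE_SERVER_ID="${COGNITO_RESOURCE_SERVER_ID:-sre-agent-api}"
# CLIENT_NAME: name of the app client created for client_credentials flow.
CLIENT_NAME="${COGNITO_CLIENT_NAME:-sre-agent-client}"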
# ANSI colour escapes for the log_* helpers. They are stored as literal
# backslash sequences; the helpers hand them to echo -e, which interprets them.
declare RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m'
# Reset sequence ("No Color") appended after every coloured message.
declare NC='\033[0m'
# Logging functions
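# Print an informational message in blue. $1 is printed verbatim via %s, so a
# message containing backslashes or starting with "-" is not reinterpreted the
# way `echo -e` would; only the colour codes go through %b.
log_info() { printf '%b %s%b\n' "$BLUE" "$1" "$NC"; }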
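# Print a success message in green; $1 is printed verbatim (see log_info).
log_success() { printf '%b%s%b\n' "$GREEN" "$1" "$NC"; }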
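# Print a warning in yellow with a leading warning sign; $1 is printed verbatim.
log_warning() { printf '%b⚠️ %s%b\n' "$YELLOW" "$1" "$NC"; }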
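# Print an error message in red; $1 is printed verbatim (see log_info).
log_error() { printf '%b%s%b\n' "$RED" "$1" "$NC"; }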
# Verify that the AWS CLI is on PATH and that it can obtain caller credentials.
# Outputs: progress via log_info/log_success, failures via log_error
# Returns: 0 when both checks pass; exits 1 otherwise
check_prerequisites() {
  log_info "Checking prerequisites..."
  command -v aws >/dev/null 2>&1 || {
    log_error "AWS CLI is not installed. Please install it first."
    exit 1
  }
  # A successful STS call proves credentials are configured and usable.
  aws sts get-caller-identity >/dev/null 2>&1 || {
    log_error "AWS CLI is not configured. Please run 'aws configure' first."
    exit 1
  }
  log_success "Prerequisites check passed"
}
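# Create the Cognito user pool $POOL_NAME in $REGION.
# Globals:  REGION, POOL_NAME (read); USER_POOL_ID (written)
# Outputs:  appends USER_POOL_ID=... to ./.cognito_config
# Returns:  exits 1 when the pool cannot be created or no id comes back
create_user_pool() {
  log_info "Creating Cognito User Pool: $POOL_NAME..."
  # The CLI call runs inside the if-condition: with `set -e` a bare failing
  # command would end the script before the error branch below could log it,
  # and a `$?` check after the assignment would never run.
  if USER_POOL_ID=$(aws cognito-idp create-user-pool \
      --region "$REGION" \
      --pool-name "$POOL_NAME" \
      --query 'UserPool.Id' \
      --output text) && [[ -n "$USER_POOL_ID" ]]; then
    log_success "User Pool created: $USER_POOL_ID"
    # This is the first write to .cognito_config, which later receives the
    # client secret; create it owner-only (0600) from the start.
    ( umask 077; printf '%s\n' "USER_POOL_ID=$USER_POOL_ID" >> .cognito_config )
  else
    log_error "Failed to create User Pool"
    exit 1
  fi
}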
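# Create the hosted domain $DOMAIN_PREFIX for the user pool, picking a new
# prefix first if that one is already taken.
# Globals:  REGION, USER_POOL_ID (read); DOMAIN_PREFIX, COGNITO_DOMAIN (written)
# Outputs:  appends COGNITO_DOMAIN=... and DOMAIN_PREFIX=... to ./.cognito_config
# Returns:  exits 1 when the domain cannot be created
create_user_pool_domain() {
  local existing
  log_info "Creating User Pool Domain: $DOMAIN_PREFIX..."
  # describe-user-pool-domain can exit 0 with an empty DomainDescription for a
  # prefix that does not exist, so the exit status alone does not say whether
  # the name is taken; look at the returned Domain field instead (text output
  # prints "None" for a missing value). Any CLI error is treated as "not taken".
  existing=$(aws cognito-idp describe-user-pool-domain \
    --region "$REGION" \
    --domain "$DOMAIN_PREFIX" \
    --query 'DomainDescription.Domain' \
    --output text 2>/dev/null) || existing=""
  if [[ -n "$existing" && "$existing" != "None" ]]; then
    log_warning "Domain $DOMAIN_PREFIX already exists. Generating new domain..."
    # $RANDOM is a bash builtin; shuf is not available everywhere (e.g. macOS).
    # Same 100-999 range as before.
    DOMAIN_PREFIX="sre-agent-$(date +%s)-$(( RANDOM % 900 + 100 ))"
    log_info "Using new domain: $DOMAIN_PREFIX"
  fi
  # Run the CLI inside the condition so that, under `set -e`, a failure reaches
  # the error branch instead of killing the script silently.
  if aws cognito-idp create-user-pool-domain \
      --region "$REGION" \
      --domain "$DOMAIN_PREFIX" \
      --user-pool-id "$USER_POOL_ID"; then
    COGNITO_DOMAIN="https://$DOMAIN_PREFIX.auth.$REGION.amazoncognito.com"
    log_success "User Pool Domain created: $COGNITO_DOMAIN"
    printf '%s\n' "COGNITO_DOMAIN=$COGNITO_DOMAIN" "DOMAIN_PREFIX=$DOMAIN_PREFIX" >> .cognito_config
  else
    log_error "Failed to create User Pool Domain"
    exit 1
  fi
}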
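# Register the resource server $RESOURCE_SERVER_ID with read/write scopes on
# the user pool.
# Globals:  REGION, USER_POOL_ID, RESOURCE_SERVER_ID (read)
# Outputs:  appends RESOURCE_SERVER_ID=... to ./.cognito_config
# Returns:  exits 1 when the CLI call fails
create_resource_server() {
  log_info "Creating Resource Server: $RESOURCE_SERVER_ID..."
  # The CLI call is the if-condition: under `set -e` a bare failing command
  # would terminate the script before the error branch could report it, so a
  # trailing `$?` check never had a chance to run.
  if aws cognito-idp create-resource-server \
      --region "$REGION" \
      --user-pool-id "$USER_POOL_ID" \
      --identifier "$RESOURCE_SERVER_ID" \
      --name "SRE Agent API Resource Server" \
      --scopes '[
{"ScopeName":"read","ScopeDescription":"Read access to SRE Agent APIs"},
{"ScopeName":"write","ScopeDescription":"Write access to SRE Agent APIs"}
]'; then
    log_success "Resource Server created: $RESOURCE_SERVER_ID"
    printf '%s\n' "RESOURCE_SERVER_ID=$RESOURCE_SERVER_ID" >> .cognito_config
  else
    log_error "Failed to create Resource Server"
    exit 1
  fi
}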
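# Create the confidential app client $CLIENT_NAME (client_credentials flow,
# read/write scopes of $RESOURCE_SERVER_ID) and record its id and secret.
# Globals:  REGION, USER_POOL_ID, CLIENT_NAME, RESOURCE_SERVER_ID (read);
#           CLIENT_ID, CLIENT_SECRET (written)
# Outputs:  appends COGNITO_CLIENT_ID=... and COGNITO_CLIENT_SECRET=... to
#           ./.cognito_config; only the client id is logged, never the secret
# Returns:  exits 1 when the client cannot be created or the response is short
create_app_client() {
  local client_response
  log_info "Creating App Client: $CLIENT_NAME..."
  # Ask the CLI for a tab-separated "ClientId<TAB>ClientSecret" line and split it
  # with `read`; this drops the runtime dependency on jq (which
  # check_prerequisites does not verify). The call sits in the if-condition so
  # that under `set -e` a failure reaches the error branch instead of aborting
  # the script before it is logged.
  if client_response=$(aws cognito-idp create-user-pool-client \
      --region "$REGION" \
      --user-pool-id "$USER_POOL_ID" \
      --client-name "$CLIENT_NAME" \
      --generate-secret \
      --allowed-o-auth-flows client_credentials \
      --allowed-o-auth-scopes "$RESOURCE_SERVER_ID/read" "$RESOURCE_SERVER_ID/write" \
      --allowed-o-auth-flows-user-pool-client \
      --supported-identity-providers "COGNITO" \
      --query 'UserPoolClient.[ClientId,ClientSecret]' \
      --output text) \
     && IFS=$'\t' read -r CLIENT_ID CLIENT_SECRET <<<"$client_response" \
     && [[ -n "$CLIENT_ID" && -n "$CLIENT_SECRET" ]]; then
    log_success "App Client created: $CLIENT_ID"
    # The secret lands in .cognito_config: make the file owner-only before
    # appending so it is never readable by other local users.
    touch .cognito_config && chmod 600 .cognito_config
    printf '%s\n' "COGNITO_CLIENT_ID=$CLIENT_ID" "COGNITO_CLIENT_SECRET=$CLIENT_SECRET" >> .cognito_config
  else
    log_error "Failed to create App Client"
    exit 1
  fi
}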
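# Write ../gateway/.env with the Cognito values collected so far.
# Globals:  COGNITO_DOMAIN, CLIENT_ID, CLIENT_SECRET, USER_POOL_ID,
#           RESOURCE_SERVER_ID, REGION (read); ENV_FILE (written)
# Outputs:  creates ../gateway/.env (owner-only, since it holds the client secret)
# Returns:  exits 1 when ../gateway does not exist
generate_env_file() {
  log_info "Generating .env file..."
  ENV_FILE="../gateway/.env"
  local env_dir="${ENV_FILE%/*}"
  # The path is relative to the current working directory (as is
  # .cognito_config), so fail with a clear message rather than a cryptic cat error.
  if [[ ! -d "$env_dir" ]]; then
    log_error "Directory $env_dir not found; run this script from the directory next to gateway/"
    exit 1
  fi
  # The file carries COGNITO_CLIENT_SECRET: recreate it under umask 077 so it
  # is owner-only from the moment it exists (cat > on an existing file would keep
  # whatever permissions it already had).
  rm -f -- "$ENV_FILE"
  (
    umask 077
    cat > "$ENV_FILE" << EOF
# Cognito Configuration for SRE Agent
# Generated by deployment/setup_cognito.sh on $(date)
# Cognito Domain (for token generation)
COGNITO_DOMAIN=$COGNITO_DOMAIN
# Cognito Client Credentials
COGNITO_CLIENT_ID=$CLIENT_ID
COGNITO_CLIENT_SECRET=$CLIENT_SECRET
# Additional Configuration
USER_POOL_ID=$USER_POOL_ID
RESOURCE_SERVER_ID=$RESOURCE_SERVER_ID
REGION=$REGION
EOF
  )
  log_success "Environment file created: $ENV_FILE"
}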
# Print the final configuration summary and next steps to stdout.
# Globals:  REGION, USER_POOL_ID, COGNITO_DOMAIN, CLIENT_ID, RESOURCE_SERVER_ID (read)
# Outputs:  the summary; the client secret is deliberately not among the lines printed
display_summary() {
  log_info "🎉 Cognito Setup Complete! Here's your configuration:"
  printf '%s\n' \
    "" \
    "📋 Configuration Summary:" \
    " Region: $REGION" \
    " User Pool ID: $USER_POOL_ID" \
    " Domain: $COGNITO_DOMAIN" \
    " Client ID: $CLIENT_ID" \
    " Resource Server: $RESOURCE_SERVER_ID" \
    "" \
    "📁 Files Created:" \
    " ✓ .cognito_config (backup configuration)" \
    " ✓ ../gateway/.env (environment variables)" \
    "" \
    "🚀 Next Steps:" \
    " 1. Update gateway/config.yaml with your User Pool ID:" \
    " user_pool_id: \"$USER_POOL_ID\"" \
    " client_id: \"$CLIENT_ID\"" \
    "" \
    " 2. Test token generation:" \
    " cd ../gateway && python generate_token.py" \
    "" \
    " 3. Create your gateway:" \
    " cd ../gateway && ./create_gateway.sh" \
    "" \
    "🔗 Discovery URL for gateway configuration:" \
    " https://cognito-idp.$REGION.amazonaws.com/$USER_POOL_ID/.well-known/openid-configuration"
}
# Entry point: run every setup step in order, then report success.
# Outputs:  progress banners on stdout; ./.cognito_config and ../gateway/.env
#           are (re)created by the individual steps
main() {
  local step
  printf '%s\n\n' "🚀 Starting Cognito Setup for SRE Agent..."
  # Start from a clean backup file; each create_* step appends its values.
  rm -f .cognito_config
  for step in \
      check_prerequisites \
      create_user_pool \
      create_user_pool_domain \
      create_resource_server \
      create_app_client \
      generate_env_file \
      display_summary; do
    "$step"
  done
  log_success "Cognito setup completed successfully!"
}
# Run main only when the file is executed directly; sourcing it merely loads
# the function definitions. The `-` default keeps the comparison valid even
# when BASH_SOURCE is unset and the shell runs with `set -u`.
if [[ "${BASH_SOURCE[0]-}" == "$0" ]]; then
  main "$@"
fi