fix (02-use-cases): AWS Operations Agent updated with AgentCore Runtime (#177)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
---------
Co-authored-by: name <alias@amazon.com>
2025-07-31 11:59:30 -07:00
# Static Configuration - Manual edits only
# This file contains all configuration values that are manually set and do not change during deployment
# AWS Settings (used by ALL deployment scripts and agents)
aws :
region : "us-east-1"
account_id : "<YOUR_AWS_ACCOUNT_ID>"
# Model Settings (used by agents via get_model_settings())
agents :
modelid : "us.anthropic.claude-3-7-sonnet-20250219-v1:0"
max_concurrent : 2
payload_formats :
diy : "direct"
sdk : "direct"
streaming : true
# Okta OAuth2 Configuration (used by deployment scripts and gateway creation)
okta :
domain : "<YOUR_OKTA_DOMAIN>"
2025-08-11 07:03:46 -07:00
# OAuth2 authorization server configuration (recommended to keep default authorization server. otherwise change the configuration urls accordingly)
fix (02-use-cases): AWS Operations Agent updated with AgentCore Runtime (#177)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
---------
Co-authored-by: name <alias@amazon.com>
2025-07-31 11:59:30 -07:00
authorization_server : "default"
# Client configuration for client credentials flow (app-to-app)
Configuration Management Fixes (#223)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
* feat: Enhance AWS Operations Agent with improved testing and deployment
- Update README with new local container testing approach using run-*-local-container.sh scripts
- Replace deprecated SAM-based MCP Lambda deployment with ZIP-based deployment
- Add no-cache flag to Docker builds to ensure clean builds
- Update deployment scripts to use consolidated configuration files
- Add comprehensive cleanup scripts for all deployment components
- Improve error handling and credential validation in deployment scripts
- Add new MCP tool deployment using ZIP packaging instead of Docker containers
- Update configuration management to use dynamic-config.yaml structure
- Add local testing capabilities with containerized agents
- Remove outdated test scripts and replace with interactive chat client approach
* fix: Update IAM policy configurations
- Update bac-permissions-policy.json with enhanced permissions
- Update bac-trust-policy.json for improved trust relationships
* fix: Update Docker configurations for agent runtimes
- Update Dockerfile.diy with improved container configuration
- Update Dockerfile.sdk with enhanced build settings
* fix: Update OAuth iframe flow configuration
- Update iframe-oauth-flow.html with improved OAuth handling
* feat: Update AWS Operations Agent configuration and cleanup
- Update IAM permissions policy with enhanced access controls
- Update IAM trust policy with improved security conditions
- Enhance OAuth iframe flow with better UX and error handling
- Improve chatbot client with enhanced local testing capabilities
- Remove cache files and duplicate code for cleaner repository
* docs: Add architecture diagrams and update README
- Add architecture-2.jpg and flow.jpg diagrams for better visualization
- Update README.md with enhanced documentation and diagrams
* Save current work before resolving merge conflicts
* Keep AWS-operations-agent changes (local version takes precedence)
* Fix: Remove merge conflict markers from AWS-operations-agent files - restore clean version
* Fix deployment and cleanup script issues
Major improvements and fixes:
Configuration Management:
- Fix role assignment in gateway creation (use bac-execution-role instead of Lambda role)
- Add missing role_arn cleanup in MCP tool deletion script
- Fix OAuth provider deletion script configuration clearing
- Improve memory deletion script to preserve quote consistency
- Add Lambda invoke permissions to bac-permissions-policy.json
Script Improvements:
- Reorganize deletion scripts: 11-delete-oauth-provider.sh, 12-delete-memory.sh, 13-cleanup-everything.sh
- Fix interactive prompt handling in cleanup scripts (echo -e format)
- Add yq support with sed fallbacks for better YAML manipulation
- Remove obsolete 04-deploy-mcp-tool-lambda-zip.sh script
Architecture Fixes:
- Correct gateway role assignment to use runtime.role_arn (bac-execution-role)
- Ensure proper role separation between gateway and Lambda execution
- Fix configuration cleanup to clear all dynamic config fields consistently
Documentation:
- Update README with clear configuration instructions
- Maintain security best practices with placeholder values
- Add comprehensive deployment and cleanup guidance
These changes address systematic issues with cleanup scripts, role assignments,
and configuration management while maintaining security best practices.
* Update README.md with comprehensive documentation
Enhanced documentation includes:
- Complete project structure with 75 files
- Step-by-step deployment guide with all 13 scripts
- Clear configuration instructions with security best practices
- Dual agent architecture documentation (DIY + SDK)
- Authentication flow and security implementation details
- Troubleshooting guide and operational procedures
- Local testing and container development guidance
- Tool integration and MCP protocol documentation
The README now provides complete guidance for deploying and operating
the AWS Support Agent with Amazon Bedrock AgentCore system.
---------
Co-authored-by: name <alias@amazon.com>
2025-08-09 13:51:24 -07:00
#client_credentials:
# client_id: "<YOUR_OKTA_CLIENT_ID>"
# client_secret: "${OKTA_CLIENT_SECRET}"
# scope: "api"
fix (02-use-cases): AWS Operations Agent updated with AgentCore Runtime (#177)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
---------
Co-authored-by: name <alias@amazon.com>
2025-07-31 11:59:30 -07:00
# Client configuration for user authentication (PKCE flow)
user_auth :
client_id : "<YOUR_OKTA_CLIENT_ID>"
Configuration Management Fixes (#223)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
* feat: Enhance AWS Operations Agent with improved testing and deployment
- Update README with new local container testing approach using run-*-local-container.sh scripts
- Replace deprecated SAM-based MCP Lambda deployment with ZIP-based deployment
- Add no-cache flag to Docker builds to ensure clean builds
- Update deployment scripts to use consolidated configuration files
- Add comprehensive cleanup scripts for all deployment components
- Improve error handling and credential validation in deployment scripts
- Add new MCP tool deployment using ZIP packaging instead of Docker containers
- Update configuration management to use dynamic-config.yaml structure
- Add local testing capabilities with containerized agents
- Remove outdated test scripts and replace with interactive chat client approach
* fix: Update IAM policy configurations
- Update bac-permissions-policy.json with enhanced permissions
- Update bac-trust-policy.json for improved trust relationships
* fix: Update Docker configurations for agent runtimes
- Update Dockerfile.diy with improved container configuration
- Update Dockerfile.sdk with enhanced build settings
* fix: Update OAuth iframe flow configuration
- Update iframe-oauth-flow.html with improved OAuth handling
* feat: Update AWS Operations Agent configuration and cleanup
- Update IAM permissions policy with enhanced access controls
- Update IAM trust policy with improved security conditions
- Enhance OAuth iframe flow with better UX and error handling
- Improve chatbot client with enhanced local testing capabilities
- Remove cache files and duplicate code for cleaner repository
* docs: Add architecture diagrams and update README
- Add architecture-2.jpg and flow.jpg diagrams for better visualization
- Update README.md with enhanced documentation and diagrams
* Save current work before resolving merge conflicts
* Keep AWS-operations-agent changes (local version takes precedence)
* Fix: Remove merge conflict markers from AWS-operations-agent files - restore clean version
* Fix deployment and cleanup script issues
Major improvements and fixes:
Configuration Management:
- Fix role assignment in gateway creation (use bac-execution-role instead of Lambda role)
- Add missing role_arn cleanup in MCP tool deletion script
- Fix OAuth provider deletion script configuration clearing
- Improve memory deletion script to preserve quote consistency
- Add Lambda invoke permissions to bac-permissions-policy.json
Script Improvements:
- Reorganize deletion scripts: 11-delete-oauth-provider.sh, 12-delete-memory.sh, 13-cleanup-everything.sh
- Fix interactive prompt handling in cleanup scripts (echo -e format)
- Add yq support with sed fallbacks for better YAML manipulation
- Remove obsolete 04-deploy-mcp-tool-lambda-zip.sh script
Architecture Fixes:
- Correct gateway role assignment to use runtime.role_arn (bac-execution-role)
- Ensure proper role separation between gateway and Lambda execution
- Fix configuration cleanup to clear all dynamic config fields consistently
Documentation:
- Update README with clear configuration instructions
- Maintain security best practices with placeholder values
- Add comprehensive deployment and cleanup guidance
These changes address systematic issues with cleanup scripts, role assignments,
and configuration management while maintaining security best practices.
* Update README.md with comprehensive documentation
Enhanced documentation includes:
- Complete project structure with 75 files
- Step-by-step deployment guide with all 13 scripts
- Clear configuration instructions with security best practices
- Dual agent architecture documentation (DIY + SDK)
- Authentication flow and security implementation details
- Troubleshooting guide and operational procedures
- Local testing and container development guidance
- Tool integration and MCP protocol documentation
The README now provides complete guidance for deploying and operating
the AWS Support Agent with Amazon Bedrock AgentCore system.
---------
Co-authored-by: name <alias@amazon.com>
2025-08-09 13:51:24 -07:00
audience : "<YOUR_OKTA_AUTHORIZATION_SERVER_AUDIENCE>"
fix (02-use-cases): AWS Operations Agent updated with AgentCore Runtime (#177)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
---------
Co-authored-by: name <alias@amazon.com>
2025-07-31 11:59:30 -07:00
redirect_uri : "http://localhost:8080/callback"
scope : "openid profile email"
2025-08-11 07:03:46 -07:00
# JWT token configuration for M2M flow
fix (02-use-cases): AWS Operations Agent updated with AgentCore Runtime (#177)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
---------
Co-authored-by: name <alias@amazon.com>
2025-07-31 11:59:30 -07:00
jwt :
Configuration Management Fixes (#223)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
* feat: Enhance AWS Operations Agent with improved testing and deployment
- Update README with new local container testing approach using run-*-local-container.sh scripts
- Replace deprecated SAM-based MCP Lambda deployment with ZIP-based deployment
- Add no-cache flag to Docker builds to ensure clean builds
- Update deployment scripts to use consolidated configuration files
- Add comprehensive cleanup scripts for all deployment components
- Improve error handling and credential validation in deployment scripts
- Add new MCP tool deployment using ZIP packaging instead of Docker containers
- Update configuration management to use dynamic-config.yaml structure
- Add local testing capabilities with containerized agents
- Remove outdated test scripts and replace with interactive chat client approach
* fix: Update IAM policy configurations
- Update bac-permissions-policy.json with enhanced permissions
- Update bac-trust-policy.json for improved trust relationships
* fix: Update Docker configurations for agent runtimes
- Update Dockerfile.diy with improved container configuration
- Update Dockerfile.sdk with enhanced build settings
* fix: Update OAuth iframe flow configuration
- Update iframe-oauth-flow.html with improved OAuth handling
* feat: Update AWS Operations Agent configuration and cleanup
- Update IAM permissions policy with enhanced access controls
- Update IAM trust policy with improved security conditions
- Enhance OAuth iframe flow with better UX and error handling
- Improve chatbot client with enhanced local testing capabilities
- Remove cache files and duplicate code for cleaner repository
* docs: Add architecture diagrams and update README
- Add architecture-2.jpg and flow.jpg diagrams for better visualization
- Update README.md with enhanced documentation and diagrams
* Save current work before resolving merge conflicts
* Keep AWS-operations-agent changes (local version takes precedence)
* Fix: Remove merge conflict markers from AWS-operations-agent files - restore clean version
* Fix deployment and cleanup script issues
Major improvements and fixes:
Configuration Management:
- Fix role assignment in gateway creation (use bac-execution-role instead of Lambda role)
- Add missing role_arn cleanup in MCP tool deletion script
- Fix OAuth provider deletion script configuration clearing
- Improve memory deletion script to preserve quote consistency
- Add Lambda invoke permissions to bac-permissions-policy.json
Script Improvements:
- Reorganize deletion scripts: 11-delete-oauth-provider.sh, 12-delete-memory.sh, 13-cleanup-everything.sh
- Fix interactive prompt handling in cleanup scripts (echo -e format)
- Add yq support with sed fallbacks for better YAML manipulation
- Remove obsolete 04-deploy-mcp-tool-lambda-zip.sh script
Architecture Fixes:
- Correct gateway role assignment to use runtime.role_arn (bac-execution-role)
- Ensure proper role separation between gateway and Lambda execution
- Fix configuration cleanup to clear all dynamic config fields consistently
Documentation:
- Update README with clear configuration instructions
- Maintain security best practices with placeholder values
- Add comprehensive deployment and cleanup guidance
These changes address systematic issues with cleanup scripts, role assignments,
and configuration management while maintaining security best practices.
* Update README.md with comprehensive documentation
Enhanced documentation includes:
- Complete project structure with 75 files
- Step-by-step deployment guide with all 13 scripts
- Clear configuration instructions with security best practices
- Dual agent architecture documentation (DIY + SDK)
- Authentication flow and security implementation details
- Troubleshooting guide and operational procedures
- Local testing and container development guidance
- Tool integration and MCP protocol documentation
The README now provides complete guidance for deploying and operating
the AWS Support Agent with Amazon Bedrock AgentCore system.
---------
Co-authored-by: name <alias@amazon.com>
2025-08-09 13:51:24 -07:00
audience : "<YOUR_OKTA_AUTHORIZATION_SERVER_AUDIENCE>"
fix (02-use-cases): AWS Operations Agent updated with AgentCore Runtime (#177)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
---------
Co-authored-by: name <alias@amazon.com>
2025-07-31 11:59:30 -07:00
issuer : "https://<YOUR_OKTA_DOMAIN>/oauth2/default"
discovery_url : "https://<YOUR_OKTA_DOMAIN>/oauth2/default/.well-known/openid-configuration"
cache_duration : 300
refresh_threshold : 60
2025-08-11 07:03:46 -07:00
# AgentCore JWT Authorizer Configuration for Runtime
fix (02-use-cases): AWS Operations Agent updated with AgentCore Runtime (#177)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
---------
Co-authored-by: name <alias@amazon.com>
2025-07-31 11:59:30 -07:00
agentcore :
jwt_authorizer :
discovery_url : "https://<YOUR_OKTA_DOMAIN>/oauth2/default/.well-known/openid-configuration"
allowed_audience :
2025-08-11 07:03:46 -07:00
- "<YOUR_OKTA_AUTHORIZATION_SERVER_AUDIENCE>"
fix (02-use-cases): AWS Operations Agent updated with AgentCore Runtime (#177)
* feat: Add AWS Operations Agent with AgentCore Runtime
- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files
Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders
* Update AWS Operations Agent architecture diagram
---------
Co-authored-by: name <alias@amazon.com>
2025-07-31 11:59:30 -07:00
# Client Settings (used by chatbot client)
client :
default_agent : "sdk"
interface : "cli"
log_level : "INFO"
session_timeout : 480
# Container Settings (used by deployment scripts)
container :
health_path : "/ping"
memory_size : 3008
platform : "linux/arm64"
port : 8080
timeout : 900
# Runtime Base Settings (used by deployment scripts)
runtime :
name_prefix : "bac-runtime"
role_arn : "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/bac-execution-role"
diy_agent :
name : "bac_runtime_diy"
sdk_agent :
name : "bac_runtime_sdk"
# Gateway Base Settings
gateway :
name : "bac-gtw"
protocol : "MCP"
# MCP Lambda Settings (used by deployment scripts)
mcp_lambda :
ecr_repository_name : "bac-mcp-tool-repo"
stack_name : "bac-mcp-stack"
# Memory Settings (used by deployment scripts and agents)
memory :
name : "bac_agent_memory"
description : "BAC Agent conversation memory storage"
event_expiry_days : 90
# Deployment Settings (used by deployment scripts)
deployment :
aws_profile : "" # Leave empty to use default AWS credentials
# Development settings
development :
local_callback_port : 8080
debug_token_validation : true
log_token_claims : false
mock_auth : false
mock_token : ""
# Production settings
production :
require_https : true
validate_token_expiry : true
strict_audience_validation : true
token_request_rate_limit : 10
log_auth_events : true
metrics_enabled : true
# Bedrock agent tools schema for gateway target creation
tools_schema :
- name : "hello_world"
description : "Returns a friendly hello world message"
inputSchema :
type : "object"
properties :
name :
type : "string"
description : "Name to greet (optional)"
required : [ ]
- name : "get_time"
description : "Returns current server time"
inputSchema :
type : "object"
properties : {}
required : [ ]
- name : "ec2_read_operations"
description : "Perform read-only operations on EC2 resources. Accepts natural language queries about EC2 instances, security groups, VPCs, subnets, and key pairs."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about EC2 resources (e.g., 'list running instances', 'show security groups', 'count instances by region')"
required : [ "query" ]
- name : "s3_read_operations"
description : "Perform read-only operations on S3 resources. Accepts natural language queries about S3 buckets, policies, and configurations."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about S3 resources (e.g., 'list all buckets', 'show bucket policies', 'find large buckets')"
required : [ "query" ]
- name : "lambda_read_operations"
description : "Perform read-only operations on Lambda resources. Accepts natural language queries about Lambda functions, layers, and configurations."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about Lambda resources (e.g., 'list all functions', 'show function runtimes', 'find functions with high memory')"
required : [ "query" ]
- name : "cloudformation_read_operations"
description : "Perform read-only operations on CloudFormation resources. Accepts natural language queries about stacks, resources, and templates."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about CloudFormation resources (e.g., 'list all stacks', 'show failed stacks', 'find stack resources')"
required : [ "query" ]
- name : "iam_read_operations"
description : "Perform read-only operations on IAM resources. Accepts natural language queries about users, roles, policies, and groups."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about IAM resources (e.g., 'list all users', 'show admin roles', 'find unused policies')"
required : [ "query" ]
- name : "rds_read_operations"
description : "Perform read-only operations on RDS resources. Accepts natural language queries about database instances, clusters, and configurations."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about RDS resources (e.g., 'list all databases', 'show database engines', 'find large instances')"
required : [ "query" ]
- name : "cloudwatch_read_operations"
description : "Perform read-only operations on CloudWatch resources. Accepts natural language queries about metrics, alarms, and logs."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about CloudWatch resources (e.g., 'show active alarms', 'list log groups', 'find high CPU metrics')"
required : [ "query" ]
- name : "cost_explorer_read_operations"
description : "Perform read-only operations on Cost Explorer. Accepts natural language queries about costs, billing, and usage."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about costs and billing (e.g., 'show monthly costs', 'find expensive services', 'compare last 3 months')"
required : [ "query" ]
- name : "ecs_read_operations"
description : "Perform read-only operations on ECS resources. Accepts natural language queries about clusters, services, and tasks."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about ECS resources (e.g., 'list all clusters', 'show running services', 'find failed tasks')"
required : [ "query" ]
- name : "eks_read_operations"
description : "Perform read-only operations on EKS resources. Accepts natural language queries about Kubernetes clusters and node groups."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about EKS resources (e.g., 'list all clusters', 'show node groups', 'find cluster versions')"
required : [ "query" ]
- name : "sns_read_operations"
description : "Perform read-only operations on SNS resources. Accepts natural language queries about topics and subscriptions."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about SNS resources (e.g., 'list all topics', 'show subscriptions', 'find topic policies')"
required : [ "query" ]
- name : "sqs_read_operations"
description : "Perform read-only operations on SQS resources. Accepts natural language queries about queues and messages."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about SQS resources (e.g., 'list all queues', 'show queue attributes', 'find queues with messages')"
required : [ "query" ]
- name : "dynamodb_read_operations"
description : "Perform read-only operations on DynamoDB resources. Accepts natural language queries about tables and indexes."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about DynamoDB resources (e.g., 'list all tables', 'show table indexes', 'find large tables')"
required : [ "query" ]
- name : "route53_read_operations"
description : "Perform read-only operations on Route53 resources. Accepts natural language queries about DNS zones and records."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about Route53 resources (e.g., 'list hosted zones', 'show DNS records', 'find domain configurations')"
required : [ "query" ]
- name : "apigateway_read_operations"
description : "Perform read-only operations on API Gateway resources. Accepts natural language queries about APIs and deployments."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about API Gateway resources (e.g., 'list all APIs', 'show API stages', 'find API methods')"
required : [ "query" ]
- name : "ses_read_operations"
description : "Perform read-only operations on SES resources. Accepts natural language queries about email identities and configurations."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about SES resources (e.g., 'list verified emails', 'show sending statistics', 'find configuration sets')"
required : [ "query" ]
- name : "bedrock_read_operations"
description : "Perform read-only operations on Bedrock resources. Accepts natural language queries about foundation models and jobs."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about Bedrock resources (e.g., 'list available models', 'show model capabilities', 'find customization jobs')"
required : [ "query" ]
- name : "sagemaker_read_operations"
description : "Perform read-only operations on SageMaker resources. Accepts natural language queries about ML endpoints and models."
inputSchema :
type : "object"
properties :
query :
type : "string"
description : "Natural language query about SageMaker resources (e.g., 'list all endpoints', 'show training jobs', 'find model artifacts')"
required : [ "query" ]
