mirror of
https://github.com/awslabs/amazon-bedrock-agentcore-samples.git
synced 2025-09-08 20:50:46 +00:00
01246a98b2
* feat: Add AWS Operations Agent with AgentCore Runtime - Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore - Added comprehensive deployment scripts for DIY and SDK runtime modes - Implemented OAuth2/PKCE authentication with Okta integration - Added MCP (Model Context Protocol) tool support for AWS service operations - Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders - Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker - Includes chatbot client, gateway management scripts, and comprehensive testing - Ready for public GitHub with security-cleared configuration files Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders * Update AWS Operations Agent architecture diagram * feat: Enhance AWS Operations Agent with improved testing and deployment - Update README with new local container testing approach using run-*-local-container.sh scripts - Replace deprecated SAM-based MCP Lambda deployment with ZIP-based deployment - Add no-cache flag to Docker builds to ensure clean builds - Update deployment scripts to use consolidated configuration files - Add comprehensive cleanup scripts for all deployment components - Improve error handling and credential validation in deployment scripts - Add new MCP tool deployment using ZIP packaging instead of Docker containers - Update configuration management to use dynamic-config.yaml structure - Add local testing capabilities with containerized agents - Remove outdated test scripts and replace with interactive chat client approach * fix: Update IAM policy configurations - Update bac-permissions-policy.json with enhanced permissions - Update bac-trust-policy.json for improved trust relationships * fix: Update Docker configurations for agent runtimes - Update Dockerfile.diy with improved container configuration - Update Dockerfile.sdk with enhanced build settings * fix: Update OAuth iframe flow configuration - Update iframe-oauth-flow.html with improved OAuth handling * feat: Update AWS Operations Agent configuration and cleanup - Update IAM permissions policy with enhanced access controls - Update IAM trust policy with improved security conditions - Enhance OAuth iframe flow with better UX and error handling - Improve chatbot client with enhanced local testing capabilities - Remove cache files and duplicate code for cleaner repository * docs: Add architecture diagrams and update README - Add architecture-2.jpg and flow.jpg diagrams for better visualization - Update README.md with enhanced documentation and diagrams * Save current work before resolving merge conflicts * Keep AWS-operations-agent changes (local version takes precedence) * Fix: Remove merge conflict markers from AWS-operations-agent files - restore clean version * Fix deployment and cleanup script issues Major improvements and fixes: Configuration Management: - Fix role assignment in gateway creation (use bac-execution-role instead of Lambda role) - Add missing role_arn cleanup in MCP tool deletion script - Fix OAuth provider deletion script configuration clearing - Improve memory deletion script to preserve quote consistency - Add Lambda invoke permissions to bac-permissions-policy.json Script Improvements: - Reorganize deletion scripts: 11-delete-oauth-provider.sh, 12-delete-memory.sh, 13-cleanup-everything.sh - Fix interactive prompt handling in cleanup scripts (echo -e format) - Add yq support with sed fallbacks for better YAML manipulation - Remove obsolete 04-deploy-mcp-tool-lambda-zip.sh script Architecture Fixes: - Correct gateway role assignment to use runtime.role_arn (bac-execution-role) - Ensure proper role separation between gateway and Lambda execution - Fix configuration cleanup to clear all dynamic config fields consistently Documentation: - Update README with clear configuration instructions - Maintain security best practices with placeholder values - Add comprehensive deployment and cleanup guidance These changes address systematic issues with cleanup scripts, role assignments, and configuration management while maintaining security best practices. * Update README.md with comprehensive documentation Enhanced documentation includes: - Complete project structure with 75 files - Step-by-step deployment guide with all 13 scripts - Clear configuration instructions with security best practices - Dual agent architecture documentation (DIY + SDK) - Authentication flow and security implementation details - Troubleshooting guide and operational procedures - Local testing and container development guidance - Tool integration and MCP protocol documentation The README now provides complete guidance for deploying and operating the AWS Support Agent with Amazon Bedrock AgentCore system. --------- Co-authored-by: name <alias@amazon.com>
217 lines
7.5 KiB
YAML
217 lines
7.5 KiB
YAML
AWSTemplateFormatVersion: '2010-09-09'
|
|
Transform: AWS::Serverless-2016-10-31
|
|
Description: MCP Tool Lambda for Bedrock AgentCore Gateway MCP testing (ZIP-based deployment)
|
|
|
|
Parameters:
|
|
Environment:
|
|
Type: String
|
|
Default: prod
|
|
Description: Environment name for CloudFormation tags only
|
|
|
|
Globals:
|
|
Function:
|
|
Timeout: 900 # 15 minutes
|
|
MemorySize: 3008 # Maximum memory for performance
|
|
Runtime: python3.12
|
|
Architectures: [x86_64]
|
|
|
|
Resources:
|
|
# Bedrock AgentCore Gateway Execution Role - Role that Bedrock AgentCore Gateway assumes to invoke Lambda functions
|
|
BedrockAgentCoreGatewayExecutionRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
RoleName: bac-gateway-execution-role
|
|
AssumeRolePolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
# Production Bedrock AgentCore Gateway - Bedrock AgentCore service principal with required conditions
|
|
- Effect: Allow
|
|
Principal:
|
|
Service: bedrock-agentcore.amazonaws.com
|
|
Action: sts:AssumeRole
|
|
Condition:
|
|
StringEquals:
|
|
aws:SourceAccount: !Ref AWS::AccountId
|
|
ArnLike:
|
|
aws:SourceArn: !Sub "arn:aws:bedrock-agentcore:${AWS::Region}:${AWS::AccountId}:gateway/bac-gtw-*"
|
|
Policies:
|
|
- PolicyName: BedrockAgentCoreGatewayExecutionPolicy
|
|
PolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Sid: InvokeLambdaFunctions
|
|
Effect: Allow
|
|
Action:
|
|
- lambda:InvokeFunction
|
|
Resource: '*'
|
|
- Sid: BedrockAgentCorePermissions
|
|
Effect: Allow
|
|
Action:
|
|
- bedrock-agentcore:*
|
|
Resource: '*'
|
|
- Sid: CloudWatchLogsPermissions
|
|
Effect: Allow
|
|
Action:
|
|
- logs:CreateLogGroup
|
|
- logs:CreateLogStream
|
|
- logs:PutLogEvents
|
|
- logs:DescribeLogGroups
|
|
- logs:DescribeLogStreams
|
|
Resource: '*'
|
|
Tags:
|
|
- Key: Project
|
|
Value: lambda-adaptor-bedrock-agentcore
|
|
- Key: Component
|
|
Value: bedrock-agentcore-gateway-execution
|
|
- Key: Environment
|
|
Value: !Ref Environment
|
|
- Key: ManagedBy
|
|
Value: SAM
|
|
|
|
# Custom Lambda Execution Role with Bedrock AgentCore Trust and AWS Service Permissions
|
|
MCPToolFunctionRole:
|
|
Type: AWS::IAM::Role
|
|
Properties:
|
|
AssumeRolePolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
# Allow Lambda service to assume this role
|
|
- Effect: Allow
|
|
Principal:
|
|
Service: lambda.amazonaws.com
|
|
Action: sts:AssumeRole
|
|
# Allow Bedrock AgentCore service to assume this role
|
|
- Effect: Allow
|
|
Principal:
|
|
Service: bedrock-agentcore.amazonaws.com
|
|
Action: sts:AssumeRole
|
|
ManagedPolicyArns:
|
|
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
|
|
- arn:aws:iam::aws:policy/ReadOnlyAccess
|
|
Policies:
|
|
- PolicyName: BedrockInvokePolicy
|
|
PolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- bedrock:InvokeModel
|
|
- bedrock:InvokeModelWithResponseStream
|
|
Resource: '*'
|
|
- PolicyName: CostExplorerPolicy
|
|
PolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- ce:GetCostAndUsage
|
|
- ce:GetUsageReport
|
|
- ce:GetReservationCoverage
|
|
- ce:GetReservationPurchaseRecommendation
|
|
- ce:GetReservationUtilization
|
|
- ce:GetDimensionValues
|
|
- ce:GetMetricValues
|
|
- ce:ListCostCategoryDefinitions
|
|
- ce:GetCostCategories
|
|
- ce:GetRightsizingRecommendation
|
|
- ce:GetSavingsPlansUtilization
|
|
- ce:GetSavingsPlansUtilizationDetails
|
|
- ce:GetSavingsPlansCoverage
|
|
- ce:GetSavingsPlansUsage
|
|
- ce:GetUsageForecast
|
|
- ce:GetCostForecast
|
|
Resource: '*'
|
|
- PolicyName: BudgetsPolicy
|
|
PolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- budgets:ViewBudget
|
|
- budgets:DescribeBudgets
|
|
- budgets:DescribeBudget
|
|
- budgets:DescribeBudgetAction
|
|
- budgets:DescribeBudgetActions
|
|
- budgets:DescribeBudgetActionsForAccount
|
|
- budgets:DescribeBudgetActionsForBudget
|
|
- budgets:DescribeBudgetNotificationsForAccount
|
|
- budgets:DescribeBudgetPerformanceHistory
|
|
- budgets:DescribeNotificationsForBudget
|
|
- budgets:DescribeSubscribersForNotification
|
|
Resource: '*'
|
|
- PolicyName: CloudWatchLogsPolicy
|
|
PolicyDocument:
|
|
Version: '2012-10-17'
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- logs:CreateLogGroup
|
|
- logs:CreateLogStream
|
|
- logs:PutLogEvents
|
|
Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/bac-mcp-tool:*"
|
|
Tags:
|
|
- Key: Project
|
|
Value: lambda-adaptor-bedrock-agentcore
|
|
- Key: Component
|
|
Value: mcp-tool-lambda
|
|
- Key: Environment
|
|
Value: !Ref Environment
|
|
|
|
# CloudWatch Log Group
|
|
MCPToolLogGroup:
|
|
Type: AWS::Logs::LogGroup
|
|
Properties:
|
|
LogGroupName: /aws/lambda/bac-mcp-tool
|
|
RetentionInDays: 14
|
|
|
|
# MCP Tool Lambda Function (ZIP-based)
|
|
MCPToolFunction:
|
|
Type: AWS::Serverless::Function
|
|
Properties:
|
|
FunctionName: "bac-mcp-tool"
|
|
PackageType: Zip
|
|
CodeUri: packaging/mcp-tool-lambda.zip
|
|
Handler: mcp-tool-handler.lambda_handler
|
|
Description: MCP Tool Lambda for Bedrock AgentCore Gateway MCP testing (ZIP-based)
|
|
Role: !GetAtt MCPToolFunctionRole.Arn
|
|
|
|
# Environment variables
|
|
Environment:
|
|
Variables:
|
|
ENVIRONMENT: !Ref Environment
|
|
LOG_LEVEL: INFO
|
|
|
|
# Tracing
|
|
Tracing: Active
|
|
|
|
Outputs:
|
|
MCPToolFunctionName:
|
|
Description: MCP Tool Lambda Function Name
|
|
Value: !Ref MCPToolFunction
|
|
Export:
|
|
Name: !Sub "${AWS::StackName}-MCPToolFunctionName"
|
|
|
|
MCPToolFunctionArn:
|
|
Description: MCP Tool Lambda Function ARN
|
|
Value: !GetAtt MCPToolFunction.Arn
|
|
Export:
|
|
Name: !Sub "${AWS::StackName}-MCPToolFunctionArn"
|
|
|
|
MCPToolFunctionRoleArn:
|
|
Description: MCP Tool Lambda Function Role ARN
|
|
Value: !GetAtt MCPToolFunctionRole.Arn
|
|
Export:
|
|
Name: !Sub "${AWS::StackName}-MCPToolFunctionRoleArn"
|
|
|
|
BedrockAgentCoreGatewayExecutionRoleName:
|
|
Description: Bedrock AgentCore Gateway Execution Role Name
|
|
Value: !Ref BedrockAgentCoreGatewayExecutionRole
|
|
Export:
|
|
Name: !Sub "${AWS::StackName}-BedrockAgentCoreGatewayExecutionRoleName"
|
|
|
|
BedrockAgentCoreGatewayExecutionRoleArn:
|
|
Description: Bedrock AgentCore Gateway Execution Role ARN - Use this role when creating Bedrock AgentCore Gateway targets
|
|
Value: !GetAtt BedrockAgentCoreGatewayExecutionRole.Arn
|
|
Export:
|
|
Name: !Sub "${AWS::StackName}-BedrockAgentCoreGatewayExecutionRoleArn"
|