iSharkFly-Docs/amazon-bedrock-agentcore-samples
1
0
Fork 0
mirror of https://github.com/awslabs/amazon-bedrock-agentcore-samples.git synced 2025-09-08 20:50:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
amazon-bedrock-agentcore-sa.../02-use-cases/AWS-operations-agent/okta-auth/OKTA-OPENID-PKCE-SETUP.md
rohillasandeep 01246a98b2
Configuration Management Fixes (#223) 
* feat: Add AWS Operations Agent with AgentCore Runtime

- Complete rewrite of AWS Operations Agent using Amazon Bedrock AgentCore
- Added comprehensive deployment scripts for DIY and SDK runtime modes
- Implemented OAuth2/PKCE authentication with Okta integration
- Added MCP (Model Context Protocol) tool support for AWS service operations
- Sanitized all sensitive information (account IDs, domains, client IDs) with placeholders
- Added support for 17 AWS services: EC2, S3, Lambda, CloudFormation, IAM, RDS, CloudWatch, Cost Explorer, ECS, EKS, SNS, SQS, DynamoDB, Route53, API Gateway, SES, Bedrock, SageMaker
- Includes chatbot client, gateway management scripts, and comprehensive testing
- Ready for public GitHub with security-cleared configuration files

Security: All sensitive values replaced with <YOUR_AWS_ACCOUNT_ID>, <YOUR_OKTA_DOMAIN>, <YOUR_OKTA_CLIENT_ID> placeholders

* Update AWS Operations Agent architecture diagram

* feat: Enhance AWS Operations Agent with improved testing and deployment

- Update README with new local container testing approach using run-*-local-container.sh scripts
- Replace deprecated SAM-based MCP Lambda deployment with ZIP-based deployment
- Add no-cache flag to Docker builds to ensure clean builds
- Update deployment scripts to use consolidated configuration files
- Add comprehensive cleanup scripts for all deployment components
- Improve error handling and credential validation in deployment scripts
- Add new MCP tool deployment using ZIP packaging instead of Docker containers
- Update configuration management to use dynamic-config.yaml structure
- Add local testing capabilities with containerized agents
- Remove outdated test scripts and replace with interactive chat client approach

* fix: Update IAM policy configurations

- Update bac-permissions-policy.json with enhanced permissions
- Update bac-trust-policy.json for improved trust relationships

* fix: Update Docker configurations for agent runtimes

- Update Dockerfile.diy with improved container configuration
- Update Dockerfile.sdk with enhanced build settings

* fix: Update OAuth iframe flow configuration

- Update iframe-oauth-flow.html with improved OAuth handling

* feat: Update AWS Operations Agent configuration and cleanup

- Update IAM permissions policy with enhanced access controls
- Update IAM trust policy with improved security conditions
- Enhance OAuth iframe flow with better UX and error handling
- Improve chatbot client with enhanced local testing capabilities
- Remove cache files and duplicate code for cleaner repository

* docs: Add architecture diagrams and update README

- Add architecture-2.jpg and flow.jpg diagrams for better visualization
- Update README.md with enhanced documentation and diagrams

* Save current work before resolving merge conflicts

* Keep AWS-operations-agent changes (local version takes precedence)

* Fix: Remove merge conflict markers from AWS-operations-agent files - restore clean version

* Fix deployment and cleanup script issues

Major improvements and fixes:

Configuration Management:
- Fix role assignment in gateway creation (use bac-execution-role instead of Lambda role)
- Add missing role_arn cleanup in MCP tool deletion script
- Fix OAuth provider deletion script configuration clearing
- Improve memory deletion script to preserve quote consistency
- Add Lambda invoke permissions to bac-permissions-policy.json

Script Improvements:
- Reorganize deletion scripts: 11-delete-oauth-provider.sh, 12-delete-memory.sh, 13-cleanup-everything.sh
- Fix interactive prompt handling in cleanup scripts (echo -e format)
- Add yq support with sed fallbacks for better YAML manipulation
- Remove obsolete 04-deploy-mcp-tool-lambda-zip.sh script

Architecture Fixes:
- Correct gateway role assignment to use runtime.role_arn (bac-execution-role)
- Ensure proper role separation between gateway and Lambda execution
- Fix configuration cleanup to clear all dynamic config fields consistently

Documentation:
- Update README with clear configuration instructions
- Maintain security best practices with placeholder values
- Add comprehensive deployment and cleanup guidance

These changes address systematic issues with cleanup scripts, role assignments,
and configuration management while maintaining security best practices.

* Update README.md with comprehensive documentation

Enhanced documentation includes:
- Complete project structure with 75 files
- Step-by-step deployment guide with all 13 scripts
- Clear configuration instructions with security best practices
- Dual agent architecture documentation (DIY + SDK)
- Authentication flow and security implementation details
- Troubleshooting guide and operational procedures
- Local testing and container development guidance
- Tool integration and MCP protocol documentation

The README now provides complete guidance for deploying and operating
the AWS Support Agent with Amazon Bedrock AgentCore system.

---------

Co-authored-by: name <alias@amazon.com>
2025-08-09 13:51:24 -07:00

11 KiB
Raw Permalink Blame History

Okta OpenID Connect PKCE Setup Guide

Complete guide for setting up Okta OAuth2 authentication with the AWS Support Agent AgentCore system.

Overview

This guide configures Okta OAuth2 authentication for the AgentCore system, supporting both user authentication (PKCE flow) and machine-to-machine authentication (client credentials flow).

Prerequisites

  • Okta Developer Account (free at developer.okta.com)
  • AWS Account with Bedrock AgentCore access
  • nginx installed locally (for testing)
  • Python 3.11+ for running the system

Okta Application Setup

OKTA Documentation for PKCE APP Setup:

https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce

https://developer.okta.com/docs/guides/implement-grant-type/authcodepkce/main/

1. Create OIDC Application

  1. Log in to Okta Developer Console
  2. Navigate to: Applications → Applications → Create App Integration
  3. Select: OIDC - OpenID Connect → Single-Page Application (SPA)
  4. Configure Application: 
    App name: aws-support-agent-client
Grant types: ✅ Authorization Code, ✅ Refresh Token
Sign-in redirect URIs: 
  - http://localhost:8080/callback
  - http://localhost:8080/okta-auth/
  - http://localhost:8080/okta-auth/iframe-oauth-flow.html
Sign-out redirect URIs: http://localhost:8080/
Controlled access: Allow everyone in your organization to access
uncheck “Immediate app access with Federation Broker Mode“
  5. Save the application and note the Client ID
Confirm you are added under Assignment

2. Configure API Scopes

  1. Navigate to: Security → API → Authorization Servers → default
  2. Verify scopes exist:
    • openid - Required for OpenID Connect
    • profile - User profile information
    • email - User email address
  3. Add custom scope:
    • Name: api
    • Description: API access for AgentCore
    • Include in public metadata: 
Under Security → API → Trusted Origins, enable CORS for http://localhost:8080
Origin: http://localhost:8080
 ✅ Cross-Origin Resource Sharing (CORS)
 ✅ Redirect
 ✅ iFrame embed
 ✅ Allows iFrame embedding of Okta End User Dashboard

3. Create Machine-to-Machine Application

For AgentCore workload authentication:

  1. Create a new app integration: API Services
  2. Configure: 
    App name: aws-support-agent-m2m
Grant types: ✅ Client Credentials
Client authentication: ✅ Client secret
Enable : Token Exchange
Disable : Require Demonstrating Proof of Possession (DPoP)
  3. Save and note the Client ID and Client Secret

Project Configuration

1. Update Static Configuration

Edit config/static-config.yaml:

# Okta OAuth2 Configuration
okta:
  domain: "your-domain.okta.com"  # Replace with your Okta domain
  
  # OAuth2 authorization server configuration
  authorization_server: "default"
  
  # Client configuration for client credentials flow (app-to-app)
  client_credentials:
    client_id: "YOUR_M2M_CLIENT_ID"      # From M2M app
    client_secret: "${OKTA_CLIENT_SECRET}"  # Set via environment variable
    scope: "api"
  
  # Client configuration for user authentication (PKCE flow)
  user_auth:
    client_id: "YOUR_SPA_CLIENT_ID"      # From SPA app
    audience: "YOUR_SPA_CLIENT_ID"       # Same as client_id
    redirect_uri: "http://localhost:8080/callback"
    scope: "openid profile email"
  
  # JWT token configuration
  jwt:
    audience: "YOUR_SPA_CLIENT_ID"       # Your SPA client ID
    issuer: "https://your-domain.okta.com/oauth2/default"
    discovery_url: "https://your-domain.okta.com/oauth2/default/.well-known/openid-configuration"
    cache_duration: 300
    refresh_threshold: 60

# AgentCore JWT Authorizer Configuration
agentcore:
  jwt_authorizer:
    discovery_url: "https://your-domain.okta.com/oauth2/default/.well-known/openid-configuration"
    allowed_audience: 
      - "YOUR_SPA_CLIENT_ID"

2. Set Environment Variables

# Optional: Set AWS profile if different from default
export AWS_PROFILE="your-aws-profile"

Local Testing Setup

1. Configure nginx (Optional)

For local PKCE testing, you need to add the server block to your nginx configuration:

# Navigate to your project directory
cd /path/to/your/AgentCore/project

# Step 1: Update paths in the nginx config file
# Replace placeholder paths with your actual project path
sed -i '' "s|/path/to/your/AgentCore|$(pwd)|g" okta-auth/nginx/okta-local.conf

# Verify the paths were updated correctly
cat okta-auth/nginx/okta-local.conf | grep "root\|alias"

# Step 2: IMPORTANT - okta-local.conf contains only a server block, not a complete nginx.conf
# You must integrate this server block into your existing nginx configuration.

# Manual Integration Steps:
# 1. Find your nginx.conf location:
#    - macOS (Homebrew): /usr/local/etc/nginx/nginx.conf
#    - Linux: /etc/nginx/nginx.conf
#    - Docker: /etc/nginx/nginx.conf

# 2. Make a backup of your current nginx.conf
sudo cp /usr/local/etc/nginx/nginx.conf /usr/local/etc/nginx/nginx.conf.backup  # macOS
# sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup                    # Linux

# 3. Open your main nginx.conf file for editing:
sudo nano /usr/local/etc/nginx/nginx.conf  # macOS
# sudo nano /etc/nginx/nginx.conf          # Linux

# 4. Find the http {} block in nginx.conf
# 5. Copy the entire server block content from okta-auth/nginx/okta-local.conf
# 6. Paste it inside the existing http {} block (before the closing })
# 7. Save and close the file

# NOTE: The setup-local-nginx.sh script is not functional as it attempts to use
# okta-local.conf as a complete nginx configuration, which will fail.

# Step 3: Test and reload nginx
# Test nginx configuration for syntax errors
sudo nginx -t

# If test passes, reload nginx configuration
sudo nginx -s reload

# Verify nginx is running and listening on port 8080
curl http://localhost:8080/health
# Should return: healthy

2. Test OAuth Flow

Use the provided HTML test page:

  1. Update configuration in okta-auth/iframe-oauth-flow.html: 
    const config = {
  clientId: 'YOUR_SPA_CLIENT_ID',
  redirectUri: 'http://localhost:8080/okta-auth/',
  authorizationEndpoint: 'https://your-domain.okta.com/oauth2/default/v1/authorize',
  tokenEndpoint: 'https://your-domain.okta.com/oauth2/default/v1/token',
  scope: 'openid profile email',
};

Or you can enter the values in html page.

  1. Open browser: http://localhost:9090/okta-auth/iframe-oauth-flow.html
  2. Click "Login with Okta" and complete authentication
  3. Copy the access token for testing

Deploy and Test the System

1. Deploy Infrastructure - go back to README.md for instructions

# Deploy the AgentCore system
cd agentcore-runtime/deployment
./01-prerequisites.sh
./02-create-memory.sh
./03-setup-oauth-provider.sh  # This uses your Okta config
./04-deploy-mcp-tool-lambda.sh
./05-create-gateway-targets.sh
./06-deploy-diy.sh
./07-deploy-sdk.sh

2. Test Authentication

# Test OAuth provider setup
cd agentcore-runtime/runtime-ops-scripts
python oauth_test.py test-config

# Expected output:
# ✅ M2M token obtained successfully
# ✅ OAuth2 token obtained successfully

3. Test End-to-End

# Use the chat client
cd chatbot-client/src
python client.py --interactive

# Or test directly with curl (using token from step 2)
curl -X POST http://localhost:8080/invocations \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{
    "prompt": "List my S3 buckets",
    "session_id": "test-session",
    "actor_id": "user"
  }'

Authentication Flow

User Authentication (PKCE)

  1. User → Okta login → JWT token
  2. Chat Client → AgentCore Runtime (with JWT)
  3. Runtime validates JWT against Okta discovery endpoint
  4. Runtime processes user request

Machine-to-Machine (M2M)

  1. Runtime → AgentCore Identity → Workload token
  2. Workload token → OAuth provider → M2M token
  3. M2M token → AgentCore Gateway → Tools access
  4. Tools → AWS services → Results

Troubleshooting

Common Issues

1. Invalid Client Error

# Check your client IDs in static-config.yaml
grep -A 10 "client_credentials:" config/static-config.yaml
grep -A 10 "user_auth:" config/static-config.yaml

2. Token Validation Failures

# Verify Okta discovery endpoint
curl https://your-domain.okta.com/oauth2/default/.well-known/openid-configuration

# Test token validation
python agentcore-runtime/runtime-ops-scripts/oauth_test.py test-config

3. M2M Authentication Fails

# Check environment variable
echo $OKTA_CLIENT_SECRET

# Test M2M flow specifically
python agentcore-runtime/runtime-ops-scripts/oauth_test.py workload-token bac-diy

4. Gateway Connection Issues

# Check if gateway and targets are deployed
cd agentcore-runtime/gateway-ops-scripts
python list-gateways.py
python list-targets.py

Debug Commands

# Check deployed OAuth provider
cd agentcore-runtime/runtime-ops-scripts
python credentials_manager.py list

# View runtime logs
cd agentcore-runtime/runtime-ops-scripts  
python runtime_manager.py list
python logs_manager.py get <runtime-id>

# Test configuration validation
cd /path/to/your/AgentCore/project
python -c "from shared.config_manager import AgentCoreConfigManager; AgentCoreConfigManager().validate()"

Log Analysis

AgentCore Runtime logs (look for):

  • ✅ OAuth initialized with provider
  • ✅ M2M token obtained successfully
  • ✅ MCP client ready

Common error patterns:

  • ❌ OAuth provider not found → Check deployment step 03
  • ❌ Invalid client credentials → Check client secret environment variable
  • ❌ Token validation failed → Check JWT configuration in static-config.yaml

Security Best Practices

  1. Never commit secrets - Always use environment variables for client secrets
  2. Use HTTPS in production - Update redirect URIs for production deployment
  3. Rotate tokens regularly - Configure appropriate token lifetimes in Okta
  4. Validate token audiences - Ensure JWT audience validation is strict
  5. Monitor authentication - Review Okta system logs regularly

Production Deployment

For production, update:

  1. Redirect URIs to your production domain
  2. Environment variables in your deployment pipeline
  3. Network security to restrict access appropriately
  4. Token lifetimes based on your security requirements

For additional help, refer to: