Secure AI agents with Amazon Bedrock AgentCore Identity on Amazon ECS
Prevent browser-swapping attacks and enforce least-privilege for AI agents running on ECS.
AI agents in production require secure access to external services on behalf of users. Amazon Bedrock AgentCore Identity, available as a standalone service, now provides a complete OAuth 2.0 Authorization Code Grant implementation for agents running on Amazon ECS. The solution addresses two critical questions: how to build an application-owned session binding endpoint, and how to manage workload access token lifecycle. It prevents CSRF and browser-swapping attacks by binding each authorization request to the authenticated user session, and issues auth tokens scoped to each user session, following least-privilege principles. The architecture separates the agentic workload from the session binding service, with both running on ECS behind an ALB that handles inbound OIDC authentication.
The deployment uses OAuth 2.0 and OpenID Connect (OIDC) to authenticate users and authorize their actions. Users authenticate with an identity provider (e.g., Microsoft Entra ID) and grant consent, after which the application exchanges an authorization code for a scoped access token. Amazon Bedrock AgentCore Identity secures these tokens in its token vault, maintaining an auditable chain from user authentication to agent action. The solution includes two key URLs: a callback URL pointing to AgentCore Identity, and a session binding URL pointing to a customer-managed service that completes the binding. The provided GitHub repository contains full source code for a FastAPI-based agentic workload and session binding service, making it straightforward for teams to implement secure, user-delegated AI agents in production.
- Session binding prevents CSRF and browser-swapping attacks by linking the authenticated user to the OAuth flow.
- Auth tokens are scoped to each user session, following least-privilege principles, and are stored in AgentCore's token vault.
- The solution uses the OAuth 2.0 Authorization Code Grant with OIDC and is deployed on ECS with ALB-based OIDC authentication.
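The core check a session binding endpoint performs can be sketched as below. This is an added example, not code from the AWS repository or from AgentCore Identity: the class, method names, result strings, TTL and in-memory store are assumptions, and the locally generated identifier stands in for whatever identifier the identity service issues for the flow.

```python
import hmac
import secrets
import time

PENDING_TTL_SECONDS = 600  # assumed lifetime of a pending authorization


class SessionBindingStore:
    """Remembers which authenticated user started each authorization request."""

    def __init__(self, now=time.time):
        self._pending = {}  # session_id -> (user_id, expires_at)
        self._now = now     # injectable clock so expiry can be tested

    def start(self, user_id: str) -> str:
        """Agentic workload side: record the user who initiated the OAuth flow.

        The returned value is a constructed stand-in for the flow identifier.
        """
        session_id = secrets.token_urlsafe(32)
        self._pending[session_id] = (user_id, self._now() + PENDING_TTL_SECONDS)
        return session_id

    def complete(self, session_id: str, browser_user_id: str) -> str:
        """Session binding endpoint side.

        browser_user_id must be the identity already authenticated at the
        load balancer for this browser session, never a request parameter.
        """
        # Pop first: an identifier is single use, even when the check fails.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return "unknown_or_replayed"
        owner, expires_at = entry
        if self._now() > expires_at:
            return "expired"
        # A different logged-in user finishing the flow is the swap to reject.
        if not hmac.compare_digest(owner.encode(), browser_user_id.encode()):
            return "user_mismatch"
        return "bound"  # only now would the service complete the token request
```

Only a `"bound"` result should lead to completing the authorization; every other result is a failed binding worth logging with the session identifier and the authenticated user.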
Why It Matters
Enables secure user-delegated access for production AI agents, maintaining audit trails and preventing token misuse.