---
title: AWS Bedrock AgentCore
description: Configure the Advanced Identity Cloud AWS Bedrock AgentCore application template to discover and govern AI agents hosted in AWS Bedrock AgentCore
component: pingoneaic
page_id: pingoneaic:app-management:applications-agent-governance/aws-bedrock-agentcore
canonical_url: https://docs.pingidentity.com/pingoneaic/app-management/applications-agent-governance/aws-bedrock-agentcore.html
llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
section_ids:
  prerequisites-aic: Prerequisites in Advanced Identity Cloud
  prerequisites-aws-bedrock-agentcore: Prerequisites in AWS Bedrock AgentCore
  create-an-iam-access-policy: Create an IAM access policy
  create-an-iam-user-for-explicit-credentials: Create an IAM user for explicit credentials
  register-the-application: Register the application
  configure-the-provisioner: Configure the provisioner
  configure-provisioning-and-reconciliation-resources: Configure provisioning and reconciliation resources
---

# AWS Bedrock AgentCore

The AWS Bedrock AgentCore application discovers and governs AI agents created in Amazon Bedrock AgentCore. It only reads from AgentCore; it never creates, modifies, or deletes agents there.

## Prerequisites in Advanced Identity Cloud

Before using the AWS Bedrock AgentCore application, ensure you've taken these actions:

* Purchased the Agent Governance add-on capability for Advanced Identity Cloud.

* Modified the user managed object with a `custom_iga_identity_type` property in the Alpha realm. Learn more in [Create the identity type](../../identity-governance/administration/iga-agent-governance.html#create-the-identity-type).

* Obtained the AWS Bedrock AgentCore connector JAR file. This isn't available to download from Backstage yet, but is available from your Ping Identity representative.

## Prerequisites in AWS Bedrock AgentCore

### Create an IAM access policy

The AWS Bedrock AgentCore application needs read permissions for Bedrock AgentCore.

1. In the AWS console, go to IAM > Policies > Create policy.

2. On the JSON tab, paste a policy similar to the following:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "BedrockAgentCoreConnectorReadOnly",
         "Effect": "Allow",
         "Action": [
           "bedrock-agentcore:ListAgentRuntimes",
           "bedrock-agentcore:GetAgentRuntime",
           "bedrock-agentcore:GetAgentRuntimeEndpoint",
           "bedrock-agentcore:GetResourcePolicy"
         ],
         "Resource": "*"
       }
     ]
   }
   ```

   | Element    | Note                                                                                                                                                                                                                          |
   | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | `Action`   | The policy is read-only and doesn't allow any modifications to Bedrock AgentCore agents.                                                                                                                                      |
   | `Resource` | `ListAgentRuntimes` requires `Resource: "*"`. The other read actions can be scoped to AgentCore runtime ARNs in a separate statement if your AWS environment supports the narrower resource policy. |

3. Select Next.

4. Name the policy `iga-bedrock-agentcore-application-policy`, then select Create policy.
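As an added example (not Ping Identity's or the connector's code), the following Python holds the policy above as data and runs two checks a reviewer would want before any edited version is pasted into IAM: that every allowed action is a read verb (no writes, no wildcards), and that no `List*` action has been scoped to an ARN, which IAM accepts but never grants. It also builds the split-statement variant the note above describes, with the `Get*` actions limited to runtime ARNs in one account and region; the runtime ARN pattern `arn:aws:bedrock-agentcore:REGION:ACCOUNT:runtime/*` is an assumption to confirm against the IAM service authorization reference for `bedrock-agentcore`.

```python
import json
import re
from typing import List, Union

# Added example, not Ping Identity's or the connector's code: the read-only
# policy from this page as data, plus checks to run on any edited version.

CONNECTOR_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BedrockAgentCoreConnectorReadOnly",
        "Effect": "Allow",
        "Action": [
            "bedrock-agentcore:ListAgentRuntimes",
            "bedrock-agentcore:GetAgentRuntime",
            "bedrock-agentcore:GetAgentRuntimeEndpoint",
            "bedrock-agentcore:GetResourcePolicy",
        ],
        "Resource": "*",
    }],
}


def scoped_policy(account_id: str, region: str) -> dict:
    """Narrower variant: ListAgentRuntimes keeps Resource "*" (it has no
    resource-level scope); the Get* actions are limited to one account/region.
    ASSUMPTION: the runtime ARN pattern is illustrative; confirm it against the
    bedrock-agentcore resource types in the IAM service authorization reference."""
    runtime_arn = f"arn:aws:bedrock-agentcore:{region}:{account_id}:runtime/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListNeedsWildcardResource", "Effect": "Allow",
             "Action": "bedrock-agentcore:ListAgentRuntimes", "Resource": "*"},
            {"Sid": "ReadScopedToRuntimes", "Effect": "Allow",
             "Action": ["bedrock-agentcore:GetAgentRuntime",
                        "bedrock-agentcore:GetAgentRuntimeEndpoint",
                        "bedrock-agentcore:GetResourcePolicy"],
             "Resource": runtime_arn},
        ],
    }


def _as_list(value: Union[str, dict, list, None]) -> list:
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


READ_ONLY_VERB = re.compile(r"^(Get|List|Describe)[A-Z0-9]")


def non_read_only_actions(policy: dict) -> List[str]:
    """Every Allow action that is not a Get*/List*/Describe* verb. Wildcards
    ("*", "service:*", "service:Get*") are reported too: a wildcard expands to
    any write action the service adds later."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if not verb or "*" in action or not READ_ONLY_VERB.match(verb):
                flagged.append(action)
    return flagged


def misscoped_list_actions(policy: dict) -> List[str]:
    """List* actions granted on anything other than Resource "*". IAM accepts
    such a statement, but the permission is not granted, so the connector's
    first call (ListAgentRuntimes) fails with AccessDeniedException."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action.partition(":")[2].startswith("List"):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    scoped = scoped_policy("123456789012", "us-east-1")  # constructed sample IDs
    for name, policy in [("page policy", CONNECTOR_READ_ONLY_POLICY), ("scoped", scoped)]:
        print(f"{name}: writes={non_read_only_actions(policy)} "
              f"misscoped lists={misscoped_list_actions(policy)}")
    print(json.dumps(scoped, indent=2))
```

Run it with no arguments to print the split policy and confirm both checks return empty lists for it; feed it an edited policy (for example one that added `bedrock-agentcore:*` "to be safe") and the first check names the offending action.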

### Create an IAM user for explicit credentials

Choose one of the following options:

* If you intend to use the default credentials provider to access AWS Bedrock AgentCore, you don't need to create an IAM user and can skip to the next section. The default provider chain resolves credentials on the connector server host (environment variables, the shared AWS credentials file, or the IAM role attached to the EC2, ECS, or EKS compute the server runs on). Prefer this option when the connector server runs in AWS: attach the policy above to that role and you avoid storing a long-lived access key.

* If you intend to use explicit credentials to access AWS Bedrock AgentCore, create an IAM user using these steps:

  1. In the AWS console, go to IAM > Users > Create user.

  2. Enter a username, for example `iga-bedrock-agentcore-application`.

  3. Select Next.

  4. Under Set permissions, choose Attach policies directly.

  5. Search for `iga-bedrock-agentcore-application-policy`, select it, then select Next > Create user.

  6. Open the user, then select the Security credentials tab.

  7. Select Create access key.

  8. For Use case, select Application running outside AWS, then select Next.

  9. Copy the access key ID and secret access key. You'll need these for the `Access Key ID` and `Secret Access Key` application properties. The secret access key is shown only once; if you lose it, create a new access key and deactivate the old one rather than reusing a key that has been exposed.

## Register the application

1. In the Advanced Identity Cloud admin console, go to [icon: apps, set=material, size=inline] Applications, and click [icon: grid_view, set=material, size=inline] Browse App Catalog.

2. In the Browse App Catalog modal, select AWS Bedrock AgentCore, and click Next.

3. Review the Application Integration information, and click Next.

4. In the Application Details window, specify the name, description, application owners, and logo for the application.

5. Leave the Authoritative checkbox unselected.

6. Click Create Application.

## Configure the provisioner

1. In the Advanced Identity Cloud admin console, go to [icon: apps, set=material, size=inline] Applications.

2. Click the application you just registered to open the application details page.

3. Click the Provisioning tab, then compare the message displayed with these options:

   * You haven't set up provisioning yet\
     This message indicates that Advanced Identity Cloud has found a connector server with a compatible connector installed, but you haven't set up provisioning yet. In this case, click Set up Provisioning to set up provisioning for the application.

   * No Connector Servers available\
     This message indicates that Advanced Identity Cloud either can't find a connector server to use for provisioning or that it can find a connector server but it doesn't have a compatible connector installed for this application.

     > **Collapse: Show guidance**
     >
     > * If you haven't set up a connector server:
     >
     >   1. [Register a remote server](../../identities/sync-identities.html#task-1-register-a-remote-server)
     >
     >   2. (Optional) [Reset the client secret](../../identities/sync-identities.html#task-2-reset-the-client-secret)
     >
     >   3. [Download a remote server](../../identities/sync-identities.html#task-3-download-a-remote-server)
     >
     >   4. Add the AWS Bedrock AgentCore connector JAR file to the remote server's connectors folder.
     >
     >   5. [Configure the remote server](../../identities/sync-identities.html#task-5-configure-a-remote-server)
     >
     >   6. Refresh the AWS Bedrock AgentCore application page in your browser, then begin step 3 again.
     >
     > * If you've already set up a connector server:
     >
     >   1. Add the AWS Bedrock AgentCore connector JAR file to the remote server's connectors folder, then restart the connector server.
     >
     >   2. Refresh the AWS Bedrock AgentCore application page in your browser, then begin step 3 again.

4. In the Connect to AWS Bedrock AgentCore modal, enter the following information:

   * Region: Enter your AWS region. For example, enter `us-east-1`.

   * Use Default Credentials Provider: Enable to use the default AWS credentials chain, or disable to enter an access key ID and secret access key.

   * Access Key ID (optional): If you disabled the default credentials provider, enter your AWS access key ID. For example, `AMZ4XF91LDHBOGFEQYKW`.

   * Secret Access Key (optional): If you disabled the default credentials provider, enter your AWS secret access key.

5. (Optional) Click Show advanced settings to set any of the following options:

   > **Collapse: Show advanced settings options**
   >
   > **Application specific settings**
   >
   > | Option             | Description                                                                          |
   > | ------------------ | ------------------------------------------------------------------------------------ |
   > | Exclude Unmodified | Select this option to synchronize only the modified properties on a target resource. |
   >
   > **Pool configuration**
   >
   > | Field                                   | Description                                                                                                                                                                           |
   > | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   > | Max idle and active container instances | The maximum number of idle and active container instances. The default value is `10`.                                                                                                 |
   > | Max Idle Connector Instances            | The maximum number of idle connector instances. The default value is `10`.                                                                                                            |
   > | Set Timeout Period                      | Select to enable a timeout period for the connection. After enabling, configure Timeout period (ms): the timeout period in milliseconds.                              |
   > | Set Minimum Idle Time                   | Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, configure Min idle time (ms): the minimum idle time in milliseconds. |
   > | Min Idle Instances                      | The minimum number of idle connector instances.                                                                                                                                       |
   >
   > **Result Handler configuration**
   >
   > | Field                                                                   | Description                                                                       |
   > | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
   > | Enable for connectors with the attribute normalizer interface           | Enables the attribute normalizer interface for supported connectors.              |
   > | Enable local filtering/search features                                  | Enables local filtering and search capabilities.                                  |
   > | Enable case insensitive filter                                          | Configures filters to ignore case sensitivity.                                    |
   > | Enable configuration of search attributes; disable for local connectors | Enables search attribute configuration. Disable this option for local connectors. |
   >
   > 1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds.
   >
   >    Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search.
   >
   > 2. In the Operation Rate Limits area, select the operations to enforce rate limits on.
   >
   >    You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search.
   >
   >    For each selected operation, configure the following fields:
   >
   >    | Field           | Description                        |
   >    | --------------- | ---------------------------------- |
   >    | Request Limit   | Requests allowed over time.        |
   >    | Request Period  | Limit resets after this time (ms). |
   >    | Request Timeout | Time before exception thrown (ms). |

6. Click Connect.

7. Verify that the status shows Connected.
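
If the status is anything other than Connected, the following pre-flight isolates whether the region, the credential choice, or the IAM policy is at fault. It is an added example, not part of the connector or this page: it makes the same two read-only calls the policy above grants (`ListAgentRuntimes`, then `GetAgentRuntime` for each runtime), using either explicit keys or the default credential chain exactly as the Connect modal does. The boto3 client name `bedrock-agentcore-control` and the response keys `agentRuntimes`, `nextToken`, `agentRuntimeId`, `agentRuntimeName`, `agentRuntimeArn` and `status` are assumptions about the current SDK; `OfflineControlClient` is constructed sample data so the script also runs with no AWS access.

```python
import sys
from typing import Dict, List, Optional

# Added example, not Ping Identity or AWS code. ASSUMPTIONS: boto3 client name
# "bedrock-agentcore-control" and the response keys agentRuntimes, nextToken,
# agentRuntimeId, agentRuntimeName, agentRuntimeArn and status.


def inventory_runtimes(client) -> List[Dict[str, str]]:
    """Page through ListAgentRuntimes, then GetAgentRuntime for each runtime:
    the two calls the read-only policy on this page exists to allow. `client`
    is a boto3 control-plane client or the offline stub below."""
    found: List[Dict[str, str]] = []
    token: Optional[str] = None
    while True:
        page = client.list_agent_runtimes(**({"nextToken": token} if token else {}))
        for summary in page.get("agentRuntimes", []):
            # GetAgentRuntime is what a scoped Get* statement must cover, so a
            # misscoped runtime ARN fails here rather than inside the connector.
            detail = client.get_agent_runtime(agentRuntimeId=summary["agentRuntimeId"])
            found.append({
                "id": summary["agentRuntimeId"],
                "name": summary.get("agentRuntimeName", ""),
                "arn": summary.get("agentRuntimeArn", ""),
                "status": detail.get("status", ""),
            })
        token = page.get("nextToken")
        if not token:
            return found


def make_client(region: str, access_key_id: Optional[str] = None,
                secret_access_key: Optional[str] = None):
    """Same two modes as the Connect modal: explicit keys, or the default
    provider chain (env vars, shared credentials file, then the host's role)."""
    import boto3  # lazy import so inventory_runtimes() runs without boto3
    if access_key_id and secret_access_key:
        session = boto3.Session(aws_access_key_id=access_key_id,
                                aws_secret_access_key=secret_access_key,
                                region_name=region)
    else:
        session = boto3.Session(region_name=region)
    return session.client("bedrock-agentcore-control")


class OfflineControlClient:
    """Constructed stand-in returning two pages so the script runs offline."""
    PAGES = [
        {"agentRuntimes": [{"agentRuntimeId": "rt-0001", "agentRuntimeName": "support-bot",
                            "agentRuntimeArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/rt-0001"}],
         "nextToken": "page-2"},
        {"agentRuntimes": [{"agentRuntimeId": "rt-0002", "agentRuntimeName": "ops-agent",
                            "agentRuntimeArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/rt-0002"}]},
    ]

    def __init__(self) -> None:
        self.list_calls: List[dict] = []

    def list_agent_runtimes(self, **kwargs):
        self.list_calls.append(kwargs)
        return self.PAGES[len(self.list_calls) - 1]

    def get_agent_runtime(self, agentRuntimeId: str):
        return {"agentRuntimeId": agentRuntimeId, "status": "READY"}


def main(argv: List[str]) -> int:
    """Usage: preflight.py --offline | preflight.py REGION [ACCESS_KEY_ID SECRET_ACCESS_KEY]"""
    try:
        if argv[1:2] == ["--offline"]:
            client = OfflineControlClient()
        else:
            region = argv[1] if len(argv) > 1 else "us-east-1"
            client = make_client(region, *argv[2:4])
        runtimes = inventory_runtimes(client)
    except Exception as exc:  # botocore ClientError carries the AWS error code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)
        print(f"FAILED ({code}): AccessDeniedException means the IAM policy is missing or "
              "misscoped; InvalidClientTokenId or UnrecognizedClientException means the "
              "access key is wrong; NoCredentialsError means the default chain found nothing.")
        return 1
    for rt in runtimes:
        print(f"{rt['id']:<10} {rt['status']:<8} {rt['name']:<14} {rt['arn']}")
    print(f"{len(runtimes)} agent runtime(s) readable; the provisioner should report Connected.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the connector server host, not your workstation, so the default chain resolves the same credentials the provisioner will see; pass the region and, when you disabled the default provider, the two keys from the IAM user you created above.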

## Configure provisioning and reconciliation resources

To configure provisioning and reconciliation resources, follow the instructions in [Onboard AI agents](../../identity-governance/administration/iga-agent-governance.html#onboard-ai-agents) in the Agent Governance documentation.
