Amazon Bedrock AgentCore Identity meets this challenge through credential providers and a token vault that automatically create and manage a secret in AWS Secrets Manager in your account for each Outbound credential provider resource. This secret contains either the API key or client secret along with the other metadata for the external identity provider. While AgentCore Identity fully creates and manages these secrets, customers couldn’t configure custom tags, rotation policies, or customer managed AWS Key Management Service (AWS KMS) key encryption at creation time.

Today, we’re excited to announce the ability to reference a secret in AWS Secrets Manager for AgentCore Identity, so you can reference your own preconfigured secret from Secrets Manager and retain full control over how it is managed. With this ability, you can extend your organization’s existing secrets governance processes to AgentCore. You can provide an existing, preconfigured AWS Secrets Manager secret to use with your credential provider resources. You retain full control over its encryption configuration, rotation, replication, tags, and resource policies, just as you would manage other secrets in Secrets Manager. You can also choose a secret from another AWS account within the same AWS Region, though cross-Region secret sharing isn’t supported. This also supports secrets brought in through AWS Secrets Manager external connectors, enabling integration with third-party secret managers.

In this post, we will review example use cases, and walk through how to get started configuring your credential provider resources with an existing secret.

To learn more about the secret configuration options available, see the AWS Secrets Manager User Guide.

To reference a secret in AWS Secrets Manager, provide the secret ARN and JSON key when creating your credential provider resources through the AgentCore Identity API. AgentCore Identity retrieves the credential value from the specified JSON key in your secret at runtime.