Amazon Bedrock AgentCore is in preview release and is subject to change.
Get workload access token
There are two patterns for retrieving the workload access token, depending on how you are able to identify the end user of the agent:

- If the agent's caller has a JWT identifying the end user, request a workload access token based on the agent's identity and the end-user JWT. When you provide a JWT, AgentCore Identity validates the JWT to ensure it is correctly signed and unexpired, and it uses the JWT's "iss" and "sub" claims to uniquely identify the user. Credentials stored by the agent on behalf of the user are associated with this information, and future retrievals by the agent require a valid workload access token containing the same information.

- If the agent's caller does not have a JWT identifying the end user, request a workload access token based on the agent's identity and a unique string identifying the user.
The examples below illustrate using the AgentCore SDK to retrieve a workload access token with each of these two methods:

from bedrock_agentcore.services.identity import IdentityClient

identity_client = IdentityClient("us-east-1")

# Pattern 1: authenticate the agent with the caller's IAM identity and provide a JWT
# containing the identity of the end user. This is the recommended pattern whenever
# a JWT is available for the user.
workload_access_token = identity_client.get_workload_access_token(
    workload_name="my-demo-agent",
    user_token="insert-jwt-here",
)

# Pattern 2: authenticate the agent with the caller's IAM identity and provide a string
# representing the identity of the end user. Use this pattern when a JWT is not
# available for the user.
workload_access_token = identity_client.get_workload_access_token(
    workload_name="my-demo-agent",
    user_id="insert-user-name-or-identifier",
)
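The following added example (not part of the AgentCore documentation or SDK) shows, in plain Python with only the standard library, what the two patterns above imply for an agent author: the JWT path keys the user's stored credentials on the token's "iss" and "sub" claims after the signature and expiry are checked, while the user_id path relies entirely on the string the caller supplies. AgentCore Identity performs its own validation server-side; the `validate_end_user_jwt` function here is an illustrative client-side pre-check that mirrors the checks the text lists (signature, expiry, presence of iss and sub), and `make_demo_jwt`, `user_identity_key` and `choose_token_request` are hypothetical helpers. The demo token is constructed with HS256 and a constructed secret; real identity providers usually sign with an asymmetric algorithm such as RS256, so the key-handling would differ.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT for the demo (constructed; not an IdP-issued token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_end_user_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Tuple[str, str]:
    """Illustrative pre-check of the properties the text says AgentCore enforces:
    the token must be correctly signed and unexpired, and must carry iss and sub.
    Returns (iss, sub); raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= current:
        raise ValueError("expired or missing exp")
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        raise ValueError("missing iss or sub")
    return iss, sub


def user_identity_key(iss: str, sub: str) -> str:
    """The (iss, sub) pair is what makes a user unique across issuers; a sub alone is not."""
    return f"{iss}#{sub}"


def choose_token_request(workload_name: str, user_token: Optional[str] = None,
                         user_id: Optional[str] = None) -> dict:
    """Mirror the two SDK calling patterns: exactly one of user_token / user_id."""
    if (user_token is None) == (user_id is None):
        raise ValueError("provide exactly one of user_token or user_id")
    if user_token is not None:
        return {"workload_name": workload_name, "user_token": user_token}
    return {"workload_name": workload_name, "user_id": user_id}


if __name__ == "__main__":
    # Constructed sample: a token from a hypothetical issuer for user "user-123".
    demo_secret = b"constructed-demo-secret"
    token = make_demo_jwt({"iss": "https://issuer.example", "sub": "user-123", "exp": 2_000_000_000}, demo_secret)
    iss, sub = validate_end_user_jwt(token, demo_secret, now=1_000_000_000)
    print("credentials keyed on:", user_identity_key(iss, sub))
    print(choose_token_request("my-demo-agent", user_token=token))
    print(choose_token_request("my-demo-agent", user_id="insert-user-name-or-identifier"))
```

The point of `user_identity_key` is the caveat behind the first pattern: because credentials are bound to both "iss" and "sub", a user authenticated through a different issuer is a different user even with the same "sub" value, and a later retrieval with a token for a different issuer/subject pair will not see the stored credentials. `choose_token_request` makes the second pattern's weakness visible: with `user_id`, the identity is only as trustworthy as the caller that supplied the string.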