Step 3: Obtain an OAuth 2.0 access token - Amazon Bedrock AgentCore

Amazon Bedrock AgentCore is in preview release and is subject to change.

Step 3: Obtain an OAuth 2.0 access token

Once you have created the Google credential provider in the previous step, add the @requires_access_token decorator to the function in your agent code that needs a Google access token. When you run the agent, copy the authorization URL from the console output, paste it into your browser, and complete the Google consent flow granting access to Google Drive.

```python
import asyncio

# Decorator from the AgentCore Python SDK (this import was missing from the flattened sample)
from bedrock_agentcore.identity.auth import requires_access_token


# Injects the Google access token into the decorated function
@requires_access_token(
    # Uses the same credential provider name created above
    provider_name="google-provider",
    # Requires the Google OAuth2 scope to read Google Drive metadata
    scopes=["https://www.googleapis.com/auth/drive.metadata.readonly"],
    # Selects the OAuth 2.0 Authorization Code flow (user federation)
    auth_flow="USER_FEDERATION",
    # Prints the authorization URL to the console
    on_auth_url=lambda x: print("\nPlease copy and paste this URL in your browser:\n" + x),
    # If False, the obtained access token is cached and reused on later calls
    force_authentication=False,
)
async def write_to_google_drive(*, access_token: str):
    # Prints the access token obtained from Google (demonstration only; a real
    # agent would pass it to the Drive API rather than print it)
    print(access_token)


# The empty value is overwritten by the decorator with the real token
asyncio.run(write_to_google_drive(access_token=""))
```

Behind the scenes, the @requires_access_token decorator runs through the following sequence:

Flow diagram showing the sequence of API calls made by the @requires_access_token decorator
  1. The SDK makes API calls to CreateWorkloadIdentity, GetWorkloadAccessToken, and GetResourceOauth2Token.

  2. When running the agent code locally, the SDK automatically generates an agent identity ID and a random user ID for local testing, and stores them in a local file called .agentcore.yaml.

  3. When running the agent code with AgentCore Runtime, the SDK does not generate an agent identity ID or a random user ID. Instead, it uses the agent identity ID assigned to the agent, and the user ID or JWT passed in by the agent caller.

  4. The agent access token is an encrypted (opaque) token that contains the agent identity ID and the user ID.

  5. AgentCore Identity service stores the Google access token in the Token Vault under the agent identity ID and user ID. This creates a binding among the agent identity, user identity, and the Google access token.
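The binding and caching behaviour described in steps 4 and 5 can be illustrated with a small in-memory model. This is an added teaching example, not the bedrock_agentcore SDK or the AgentCore Identity service: ToyTokenVault, requires_access_token_toy, the agent/user IDs and the token and URL strings are all constructed stand-ins that assume only what the sequence above states (a token is stored under the agent identity ID and user ID, and is reused unless force_authentication is set).

```python
import asyncio
from dataclasses import dataclass, field

# Constructed stand-in for the Token Vault described above: a Google token is
# filed under (agent identity ID, user ID), so another agent identity or user
# never sees it.  Teaching model only, not the bedrock_agentcore SDK.
@dataclass
class ToyTokenVault:
    tokens: dict = field(default_factory=dict)
    consent_runs: int = 0  # how often a user was sent through the consent flow

    def get_or_authorize(self, agent_id, user_id, scopes, on_auth_url, force):
        key = (agent_id, user_id)
        if not force and key in self.tokens:
            return self.tokens[key]  # force_authentication=False: reuse cached token
        # No usable token: hand the caller an authorization URL to complete.
        # The URL is a constructed placeholder, not Google's real endpoint.
        on_auth_url("https://example.invalid/authorize?scope=" + "+".join(scopes))
        self.consent_runs += 1
        token = f"constructed-token-{agent_id}-{user_id}-{self.consent_runs}"
        self.tokens[key] = token
        return token


def requires_access_token_toy(vault, agent_id, user_id, *, scopes, on_auth_url,
                              force_authentication=False):
    """Hypothetical decorator mirroring the page's parameters; injects access_token."""
    def decorator(fn):
        async def wrapper(*args, **kwargs):
            kwargs["access_token"] = vault.get_or_authorize(
                agent_id, user_id, scopes, on_auth_url, force_authentication)
            return await fn(*args, **kwargs)
        return wrapper
    return decorator


def demo():
    vault, urls = ToyTokenVault(), []
    scopes = ["https://www.googleapis.com/auth/drive.metadata.readonly"]
    @requires_access_token_toy(vault, "agent-A", "user-1", scopes=scopes, on_auth_url=urls.append)
    async def read_drive(*, access_token: str):
        return access_token
    @requires_access_token_toy(vault, "agent-A", "user-1", scopes=scopes,
                               on_auth_url=urls.append, force_authentication=True)
    async def read_drive_fresh(*, access_token: str):
        return access_token
    first = asyncio.run(read_drive(access_token=""))    # consent flow runs once
    second = asyncio.run(read_drive(access_token=""))   # cached: no new URL
    third = asyncio.run(read_drive_fresh(access_token=""))  # forced re-consent
    return {"first": first, "second": second, "third": third, "urls": len(urls),
            "other_agent": vault.tokens.get(("agent-B", "user-1"))}
```

Running demo() shows one consent URL for the first call, none for the cached second call, a second URL and a new token when force_authentication is set, and no token at all under a different agent identity for the same user.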