
feat(03-AgentCore-identity): Add private Keycloak IdP samples with VPC Lattice#1448

Open
CameronKeeneAWS wants to merge 1 commit into awslabs:main from CameronKeeneAWS:feature/private-idp-keycloak

Conversation

@CameronKeeneAWS


Amazon Bedrock AgentCore Samples Pull Request

[!IMPORTANT]

  1. We strictly follow an issue-first approach; please first open an issue relating to this Pull Request.
  2. Once this Pull Request is ready for review, please attach the review ready label to it. Only PRs with the review ready label will be reviewed.

Issue number: #1447

Concise description of the PR

  • Adds two end-to-end samples demonstrating how to connect Amazon Bedrock AgentCore Identity to a privately hosted Keycloak IdP using Amazon VPC Lattice privateEndpoint, because many enterprises run Keycloak or similar OIDC providers in private networks with no public internet exposure and need a secure connectivity pattern for JWT validation.

User experience
Before: No sample existed showing how to integrate AgentCore with a private (non-internet-facing) Keycloak identity provider. Users wanting to use private IdPs with AgentCore received "Invalid inbound token" errors with no reference architecture to resolve the issue.

After: Users can follow fully automated deployments (deploy_sample.sh / cleanup_sample.sh) that provision:

  • A Keycloak 26 instance on EC2 behind an internal ALB with ACM certificate
  • VPC Lattice connectivity (AgentCore-managed mode)
  • Sample 13: AgentCore Runtime with CUSTOM_JWT auth validated against the private IdP
  • Sample 14: AgentCore Gateway with Lambda-backed MCP tools authenticated via the private IdP

The samples include architecture diagrams, CloudFormation templates, Keycloak setup scripts, and complete teardown scripts.

Checklist

  • I have reviewed the contributing guidelines
  • Add your name to CONTRIBUTORS.md
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Are you uploading a dataset?
  • Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and Clean Up steps in your example README?
  • I agree to resolve any issues created for this example in the future.
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

…C Lattice

Add two tutorials demonstrating inbound JWT authorization from a private
VPC-hosted Keycloak instance using the privateEndpoint feature (VPC Lattice
managed connectivity).

13-Private-IdP-Keycloak-Runtime:
- Private Keycloak + privateEndpoint + AgentCore Runtime
- Inbound JWT auth for agent invocations
- One-click deploy/cleanup scripts

14-Private-IdP-Keycloak-Gateway:
- Private Keycloak + privateEndpoint + AgentCore Gateway
- Inbound JWT auth for MCP tool calls
- Lambda-backed gateway target with tool schema
- One-click deploy/cleanup scripts

Both samples include:
- CloudFormation template (EC2 + internal ALB + ACM cert + Route53)
- Keycloak setup script (Admin REST API configuration)
- Invoke script for end-to-end testing
- Troubleshooting guide
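The validation step that both the PR description and the commit message hinge on (inbound JWT authorization against a privately hosted Keycloak realm), as an added example that is not part of this PR or of the AgentCore samples: a self-contained Go model of the checks an inbound authorizer performs once it can reach the realm. The issuer URL, audience and key id are constructed values, and the in-memory jwks map stands in for the key set fetched from the realm's /protocol/openid-connect/certs endpoint, a fetch that cannot succeed while the IdP is unreachable from the validator.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

const issuer, audience = "https://keycloak.internal.example/realms/agentcore", "agentcore-runtime" // constructed: private realm issuer, allowed audience
var enc = base64.RawURLEncoding
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// newRealmKey stands in for the realm signing key Keycloak generates when a realm is created.
func newRealmKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// signRS256 mints a Keycloak-style RS256 access token carrying the given claims and key id.
func signRS256(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(input))
	return input + "." + enc.EncodeToString(sig)
}
// verify applies the inbound checks: realm key by kid, RS256 signature, then iss, aud and exp.
func verify(token string, jwks map[string]*rsa.PublicKey, now int64) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unsupported alg") // refuses alg=none and HMAC downgrades
	}
	pub := jwks[hdr.Kid] // nil when the kid is unknown: key set unreachable, or rotated since last fetch
	sig, err := enc.DecodeString(p[2])
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), sig) != nil {
		return nil, errors.New("unknown kid or invalid signature")
	}
	var c map[string]any
	if raw, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	exp, _ := c["exp"].(float64) // JSON numbers decode as float64; a single string aud is assumed
	if c["iss"] != issuer || c["aud"] != audience || int64(exp) <= now {
		return nil, errors.New("issuer, audience or expiry rejected")
	}
	return c, nil
}
```

A token whose kid is absent from the fetched key set, whose issuer is not the realm's private URL, or whose audience is not the configured one is rejected before any claim is trusted, which is the class of failure a private IdP surfaces when connectivity is missing or misconfigured.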
@github-actions bot added the labels 01-tutorials and 03-AgentCore-identity (01-tutorials/03-AgentCore-identity) on May 7, 2026