Building and Deploying Your First AI Agent with Amazon Bedrock AgentCore

Introduction

Amazon Bedrock AgentCore is a managed service that simplifies the building, deployment, and operation of AI agents on AWS. It handles runtime management, AWS IAM role configuration, observability, and authentication so you can focus on your agent logic. Amazon Bedrock AgentCore works with popular frameworks like Strands Agents, LangGraph, and CrewAI.

In this guide, we walk through creating a simple AI agent using Strands Agents, testing it locally, deploying it to Amazon Bedrock AgentCore Runtime, and securing it with JWT-based inbound authentication using Amazon Cognito. By the end, you will have a fully deployed agent that can be invoked securely from any frontend application.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Step-by-Step Guide

Step 1: Set Up the Project

Start by creating a project folder and installing the required dependencies. You need Python 3.10 or newer and AWS credentials configured via the AWS CLI.

mkdir agentcore-test

cd agentcore-test

python -m venv .venv

.venv\Scripts\activate

pip install bedrock-agentcore strands-agents bedrock-agentcore-starter-toolkit python-dotenv

Create a .env file to store your AWS credentials (access key, secret key, session token, and region). Use python-dotenv to load these at runtime. Always add .env to your .gitignore to avoid committing secrets.

Step 2: Create the Agent

Create a file named my_agent.py with the following code:

from dotenv import load_dotenv

load_dotenv()

from bedrock_agentcore import BedrockAgentCoreApp

from strands import Agent

app = BedrockAgentCoreApp()

agent = Agent()

@app.entrypoint

def invoke(payload):

user_message = payload.get("prompt", "Hello!")

result = agent(user_message)

return {"result": result.message}

if __name__ == "__main__":

app.run()

The Strands Agent uses Amazon Bedrock as the default model provider. When you call the agent(message), it invokes the configured foundation model (e.g., Claude Sonnet) behind the scenes using your AWS credentials.

Step 3: Test Locally

Run the agent locally with python my_agent.py. It starts a server on port 8080. From another terminal, send a test request:

1	curl -X POST http://localhost:8080/invocations -H "Content-Type: application/json" -d "{\"prompt\": \"Tell me a joke\"}"

If you receive a JSON response with the agent’s reply, your agent is working correctly.

Step 4: Configure and Deploy to AgentCore Runtime

Use the Amazon Bedrock AgentCore starter toolkit CLI to configure and deploy your agent:

1 2	agentcore configure -e my_agent.py -r ap-south-1 agentcore launch

The toolkit creates the necessary AWS resources, including AWS IAM execution roles, Amazon ECR repositories, or Amazon S3 buckets, and the Amazon Bedrock AgentCore Runtime. The default deployment mode is direct code deploy, which packages your Python code without requiring Docker. Check the deployment status with agentcore status.

Step 5: Secure with JWT Authentication (Inbound Auth)

To allow a frontend application to call your agent directly, you need inbound authentication. AgentCore supports two inbound auth modes: AWS IAM SigV4 (default) and JWT Bearer Token. For frontend-to-agent communication, JWT is the right choice.

Inbound auth controls who can call your agent. Outbound auth controls what external services your agent can access (like GitHub or Google Drive APIs). Think of inbound as the locked front door and outbound as the agent’s wallet full of keycards.

Set up Amazon Cognito as your identity provider:

Create an Amazon Cognito User Pool in the AWS Console (ap-south-1 region).
2. Create an App Client without a client secret (required for frontend/SPA apps).
3. Create a test user with an email and password.
4. Update the .bedrock_agentcore.yaml file with the JWT authorizer configuration, specifying the Cognito discovery URL and allowed client ID.
5. Redeploy with Amazon Bedrock AgentCore launch.

Step 6: Invoke the Deployed Agent

Get a JWT token from Amazon Cognito and invoke your agent:

1	aws cognito-idp initiate-auth --client-id YOUR_CLIENT_ID --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=user@example.com,PASSWORD=YourPass123! --region ap-south-1

Copy the AccessToken from the response and use it to invoke the agent:

1	agentcore invoke --bearer-token YOUR_ACCESS_TOKEN "{\"prompt\": \"Tell me a joke\"}"

You can also invoke programmatically from any system using boto3, passing the JWT token via the authorizationToken parameter in the invoke_agent_runtime call.

Conclusion

Amazon Bedrock AgentCore significantly reduces the operational overhead of deploying AI agents. With just a few lines of code and CLI commands, you can go from a local prototype to a production-ready, authenticated agent running on AWS.

The combination of Strands Agents for the framework, Amazon Bedrock for model access, and Amazon Cognito for authentication provides a complete, secure stack. Amazon Bedrock AgentCore is available in multiple regions, including ap-south-1 (Mumbai), making it accessible for teams across the globe.

Drop a query if you have any questions regarding Amazon Bedrock AgentCore and we will get back to you quickly.

Empowering organizations to become ‘data driven’ enterprises with our Cloud experts.

Reduced infrastructure costs
Timely data-driven decisions

Get Started

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. Do I need Docker to deploy an agent to Amazon Bedrock AgentCore Runtime?

ANS: – No. The default deployment mode is direct code deploy, which packages your Python code and uploads it without requiring Docker. Docker is only needed if you choose the –local or –local-build deployment modes.

2. Can I use an identity provider other than Amazon Cognito?

ANS: – Yes. Amazon Bedrock AgentCore’s JWT authorizer is identity provider agnostic. It works with any OAuth 2.0-compatible provider, including Okta, Microsoft EntraID, Auth0, and others. You need to provide the correct OpenID Connect discovery URL and client configuration.

3. What is the difference between inbound and outbound auth in Amazon Bedrock AgentCore?

ANS: – Inbound auth controls who can invoke your agent. It validates incoming requests using either IAM credentials or JWT tokens. Outbound auth manages the credentials your agent uses to access external services like GitHub, Google Drive, or third-party APIs. Amazon Bedrock AgentCore Identity securely stores these credentials and automatically refreshes tokens.

WRITTEN BY Venkata Kiran

Kiran works as an AI & Data Engineer with 4+ years of experience designing and deploying end-to-end AI/ML solutions across domains including healthcare, legal, and digital services. He is proficient in Generative AI, RAG frameworks, and LLM fine-tuning (GPT, LLaMA, Mistral, Claude, Titan) to drive automation and insights. Kiran is skilled in AWS ecosystem (Amazon SageMaker, Amazon Bedrock, AWS Glue) with expertise in MLOps, feature engineering, and real-time model deployment.