2026/03/10 - Amazon Bedrock AgentCore Control - 3 updated api methods
Changes: Adding first-class support for AG-UI protocol in AgentCore Runtime.
{'protocolConfiguration': {'serverProtocol': {'AGUI'}}}
Creates an Amazon Bedrock AgentCore Runtime.
See also: AWS API Documentation
Request Syntax
client.create_agent_runtime(
    agentRuntimeName='string',
    agentRuntimeArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14',
            'entryPoint': [
                'string',
            ]
        }
    },
    roleArn='string',
    networkConfiguration={
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ]
        }
    },
    clientToken='string',
    description='string',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ]
        }
    },
    requestHeaderConfiguration={
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    protocolConfiguration={
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    lifecycleConfiguration={
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    environmentVariables={
        'string': 'string'
    },
    tags={
        'string': 'string'
    }
)
agentRuntimeName (string) -- [REQUIRED]
The name of the AgentCore Runtime.
agentRuntimeArtifact (dict) -- [REQUIRED]
The artifact of the AgentCore Runtime.
containerConfiguration (dict) --
The container configuration for the agent artifact.
containerUri (string) -- [REQUIRED]
The ECR URI of the container.
codeConfiguration (dict) --
The code configuration for the agent runtime artifact, including the source code location and execution settings.
code (dict) -- [REQUIRED]
The source code location and configuration details.
s3 (dict) --
The Amazon S3 object that contains the source code for the agent runtime.
bucket (string) -- [REQUIRED]
The name of the Amazon S3 bucket. This bucket contains the stored data.
prefix (string) -- [REQUIRED]
The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.
versionId (string) --
The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.
runtime (string) -- [REQUIRED]
The runtime environment for executing the code (for example, Python 3.9 or Node.js 18).
entryPoint (list) -- [REQUIRED]
The entry point for the code execution, specifying the function or method that should be invoked when the code runs.
(string) --
roleArn (string) -- [REQUIRED]
The IAM role ARN that provides permissions for the AgentCore Runtime.
networkConfiguration (dict) -- [REQUIRED]
The network configuration for the AgentCore Runtime.
networkMode (string) -- [REQUIRED]
The network mode for the AgentCore Runtime.
networkModeConfig (dict) --
The network mode configuration for the AgentCore Runtime.
securityGroups (list) -- [REQUIRED]
The security groups associated with the VPC configuration.
(string) --
subnets (list) -- [REQUIRED]
The subnets associated with the VPC configuration.
(string) --
clientToken (string) --
A unique, case-sensitive identifier to ensure idempotency of the request.
This field is autopopulated if not provided.
description (string) --
The description of the AgentCore Runtime.
authorizerConfiguration (dict) --
The authorizer configuration for the AgentCore Runtime.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
requestHeaderConfiguration (dict) --
Configuration for HTTP request headers that will be passed through to the runtime.
requestHeaderAllowlist (list) --
A list of HTTP request headers that are allowed to be passed through to the runtime.
(string) --
protocolConfiguration (dict) --
The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.
serverProtocol (string) -- [REQUIRED]
The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.
lifecycleConfiguration (dict) --
The life cycle configuration for the AgentCore Runtime.
idleRuntimeSessionTimeout (integer) --
Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).
maxLifetime (integer) --
Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).
environmentVariables (dict) --
Environment variables to set in the AgentCore Runtime environment.
(string) --
(string) --
tags (dict) --
A map of tag keys and values to assign to the agent runtime. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.
(string) --
(string) --
Return type: dict
Response Syntax
{
    'agentRuntimeArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeId': 'string',
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}
Response Structure
(dict) --
agentRuntimeArn (string) --
The Amazon Resource Name (ARN) of the AgentCore Runtime.
workloadIdentityDetails (dict) --
The workload identity details for the AgentCore Runtime.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
agentRuntimeId (string) --
The unique identifier of the AgentCore Runtime.
agentRuntimeVersion (string) --
The version of the AgentCore Runtime.
createdAt (datetime) --
The timestamp when the AgentCore Runtime was created.
status (string) --
The current status of the AgentCore Runtime.
{'protocolConfiguration': {'serverProtocol': {'AGUI'}}}
Gets an Amazon Bedrock AgentCore Runtime.
See also: AWS API Documentation
Request Syntax
client.get_agent_runtime(
    agentRuntimeId='string',
    agentRuntimeVersion='string'
)
agentRuntimeId (string) -- [REQUIRED]
The unique identifier of the AgentCore Runtime to retrieve.
agentRuntimeVersion (string) --
The version of the AgentCore Runtime to retrieve.
Return type: dict
Response Syntax
{
    'agentRuntimeArn': 'string',
    'agentRuntimeName': 'string',
    'agentRuntimeId': 'string',
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'roleArn': 'string',
    'networkConfiguration': {
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ]
        }
    },
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING',
    'lifecycleConfiguration': {
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    'failureReason': 'string',
    'description': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeArtifact': {
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14',
            'entryPoint': [
                'string',
            ]
        }
    },
    'protocolConfiguration': {
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    'environmentVariables': {
        'string': 'string'
    },
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ]
        }
    },
    'requestHeaderConfiguration': {
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    'metadataConfiguration': {
        'requireMMDSV2': True|False
    }
}
Response Structure
(dict) --
agentRuntimeArn (string) --
The Amazon Resource Name (ARN) of the AgentCore Runtime.
agentRuntimeName (string) --
The name of the AgentCore Runtime.
agentRuntimeId (string) --
The unique identifier of the AgentCore Runtime.
agentRuntimeVersion (string) --
The version of the AgentCore Runtime.
createdAt (datetime) --
The timestamp when the AgentCore Runtime was created.
lastUpdatedAt (datetime) --
The timestamp when the AgentCore Runtime was last updated.
roleArn (string) --
The IAM role ARN that provides permissions for the AgentCore Runtime.
networkConfiguration (dict) --
The network configuration for the AgentCore Runtime.
networkMode (string) --
The network mode for the AgentCore Runtime.
networkModeConfig (dict) --
The network mode configuration for the AgentCore Runtime.
securityGroups (list) --
The security groups associated with the VPC configuration.
(string) --
subnets (list) --
The subnets associated with the VPC configuration.
(string) --
status (string) --
The current status of the AgentCore Runtime.
lifecycleConfiguration (dict) --
The life cycle configuration for the AgentCore Runtime.
idleRuntimeSessionTimeout (integer) --
Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).
maxLifetime (integer) --
Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).
failureReason (string) --
The reason for failure if the AgentCore Runtime is in a failed state.
description (string) --
The description of the AgentCore Runtime.
workloadIdentityDetails (dict) --
The workload identity details for the AgentCore Runtime.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
agentRuntimeArtifact (dict) --
The artifact of the AgentCore Runtime.
containerConfiguration (dict) --
The container configuration for the agent artifact.
containerUri (string) --
The ECR URI of the container.
codeConfiguration (dict) --
The code configuration for the agent runtime artifact, including the source code location and execution settings.
code (dict) --
The source code location and configuration details.
s3 (dict) --
The Amazon S3 object that contains the source code for the agent runtime.
bucket (string) --
The name of the Amazon S3 bucket. This bucket contains the stored data.
prefix (string) --
The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.
versionId (string) --
The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.
runtime (string) --
The runtime environment for executing the code (for example, Python 3.9 or Node.js 18).
entryPoint (list) --
The entry point for the code execution, specifying the function or method that should be invoked when the code runs.
(string) --
protocolConfiguration (dict) --
The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.
serverProtocol (string) --
The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.
environmentVariables (dict) --
Environment variables set in the AgentCore Runtime environment.
(string) --
(string) --
authorizerConfiguration (dict) --
The authorizer configuration for the AgentCore Runtime.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
requestHeaderConfiguration (dict) --
Configuration for HTTP request headers that will be passed through to the runtime.
requestHeaderAllowlist (list) --
A list of HTTP request headers that are allowed to be passed through to the runtime.
(string) --
metadataConfiguration (dict) --
Configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.
requireMMDSV2 (boolean) --
Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to true, the runtime microVM will only accept MMDSv2 requests.
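The response above exposes most of the settings a configuration review cares about: network mode, the JWT authorizer, artifact pinning, environment variables and the MMDSv2 requirement. The following audit is an added example, not part of the AWS documentation; `audit_runtime`, the check IDs, the secret-name heuristic and the sample values are assumptions made for illustration, and the input is a constructed dict in the documented response shape.

```python
import re

# Constructed sample, shaped like the get_agent_runtime response documented above.
SAMPLE_RUNTIME = {
    "agentRuntimeId": "example-runtime-id",
    "networkConfiguration": {"networkMode": "PUBLIC"},
    "protocolConfiguration": {"serverProtocol": "AGUI"},
    "agentRuntimeArtifact": {"codeConfiguration": {
        "code": {"s3": {"bucket": "example-bucket", "prefix": "agent/"}},
        "runtime": "PYTHON_3_13",
        "entryPoint": ["main.py"],
    }},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
    }},
    "environmentVariables": {"LOG_LEVEL": "info", "UPSTREAM_API_KEY": "constructed"},
    "metadataConfiguration": {"requireMMDSV2": False},
}

# Heuristic (an assumption of this example): names that usually hold credentials.
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|API_?KEY|CREDENTIAL", re.IGNORECASE)


def audit_runtime(rt):
    """Return sorted (check_id, detail) findings for one runtime description."""
    findings = []

    if rt.get("networkConfiguration", {}).get("networkMode") == "PUBLIC":
        findings.append(("network-public", "networkMode is PUBLIC, not VPC"))

    if rt.get("metadataConfiguration", {}).get("requireMMDSV2") is not True:
        findings.append(("mmds-v2-not-required",
                         "requireMMDSV2 is not true, so the microVM is not "
                         "limited to MMDSv2 requests"))

    authorizer = rt.get("authorizerConfiguration", {}).get("customJWTAuthorizer")
    if authorizer is None:
        findings.append(("jwt-authorizer-absent",
                         "no customJWTAuthorizer; confirm how inbound requests "
                         "are authenticated"))
    else:
        if not authorizer.get("discoveryUrl", "").startswith("https://"):
            findings.append(("jwt-discovery-not-https", "discoveryUrl is not HTTPS"))
        if not (authorizer.get("allowedAudience") or authorizer.get("allowedClients")):
            findings.append(("jwt-unrestricted",
                             "neither allowedAudience nor allowedClients is set"))

    artifact = rt.get("agentRuntimeArtifact", {})
    s3 = artifact.get("codeConfiguration", {}).get("code", {}).get("s3")
    if s3 is not None and not s3.get("versionId"):
        findings.append(("artifact-unpinned",
                         "S3 code has no versionId, so the latest object version is used"))
    uri = artifact.get("containerConfiguration", {}).get("containerUri")
    if uri and "@sha256:" not in uri:
        findings.append(("artifact-unpinned", "containerUri is not pinned by digest"))

    # Values come back in the get_agent_runtime response, so flag likely secrets.
    for name in rt.get("environmentVariables", {}):
        if SECRET_NAME.search(name):
            findings.append(("env-secret-name",
                             f"environment variable {name} looks like a credential"))
    return sorted(findings)


if __name__ == "__main__":
    for check_id, detail in audit_runtime(SAMPLE_RUNTIME):
        print(f"{check_id}: {detail}")
```

To run it against a live runtime, pass the dict returned by `client.get_agent_runtime(agentRuntimeId=...)` in place of the sample.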
{'protocolConfiguration': {'serverProtocol': {'AGUI'}}}
Updates an existing Amazon Secure Agent.
See also: AWS API Documentation
Request Syntax
client.update_agent_runtime(
    agentRuntimeId='string',
    agentRuntimeArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14',
            'entryPoint': [
                'string',
            ]
        }
    },
    roleArn='string',
    networkConfiguration={
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ]
        }
    },
    description='string',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ]
        }
    },
    requestHeaderConfiguration={
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    protocolConfiguration={
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    lifecycleConfiguration={
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    metadataConfiguration={
        'requireMMDSV2': True|False
    },
    environmentVariables={
        'string': 'string'
    },
    clientToken='string'
)
agentRuntimeId (string) -- [REQUIRED]
The unique identifier of the AgentCore Runtime to update.
agentRuntimeArtifact (dict) -- [REQUIRED]
The updated artifact of the AgentCore Runtime.
containerConfiguration (dict) --
The container configuration for the agent artifact.
containerUri (string) -- [REQUIRED]
The ECR URI of the container.
codeConfiguration (dict) --
The code configuration for the agent runtime artifact, including the source code location and execution settings.
code (dict) -- [REQUIRED]
The source code location and configuration details.
s3 (dict) --
The Amazon S3 object that contains the source code for the agent runtime.
bucket (string) -- [REQUIRED]
The name of the Amazon S3 bucket. This bucket contains the stored data.
prefix (string) -- [REQUIRED]
The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.
versionId (string) --
The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.
runtime (string) -- [REQUIRED]
The runtime environment for executing the code (for example, Python 3.9 or Node.js 18).
entryPoint (list) -- [REQUIRED]
The entry point for the code execution, specifying the function or method that should be invoked when the code runs.
(string) --
roleArn (string) -- [REQUIRED]
The updated IAM role ARN that provides permissions for the AgentCore Runtime.
networkConfiguration (dict) -- [REQUIRED]
The updated network configuration for the AgentCore Runtime.
networkMode (string) -- [REQUIRED]
The network mode for the AgentCore Runtime.
networkModeConfig (dict) --
The network mode configuration for the AgentCore Runtime.
securityGroups (list) -- [REQUIRED]
The security groups associated with the VPC configuration.
(string) --
subnets (list) -- [REQUIRED]
The subnets associated with the VPC configuration.
(string) --
description (string) --
The updated description of the AgentCore Runtime.
authorizerConfiguration (dict) --
The updated authorizer configuration for the AgentCore Runtime.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
requestHeaderConfiguration (dict) --
The updated configuration for HTTP request headers that will be passed through to the runtime.
requestHeaderAllowlist (list) --
A list of HTTP request headers that are allowed to be passed through to the runtime.
(string) --
protocolConfiguration (dict) --
The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.
serverProtocol (string) -- [REQUIRED]
The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.
lifecycleConfiguration (dict) --
The updated life cycle configuration for the AgentCore Runtime.
idleRuntimeSessionTimeout (integer) --
Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).
maxLifetime (integer) --
Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).
metadataConfiguration (dict) --
The updated configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.
requireMMDSV2 (boolean) -- [REQUIRED]
Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to true, the runtime microVM will only accept MMDSv2 requests.
environmentVariables (dict) --
Updated environment variables to set in the AgentCore Runtime environment.
(string) --
(string) --
clientToken (string) --
A unique, case-sensitive identifier to ensure idempotency of the request.
This field is autopopulated if not provided.
Return type: dict
Response Syntax
{
    'agentRuntimeArn': 'string',
    'agentRuntimeId': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}
Response Structure
(dict) --
agentRuntimeArn (string) --
The Amazon Resource Name (ARN) of the updated AgentCore Runtime.
agentRuntimeId (string) --
The unique identifier of the updated AgentCore Runtime.
workloadIdentityDetails (dict) --
The workload identity details for the updated AgentCore Runtime.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
agentRuntimeVersion (string) --
The version of the updated AgentCore Runtime.
createdAt (datetime) --
The timestamp when the AgentCore Runtime was created.
lastUpdatedAt (datetime) --
The timestamp when the AgentCore Runtime was last updated.
status (string) --
The current status of the updated AgentCore Runtime.
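update_agent_runtime requires agentRuntimeArtifact, roleArn and networkConfiguration on every call, and this page does not say how optional fields left out of the request are treated. The sketch below is an added example, not AWS code: it builds the update request from a get_agent_runtime response so that a single change (here, requiring MMDSv2) re-sends the authorizer, header allowlist and other settings explicitly, and it reports which settings a hand-written request would omit. `build_update_request`, `omitted_fields` and the sample values are hypothetical names and constructed data.

```python
import copy

# Top-level fields that get_agent_runtime returns and update_agent_runtime accepts.
CARRIED_FIELDS = (
    "agentRuntimeArtifact", "roleArn", "networkConfiguration", "description",
    "authorizerConfiguration", "requestHeaderConfiguration", "protocolConfiguration",
    "lifecycleConfiguration", "metadataConfiguration", "environmentVariables",
)
REQUIRED_FIELDS = ("agentRuntimeArtifact", "roleArn", "networkConfiguration")

# Constructed sample of a current runtime description (not real identifiers).
CURRENT = {
    "agentRuntimeId": "example-runtime-id",
    "agentRuntimeArn": "arn:example",  # placeholder, not sent on update
    "status": "READY",
    "roleArn": "arn:aws:iam::123456789012:role/example-agent-role",
    "networkConfiguration": {"networkMode": "VPC", "networkModeConfig": {
        "securityGroups": ["sg-example"], "subnets": ["subnet-example"]}},
    "agentRuntimeArtifact": {"containerConfiguration": {"containerUri": "example-uri"}},
    "protocolConfiguration": {"serverProtocol": "AGUI"},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        "allowedAudience": ["agent-api"]}},
    "metadataConfiguration": {"requireMMDSV2": False},
}


def build_update_request(current, **changes):
    """Merge `changes` over the current configuration into update kwargs."""
    unknown = sorted(set(changes) - set(CARRIED_FIELDS))
    if unknown:
        raise ValueError(f"not an updatable field: {unknown}")
    request = {"agentRuntimeId": current["agentRuntimeId"]}
    for field in CARRIED_FIELDS:
        value = changes.get(field, current.get(field))
        if value is not None:
            request[field] = copy.deepcopy(value)  # never alias the source dict
    missing = [f for f in REQUIRED_FIELDS if f not in request]
    if missing:
        raise ValueError(f"required by update_agent_runtime but absent: {missing}")
    return request


def omitted_fields(current, request):
    """Settings present on the runtime today that `request` would not re-send."""
    return [f for f in CARRIED_FIELDS if f in current and f not in request]


if __name__ == "__main__":
    request = build_update_request(CURRENT, metadataConfiguration={"requireMMDSV2": True})
    print(sorted(request))
    # With a real client: client.update_agent_runtime(**request)
```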