agents-connect

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

connect

连接

Give your AgentCore agent access to external APIs, tools, and services via the AgentCore Gateway — and control what it can access with Cedar policies.

通过AgentCore Gateway让你的AgentCore Agent访问外部API、工具和服务，并使用Cedar策略控制其访问权限。

When to use

适用场景

You want your agent to call an external API or MCP server
You want to expose Lambda functions as agent tools
You have an OpenAPI spec you want to turn into agent tools
Your agent needs credentials to call an external service
You want to restrict which tools your agent can call (Cedar policies)
You want role-based or amount-based access control on tool calls
A gateway connection, tool call, or policy authorization is failing

For adding Cedar policies to control tool access, load

references/policy.md

你希望你的Agent调用外部API或MCP服务器
你希望将Lambda函数作为Agent工具暴露
你有一个OpenAPI规范，想要将其转换为Agent工具
你的Agent需要凭证来调用外部服务
你希望限制你的Agent可以调用的工具（Cedar策略）
你希望对工具调用实施基于角色或基于用量的访问控制
网关连接、工具调用或策略授权失败

如需添加Cedar策略以控制工具访问，请加载

references/policy.md

。

Input

输入

$ARGUMENTS

is optional:

/connect                    # interactive — asks what you're connecting to
/connect mcp                # MCP server setup
/connect lambda             # Lambda function as tools
/connect openapi            # OpenAPI schema as tools
/connect credential         # Add a credential for outbound auth

$ARGUMENTS

为可选参数：

/connect                    # 交互式模式——询问你要连接的对象
/connect mcp                # MCP服务器设置
/connect lambda             # 将Lambda函数作为工具
/connect openapi            # 将OpenAPI schema作为工具
/connect credential         # 添加用于出站认证的凭证

Process

流程

Step 0: Verify CLI version

步骤0：验证CLI版本

Run

agentcore --version

. This skill requires v0.9.0 or later. If the version is older, tell the developer to run

agentcore update

before proceeding.

运行

agentcore --version

。本技能需要v0.9.0或更高版本。如果版本较旧，请告知开发者先运行

agentcore update

再继续。

Step 1: Read the project

步骤1：读取项目信息

Read

agentcore/agentcore.json

to understand:

What framework the project uses
What gateways and targets are already configured (in the
```
agentCoreGateways
```
array)

If no project context: Ask what they're trying to connect to and proceed with the appropriate pattern.

读取

agentcore/agentcore.json

以了解：

项目使用的框架
已配置的网关和目标（在
```
agentCoreGateways
```
数组中）

**如果没有项目上下文：**询问开发者想要连接的对象，然后按照相应模式进行操作。

Step 2: Identify what they're connecting to

步骤2：确定连接目标

Ask (or infer from

$ARGUMENTS

"What are you connecting your agent to?

An external MCP server (e.g., a third-party tool provider)

A Lambda function you've written

An API with an OpenAPI spec

An AWS API Gateway REST API

An external service with no OpenAPI spec, MCP server, or Lambda in front of it — and you can't add one"

Options 1–4 front the service as a Gateway target. This is the default path: the gateway handles outbound auth via its credential providers (so the agent code never sees the secret), the tool becomes discoverable over MCP, and policy engines can authorize or deny calls at the edge. Pick the target type that matches the service.

Option 5 is Path D — register a credential and call the API directly from agent code. This is the fallback when fronting isn't practical; the skill walks through when it's appropriate and when it isn't.

询问（或从

$ARGUMENTS

推断）：

"你要将Agent连接到什么服务？

外部MCP服务器（例如第三方工具提供商）

你编写的Lambda函数

带有OpenAPI规范的API

AWS API Gateway REST API

没有OpenAPI规范、MCP服务器或Lambda前置的外部服务——且你无法添加这些前置服务"

选项1-4将服务作为Gateway目标前置。这是默认路径：网关通过其凭证提供商处理出站认证（因此Agent代码永远不会接触到密钥），工具可通过MCP被发现，策略引擎可在边缘层授权或拒绝调用。选择与服务匹配的目标类型。

选项5为路径D——注册凭证并直接从Agent代码调用API。这是无法前置服务时的 fallback 方案；本技能会说明何时适用该方案，何时不适用。

Default: prefer a Gateway target over direct API calls in code

默认规则：优先使用Gateway目标，而非代码中的直接API调用

Before jumping into paths, set expectations. Most "my agent needs to call X" requests land on a Gateway target — not on

httpx

inside the entrypoint.

Why Gateway is the default:

Credential injection at the edge. Gateway's credential providers (OAuth, API key, IAM) attach auth to the outbound request. The agent code calls
```
session.call_tool(...)
```
— it never touches the secret. Agent code that does
```
client = openai.OpenAI(api_key=...)
```
is one leaked prompt / log line / traceback away from exfiltrating the key.
Discoverable tool catalog. Tools are listed by the MCP server; the framework (Strands, LangGraph, etc.) binds them automatically. Adding a tool is an
```
agentcore add gateway-target
```
+ redeploy, not a code change.
Policy enforcement. Cedar policies can authorize or deny tool calls per principal, per tool, per argument value. This is impossible when tool calls are buried in
```
httpx.post(...)
```
inside agent code.
Semantic search. Once the catalog has 20+ tools,
```
x_amz_bedrock_agentcore_search
```
selects the relevant ones per turn.

When a direct API call in agent code is the right answer:

Situation	Why Gateway isn't right	What to do
Streaming/bidirectional protocol (SSE with live output, WebSockets, WebRTC, long-polling)	Gateway's MCP transport doesn't front those yet	Direct call, Path D
Latency hot path where the MCP hop is measurable and the trade-off is accepted	Extra network hop	Direct call, Path D, with measurement to back the decision
Vendor proprietary protocol / binary SDK	No HTTP surface for Gateway to front	Use the vendor SDK directly, Path D for any secrets
Calling another agent via A2A	A2A is HTTP-by-design and has its own auth model	`agents-build/references/multi-agent.md` , not a Gateway target
AWS service SDK (S3, DynamoDB, SQS, etc.) the runtime already has IAM for	No auth value in fronting — adds hops	Direct boto3 call with the runtime's execution role

For every other case, recommend a Gateway target. If the developer insists on a direct call, ask which of the five situations above applies. If none, steer them back to a Gateway target.

Triage heuristic:

Service has an MCP server → Path A
Service is a Lambda function you control → Path B
Service has an OpenAPI spec (or you can generate one — FastAPI, ASP.NET, Spring, etc. generate OpenAPI automatically) → Path C
Service is already fronted by API Gateway → Path C (
```
--type api-gateway
```
)
None of the above and you can't add one → Path D

在进入具体路径之前，先明确预期。大多数“我的Agent需要调用X”的需求都应使用Gateway目标——而非在入口点内使用

httpx

。

Gateway成为默认方案的原因：

边缘层凭证注入。Gateway的凭证提供商（OAuth、API密钥、IAM）会将认证信息附加到出站请求中。Agent代码只需调用
```
session.call_tool(...)
```
——永远不会接触到密钥。如果Agent代码中出现
```
client = openai.OpenAI(api_key=...)
```
，那么只要有一处提示/日志/回溯泄露，密钥就会被窃取。
可发现的工具目录。工具由MCP服务器列出；框架（Strands、LangGraph等）会自动绑定这些工具。添加工具只需执行
```
agentcore add gateway-target
```
+ 重新部署，无需修改代码。
策略强制执行。Cedar策略可根据主体、工具、参数值授权或拒绝工具调用。当工具调用被隐藏在Agent代码的
```
httpx.post(...)
```
中时，这是无法实现的。
语义搜索。当目录中有20个以上工具时，
```
x_amz_bedrock_agentcore_search
```
会根据每一轮请求选择相关工具。

何时适合在Agent代码中直接调用API：

场景	Gateway不适用的原因	解决方案
流式/双向协议（带实时输出的SSE、WebSockets、WebRTC、长轮询）	Gateway的MCP传输目前不支持这些协议	直接调用，路径D
对延迟敏感的关键路径，且团队已接受MCP跳转带来的额外延迟	额外的网络跳转	直接调用，路径D，需有测量数据支撑该决策
供应商专有协议/二进制SDK	没有可供Gateway前置的HTTP接口	直接使用供应商SDK，路径D处理相关密钥
通过A2A调用另一个Agent	A2A本身基于HTTP，有自己的认证模型	`agents-build/references/multi-agent.md` ，而非Gateway目标
运行时已具备IAM权限的AWS服务SDK（S3、DynamoDB、SQS等）	前置没有认证价值——只会增加跳转	使用运行时的执行角色直接调用boto3

其他所有场景，都推荐使用Gateway目标。如果开发者坚持直接调用，请询问上述五种情况中哪一种适用。如果都不适用，请引导他们回到Gateway目标方案。

分类启发式规则：

服务有MCP服务器 → 路径A
服务是你控制的Lambda函数 → 路径B
服务有OpenAPI规范（或你可以生成一个——FastAPI、ASP.NET、Spring等会自动生成OpenAPI） → 路径C
服务已由API Gateway前置 → 路径C（
```
--type api-gateway
```
）
以上都不适用且无法添加前置服务 → 路径D

What Gateway is — and what it isn't

Gateway是什么——以及不是什么

Before choosing a target type, get the mental model right. Most Gateway confusion comes from having it flipped.

Gateway hosts tools for your agent to call. The direction is:

Your agent  ───→  Gateway  ───→  Lambda function / OpenAPI API / MCP server / Smithy model
             (agent calls tool)

The agent is the client. The Gateway fronts a catalog of tools. Each tool is a Gateway target (Lambda, OpenAPI, MCP server, API Gateway, Smithy).

Gateway is not an inbound reverse proxy for your agent. If you're building an app that needs to invoke your agent, the app does not go through a Gateway. The direction is:

Your app  ───→  AgentCore Runtime  (direct invoke_agent_runtime call)

The app signs the invocation with IAM SigV4 or presents a JWT. See

agents-build/references/integrate.md

for the app-side patterns.

在选择目标类型之前，先建立正确的认知模型。大多数对Gateway的困惑都源于对其方向的误解。

Gateway为你的Agent托管可调用的工具。方向如下：

你的Agent  ───→  Gateway  ───→  Lambda函数 / OpenAPI API / MCP服务器 / Smithy模型
             (Agent调用工具)

Agent是客户端。Gateway前置工具目录。每个工具都是一个Gateway目标（Lambda、OpenAPI、MCP服务器、API Gateway、Smithy）。

Gateway不是Agent的入站反向代理。如果你正在构建一个需要调用Agent的应用，该应用无需通过Gateway。方向如下：

你的应用  ───→  AgentCore Runtime  (直接调用invoke_agent_runtime)

应用使用IAM SigV4签名调用，或提供JWT。请查看

agents-build/references/integrate.md

了解应用端的模式。

When you're confused about which direction you need

当你对方向感到困惑时

Ask: who is calling whom?

"My agent needs to look up weather data" → agent is calling a tool → Gateway target (this skill, Paths A/B/C)
"My FastAPI app needs to call my agent" → app is calling the agent → direct invocation (not Gateway; use
```
agents-build/references/integrate.md
```
)
"My agent needs to fetch data from my FastAPI app" → agent is calling the app as a tool → Gateway target with the app exposed as an OpenAPI or REST target (Path C with your FastAPI's
```
/openapi.json
```
)

If you catch yourself configuring a Gateway target whose endpoint is

bedrock-agentcore.<region>.amazonaws.com

or pointing at your own runtime's URL, stop — you have the flow inverted.

问自己：谁在调用谁？

"我的Agent需要查询天气数据" → Agent调用工具 → Gateway目标（本技能，路径A/B/C）
"我的FastAPI应用需要调用我的Agent" → 应用调用Agent → 直接调用（非Gateway；使用
```
agents-build/references/integrate.md
```
）
"我的Agent需要从我的FastAPI应用获取数据" → Agent将应用作为工具调用 → Gateway目标，将应用暴露为OpenAPI或REST目标（路径C，使用FastAPI的
```
/openapi.json
```
）

如果你发现自己配置的Gateway目标端点是

bedrock-agentcore.<region>.amazonaws.com

或指向你自己的运行时URL，请停止——你搞反了流程。

What target type fits your tool

哪种目标类型适合你的工具

What the tool is	Target type	Notes
MCP server (third-party or your own)	`mcp-server`	Most common for MCP tool catalogs
AWS Lambda function you wrote	`lambda-function-arn`	Uses IAM auth automatically
HTTP API with an OpenAPI spec	`open-api-schema`	FastAPI's built-in `/openapi.json` works
AWS API Gateway REST API	`api-gateway`	For APIs already fronted by API Gateway
AWS service with a Smithy model	`smithy-model`	Direct AWS service integration

Your tool doesn't naturally have an OpenAPI spec and isn't an MCP server or Lambda? Either wrap it in a Lambda (simplest), generate an OpenAPI spec for it (FastAPI does this automatically), or front it with API Gateway.

工具类型	目标类型	说明
MCP服务器（第三方或自建）	`mcp-server`	MCP工具目录最常用的类型
你编写的AWS Lambda函数	`lambda-function-arn`	自动使用IAM认证
带有OpenAPI规范的HTTP API	`open-api-schema`	FastAPI内置的 `/openapi.json` 适用
AWS API Gateway REST API	`api-gateway`	适用于已由API Gateway前置的API
带有Smithy模型的AWS服务	`smithy-model`	直接集成AWS服务

如果你的工具天然没有OpenAPI规范，也不是MCP服务器或Lambda？可以将其包装在Lambda中（最简单）、为其生成OpenAPI规范（FastAPI会自动完成），或用API Gateway前置。

Step 3: Navigate the auth matrix

步骤3：梳理认证矩阵

This is the most common source of errors. The auth options depend on the target type, and the CLI exposes only a subset of what the API/SDK support.

What you're connecting to	CLI `--type`	Outbound auth via CLI	Additional options via API/SDK
External MCP server	`mcp-server`	`none` , `oauth` (2LO only)	OAuth 3LO ( `AUTHORIZATION_CODE` ); IAM (SigV4)
Lambda function	`lambda-function-arn`	`none` (default — direct invoke via gateway role), `oauth` (2LO) for OAuth-protected downstreams	OAuth 3LO
OpenAPI spec	`open-api-schema`	`oauth` (2LO), `api-key` (required — no `none` )	OAuth 3LO
AWS API Gateway	`api-gateway`	`none` , `api-key`	IAM ( `GATEWAY_IAM_ROLE` )
Smithy model	`smithy-model`	`oauth` (2LO)	IAM; OAuth 3LO

Two OAuth grant types, not one. The CLI's

--outbound-auth oauth

only configures 2-legged OAuth (client credentials / M2M). If the service requires 3-legged OAuth (

AUTHORIZATION_CODE

grant, user-delegated access), there is no CLI flag — you must configure the target via boto3 / the AWS SDK. See the CreateGatewayTarget docs for the

OAuthCredentialProvider

with

grantType: AUTHORIZATION_CODE

and

defaultReturnUrl

. 3LO applies to MCP, Lambda, OpenAPI, and Smithy targets. Call this out up front — developers who need 3LO will otherwise burn a round-trip trying CLI flags that don't exist.

IAM (SigV4) for MCP servers is configured via the AWS SDK/API (

CreateGatewayTarget

with

GATEWAY_IAM_ROLE

credential provider +

iamCredentialProvider.service

), not the CLI. It requires the MCP server to be hosted behind an AWS service that natively verifies SigV4: AgentCore Runtime, AgentCore Gateway, Amazon API Gateway, or Lambda Function URLs. ALB or direct EC2 endpoints do not verify SigV4 — use OAuth there instead. (MCP server target auth strategies)

API key auth for MCP server targets is not supported at the API level — not just a CLI gap. The MCP server targets docs list only "No authorization, OAuth, and IAM" as supported authorization strategies for MCP targets. If the MCP server uses an API key (a common pattern for third-party MCP providers), handle it in agent code via Path D.

Auth options change. If the matrix above doesn't match what the CLI accepts, check the current CLI help (

agentcore add gateway-target --help

) and the AWS docs — auth support per target type evolves across releases. If the

awsknowledge

MCP server is available, search for "AgentCore CreateGatewayTarget" to get the current API parameters.

CLI vs. API for gateway auth: The CLI covers

none

oauth

(2LO), and

api-key

. For IAM (SigV4) and 3-legged OAuth, use boto3 directly — the examples are in the Path A section below. The general pattern: create the gateway and target via CLI, deploy, then apply the advanced auth config via boto3 if the CLI doesn't support it.

Tell the developer which auth option applies to their target type before generating any commands.

这是最常见的错误来源。认证选项取决于目标类型，CLI仅暴露API/SDK支持的子集。

连接对象	CLI `--type`	CLI支持的出站认证	API/SDK支持的额外选项
外部MCP服务器	`mcp-server`	`none` , `oauth` （仅2LO）	OAuth 3LO（ `AUTHORIZATION_CODE` ）；IAM（SigV4）
Lambda函数	`lambda-function-arn`	`none` （默认——通过网关角色直接调用）， `oauth` （2LO）用于受OAuth保护的下游服务	OAuth 3LO
OpenAPI规范	`open-api-schema`	`oauth` （2LO）， `api-key` （必填——无 `none` 选项）	OAuth 3LO
AWS API Gateway	`api-gateway`	`none` , `api-key`	IAM（ `GATEWAY_IAM_ROLE` ）
Smithy模型	`smithy-model`	`oauth` （2LO）	IAM；OAuth 3LO

两种OAuth授权类型，而非一种。CLI的

--outbound-auth oauth

仅配置2-legged OAuth（客户端凭证/M2M）。如果服务需要3-legged OAuth（

AUTHORIZATION_CODE

授权，用户委托访问），则没有对应的CLI标志——你必须通过boto3/AWS SDK配置目标。请查看 CreateGatewayTarget文档了解带有

grantType: AUTHORIZATION_CODE

和

defaultReturnUrl

的

OAuthCredentialProvider

。3LO适用于MCP、Lambda、OpenAPI和Smithy目标。请提前说明这一点——需要3LO的开发者否则会浪费时间尝试不存在的CLI标志。

MCP服务器的IAM（SigV4） 通过AWS SDK/API配置（

CreateGatewayTarget

搭配

GATEWAY_IAM_ROLE

凭证提供商 +

iamCredentialProvider.service

），而非CLI。这要求MCP服务器托管在原生支持SigV4验证的AWS服务之后：AgentCore Runtime、AgentCore Gateway、Amazon API Gateway或Lambda Function URLs。ALB或直接EC2端点不验证SigV4——请改用OAuth。(MCP服务器目标认证策略)

MCP服务器目标不支持API密钥认证——这不仅是CLI的局限。MCP服务器目标文档列出MCP目标仅支持“无认证、OAuth和IAM”作为认证策略。如果MCP服务器使用API密钥（第三方MCP提供商的常见模式），请通过路径D在Agent代码中处理。

认证选项会变化。如果上述矩阵与CLI接受的选项不符，请查看当前CLI帮助（

agentcore add gateway-target --help

）和AWS文档——每个目标类型的认证支持会随着版本更新而演进。如果

awsknowledge

MCP服务器可用，请搜索“AgentCore CreateGatewayTarget”获取当前API参数。

网关认证的CLI vs API： CLI支持

none

、

oauth

（2LO）和

api-key

。对于IAM（SigV4）和3-legged OAuth，请直接使用boto3——示例在下方路径A部分。通用模式：通过CLI创建网关和目标，部署，然后如果CLI不支持，通过boto3应用高级认证配置。

在生成任何命令之前，告知开发者其目标类型适用的认证选项。

When your gateway has many tools, let the model search for them

当网关有大量工具时，让模型搜索工具

Once a gateway has more than a handful of tools — roughly 20+ — passing every tool definition to the model on every turn wastes tokens and degrades accuracy. The model does better when it sees only the tools relevant to the current request.

AgentCore Gateway has a built-in semantic search tool for exactly this. Your agent calls a single MCP tool named

x_amz_bedrock_agentcore_search

with a natural-language query, and the gateway returns the most relevant tools from its catalog. The agent then invokes the returned tools normally.

If a developer is considering building their own tool-selection layer with Bedrock Knowledge Bases, a vector store, or custom embeddings — stop them. The gateway already does this, evaluated against curated relevance criteria, with no infrastructure to manage.

Usage pattern (the agent calls this the same way it calls any other gateway tool):

python

undefined

一旦网关有大量工具——大约20个以上——在每一轮请求中将所有工具定义传递给模型会浪费token并降低准确性。模型只看到与当前请求相关的工具时表现更好。

AgentCore Gateway内置了语义搜索工具来解决这个问题。你的Agent只需调用一个名为

x_amz_bedrock_agentcore_search

的MCP工具，传入自然语言查询，网关就会从其目录中返回最相关的工具。然后Agent正常调用返回的工具。

如果开发者考虑用Bedrock知识库、向量存储或自定义嵌入构建自己的工具选择层——请阻止他们。网关已经实现了这个功能，并且是根据精心设计的相关性标准评估的，无需管理基础设施。

使用模式（Agent调用该工具的方式与调用其他网关工具相同）：

python

undefined

Via the MCP client, as a tool call

通过MCP客户端，作为工具调用

result = await session.call_tool( "x_amz_bedrock_agentcore_search", arguments={"query": "find tools related to processing refunds"} )

result = await session.call_tool( "x_amz_bedrock_agentcore_search", arguments={"query": "查找与处理退款相关的工具"} )

result.content lists the most relevant tools — the agent then invokes them

result.content列出最相关的工具——Agent随后调用这些工具


The feature works with any target type (Lambda, OpenAPI, MCP, API Gateway, Smithy). Enable it per gateway — see the [Search for tools in your AgentCore gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-using-mcp-semantic-search.html) docs for the exact API surface and framework-specific client code.

Rule of thumb: if a gateway has more than 20 tools, recommend enabling semantic search. For smaller catalogs, passing all tools directly is still fine.


该功能适用于任何目标类型（Lambda、OpenAPI、MCP、API Gateway、Smithy）。按网关启用——请查看 [在AgentCore网关中搜索工具](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-using-mcp-semantic-search.html) 文档了解确切的API接口和框架特定的客户端代码。

经验法则：如果网关有20个以上工具，建议启用语义搜索。对于较小的目录，直接传递所有工具仍然可行。

Passing custom headers from the caller to the agent

将调用方的自定义标头传递给Agent

If the developer needs callers to send custom HTTP headers (tenant IDs, correlation IDs, protocol-specific headers like

A2A-Version

, tracing headers, idempotency keys), the runtime's default is to strip most headers before they reach agent code. Load

agents-build/references/request-headers.md

for the allowlist configuration and prefix pattern.

This is about inbound calls to your agent, not outbound calls to tools — but developers hit it often enough that it's worth mentioning here.

如果开发者需要调用方发送自定义HTTP标头（租户ID、关联ID、特定协议标头如

A2A-Version

、追踪标头、幂等键），运行时默认会在标头到达Agent代码之前剥离大部分标头。请加载

agents-build/references/request-headers.md

了解允许列表配置和前缀模式。

这是关于对Agent的入站调用，而非对工具的出站调用——但开发者经常遇到这个问题，因此值得在此提及。

Path A: MCP server

路径A：MCP服务器

Add a gateway (if none exists)

添加网关（如果不存在）

[!WARNING] Never deploy a gateway without inbound authentication to production. A gateway with no authorizer exposes all connected tools (Lambda, MCP, OpenAPI) to any caller who knows the URL — functionally equivalent to --authorizer-type NONE on the runtime. Always use --authorizer-type CUSTOM_JWT or AWS_IAM for production gateways. The no-auth form (agentcore add gateway --name X) is for local testing only.

bash

undefined

[!WARNING] 切勿将无入站认证的网关部署到生产环境。没有授权器的网关会将所有连接的工具（Lambda、MCP、OpenAPI）暴露给任何知道URL的调用方——功能上等同于运行时的 --authorizer-type NONE。生产网关始终使用 --authorizer-type CUSTOM_JWT 或 AWS_IAM。无认证形式（agentcore add gateway --name X）仅用于本地测试。

bash

undefined

Development (no inbound auth — for testing only)

开发环境（无入站认证——仅用于测试）

agentcore add gateway --name MyGateway

Production (JWT inbound auth)

生产环境（JWT入站认证）

agentcore add gateway
--name MyGateway
--authorizer-type CUSTOM_JWT
--discovery-url https://your-idp.example.com/.well-known/openid-configuration
--allowed-audience my-api
--allowed-clients my-client-id

undefined

undefined

Add the MCP server as a target

将MCP服务器添加为目标

bash

undefined

bash

undefined

No outbound auth (public MCP server)

无出站认证（公开MCP服务器）

agentcore add gateway-target
--type mcp-server
--name WeatherTools
--endpoint https://mcp.example.com/mcp
--gateway MyGateway

OAuth outbound auth (2-legged — client credentials / M2M)

OAuth出站认证（2-legged——客户端凭证/M2M）

agentcore add gateway-target
--type mcp-server
--name WeatherTools
--endpoint https://mcp.example.com/mcp
--gateway MyGateway
--outbound-auth oauth
--oauth-client-id your-client-id
--oauth-client-secret your-client-secret
--oauth-discovery-url https://auth.example.com/.well-known/openid-configuration
--oauth-scopes read,write


Note: The CLI `--outbound-auth` flag supports `oauth` (2LO / client credentials) or `none` for MCP servers.

- **3-legged OAuth (`AUTHORIZATION_CODE` grant)** — user-delegated access — is supported by the API but has no CLI path. Configure via boto3 `create_gateway_target` with `OAuthCredentialProvider.grantType = "AUTHORIZATION_CODE"` and `defaultReturnUrl`. See [Connecting to an OAuth-protected MCP server using Authorization Code flow](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-target-MCPservers.html#gateway-target-MCPservers-auth-code-grant-flow).
- **IAM (SigV4)** for MCP servers hosted on AgentCore Runtime, another AgentCore Gateway, API Gateway, or Lambda Function URLs is configured via the AWS SDK/API (not the CLI) — use `CreateGatewayTarget` with `GATEWAY_IAM_ROLE` credential provider and an `iamCredentialProvider.service` value.
- **API key auth** is not supported for MCP server targets at the API level (the MCP target docs list only no-auth, OAuth, and IAM as strategies) — if the MCP server uses an API key, handle it in agent code directly (see Path D).


注意：CLI `--outbound-auth` 标志支持MCP服务器的 `oauth`（2LO/客户端凭证）或 `none`。

- **3-legged OAuth（`AUTHORIZATION_CODE`授权）**——用户委托访问——受API支持但无CLI路径。通过boto3 `create_gateway_target` 配置，设置 `OAuthCredentialProvider.grantType = "AUTHORIZATION_CODE"` 和 `defaultReturnUrl`。请查看 [使用授权码流连接受OAuth保护的MCP服务器](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-target-MCPservers.html#gateway-target-MCPservers-auth-code-grant-flow)。
- **IAM（SigV4）** 适用于托管在AgentCore Runtime、另一个AgentCore Gateway、API Gateway或Lambda Function URLs上的MCP服务器，通过AWS SDK/API配置（非CLI）——使用带有 `GATEWAY_IAM_ROLE` 凭证提供商和 `iamCredentialProvider.service` 值的 `CreateGatewayTarget`。
- **API密钥认证** 在API层面不支持MCP服务器目标（MCP目标文档仅列出无认证、OAuth和IAM作为策略）——如果MCP服务器使用API密钥，请直接在Agent代码中处理（查看路径D）。

Deploy and get the gateway URL

部署并获取网关URL

bash

agentcore deploy -y
agentcore fetch access --name MyGateway

The gateway URL is injected as

AGENTCORE_GATEWAY_<NAME>_URL

after deploy.

bash

agentcore deploy -y
agentcore fetch access --name MyGateway

部署后，网关URL会被注入为

AGENTCORE_GATEWAY_<NAME>_URL

。

Generate gateway client code

生成网关客户端代码

Framework-agnostic MCP client:

python

import os
import asyncio
from mcp import ClientSession
from mcp.client.streamable_http import streamablehttp_client

框架无关的MCP客户端：

python

import os
import asyncio
from mcp import ClientSession
from mcp.client.streamable_http import streamablehttp_client

Injected by AgentCore after deploy. Format: AGENTCORE_GATEWAY_<UPPERCASENAME>_URL

部署后由AgentCore注入。格式：AGENTCORE_GATEWAY_<UPPERCASENAME>_URL

GATEWAY_URL = os.getenv("AGENTCORE_GATEWAY_MYGATEWAY_URL")

async def get_gateway_tools(): """Discover tools from the gateway. Returns empty list if not deployed.""" if not GATEWAY_URL: return [] async with streamablehttp_client(GATEWAY_URL) as (read, write, _): async with ClientSession(read, write) as session: await session.initialize() result = await session.list_tools() return result.tools

async def call_gateway_tool(tool_name: str, arguments: dict): """Call a specific tool through the gateway.""" if not GATEWAY_URL: raise RuntimeError("Gateway not available in local dev — deploy first") async with streamablehttp_client(GATEWAY_URL) as (read, write, _): async with ClientSession(read, write) as session: await session.initialize() return await session.call_tool(tool_name, arguments)


**For Strands**, pass gateway tools directly to the agent:

```python
from mcp.client.streamable_http import streamablehttp_client
from mcp import ClientSession
from strands import Agent
from bedrock_agentcore.runtime import BedrockAgentCoreApp
from model.load import load_model  # scaffolded by `agentcore create`

app = BedrockAgentCoreApp()
GATEWAY_URL = os.getenv("AGENTCORE_GATEWAY_MYGATEWAY_URL")

@app.entrypoint
def invoke(payload, context):
    if not GATEWAY_URL:
        # Local dev — run without gateway tools
        agent = Agent(model=load_model())
        return {"response": str(agent(payload.get("prompt", "")))}

    # Deployed — discover and use gateway tools
    tools = asyncio.run(get_gateway_tools())
    agent = Agent(
        model=load_model(),
        tools=tools,
    )
    return {"response": str(agent(payload.get("prompt", "")))}

if __name__ == "__main__":
    app.run()

For LangGraph, add gateway tools to the tool node:

python

from langchain_mcp_adapters.client import MultiServerMCPClient

@app.entrypoint
def agent_invocation(payload, context):
    if not GATEWAY_URL:
        tools = []
    else:
        # Use LangChain MCP adapter to get tools as LangChain-compatible tools
        client = MultiServerMCPClient({"gateway": {"url": GATEWAY_URL, "transport": "streamable_http"}})
        tools = asyncio.run(client.get_tools())

    llm_with_tools = llm.bind_tools(tools)
    # ... rest of your LangGraph graph ...

GATEWAY_URL = os.getenv("AGENTCORE_GATEWAY_MYGATEWAY_URL")

async def get_gateway_tools(): """从网关发现工具。如果未部署则返回空列表。""" if not GATEWAY_URL: return [] async with streamablehttp_client(GATEWAY_URL) as (read, write, _): async with ClientSession(read, write) as session: await session.initialize() result = await session.list_tools() return result.tools

async def call_gateway_tool(tool_name: str, arguments: dict): """通过网关调用特定工具。""" if not GATEWAY_URL: raise RuntimeError("本地开发中网关不可用——请先部署") async with streamablehttp_client(GATEWAY_URL) as (read, write, _): async with ClientSession(read, write) as session: await session.initialize() return await session.call_tool(tool_name, arguments)


**对于Strands**，直接将网关工具传递给Agent：

```python
from mcp.client.streamable_http import streamablehttp_client
from mcp import ClientSession
from strands import Agent
from bedrock_agentcore.runtime import BedrockAgentCoreApp
from model.load import load_model  # 由`agentcore create`生成脚手架代码

app = BedrockAgentCoreApp()
GATEWAY_URL = os.getenv("AGENTCORE_GATEWAY_MYGATEWAY_URL")

@app.entrypoint
def invoke(payload, context):
    if not GATEWAY_URL:
        # 本地开发——不使用网关工具运行
        agent = Agent(model=load_model())
        return {"response": str(agent(payload.get("prompt", "")))}

    # 已部署——发现并使用网关工具
    tools = asyncio.run(get_gateway_tools())
    agent = Agent(
        model=load_model(),
        tools=tools,
    )
    return {"response": str(agent(payload.get("prompt", "")))}

if __name__ == "__main__":
    app.run()

对于LangGraph，将网关工具添加到工具节点：

python

from langchain_mcp_adapters.client import MultiServerMCPClient

@app.entrypoint
def agent_invocation(payload, context):
    if not GATEWAY_URL:
        tools = []
    else:
        # 使用LangChain MCP适配器将工具转换为LangChain兼容的工具
        client = MultiServerMCPClient({"gateway": {"url": GATEWAY_URL, "transport": "streamable_http"}})
        tools = asyncio.run(client.get_tools())

    llm_with_tools = llm.bind_tools(tools)
    # ... 你的LangGraph图的其余部分 ...

Path B: Lambda function as tools

路径B：将Lambda函数作为工具

bash

agentcore add gateway-target \
  --type lambda-function-arn \
  --name MyTools \
  --lambda-arn arn:aws:lambda:us-east-1:123456789012:function:my-tools \
  --tool-schema-file tools.json \
  --gateway MyGateway

The

tools.json

defines the tool schemas:

json

{
  "inlinePayload": [
    {
      "name": "get_weather",
      "description": "Get current weather for a city",
      "inputSchema": {
        "type": "object",
        "properties": {
          "city": {"type": "string", "description": "City name"}
        },
        "required": ["city"]
      }
    }
  ]
}

Auth: Lambda targets use IAM role auth automatically — no

--outbound-auth

flag. The gateway's execution role needs

lambda:InvokeFunction

on the Lambda ARN.

Use the same MCP client code from Path A to call the tools.

bash

agentcore add gateway-target \
  --type lambda-function-arn \
  --name MyTools \
  --lambda-arn arn:aws:lambda:us-east-1:123456789012:function:my-tools \
  --tool-schema-file tools.json \
  --gateway MyGateway

tools.json

定义工具schema：

json

{
  "inlinePayload": [
    {
      "name": "get_weather",
      "description": "获取城市当前天气",
      "inputSchema": {
        "type": "object",
        "properties": {
          "city": {"type": "string", "description": "城市名称"}
        },
        "required": ["city"]
      }
    }
  ]
}

认证： Lambda目标自动使用IAM角色认证——无需

--outbound-auth

标志。网关的执行角色需要对Lambda ARN拥有

lambda:InvokeFunction

权限。

使用路径A中的MCP客户端代码调用工具。

Path C: OpenAPI spec as tools

路径C：将OpenAPI规范作为工具

bash

undefined

bash

undefined

From a local file (api-key auth)

本地文件（API密钥认证）

agentcore add credential --name MyAPIKey --api-key sk-...

agentcore add gateway-target
--type open-api-schema
--name MyAPI
--schema specs/api.json
--gateway MyGateway
--outbound-auth api-key
--credential-name MyAPIKey


**Auth is required** for OpenAPI targets — either `oauth` (client credentials or authorization code) or `api-key`.

⚠️ **Security note:** `--api-key` appears in shell history. Two safer options:

1. **Interactive prompt (recommended):** run `agentcore add credential --name MyAPIKey --type api-key` without `--api-key` — the CLI will prompt, and the value goes straight into the credential provider (Secrets Manager-backed) without hitting your shell history.
2. **Edit `agentcore.json` + `.env.local` for local dev only:** if you need the credential to work under `agentcore dev`, put the value in `agentcore/.env.local` (gitignored). This file is read by the local dev server only — it is **not** uploaded to runtime on deploy. The deployed runtime gets the value from the credential provider.

Do **not** try to ship a credential to the deployed runtime via environment variables — AgentCore Runtime env vars are not vault-backed. Register the credential once with `agentcore add credential` and reference it by name in the gateway target or in code (Path D).

---

agentcore add credential --name MyAPIKey --api-key sk-...

agentcore add gateway-target
--type open-api-schema
--name MyAPI
--schema specs/api.json
--gateway MyGateway
--outbound-auth api-key
--credential-name MyAPIKey


**OpenAPI目标必须配置认证**——要么是 `oauth`（客户端凭证或授权码），要么是 `api-key`。

⚠️ **安全注意：** `--api-key` 会出现在shell历史中。有两种更安全的选项：

1. **交互式提示（推荐）：** 运行 `agentcore add credential --name MyAPIKey --type api-key` 时不带 `--api-key` 参数——CLI会提示输入，值会直接进入凭证提供商（基于Secrets Manager），不会出现在你的shell历史中。
2. **仅本地开发：编辑 `agentcore.json` + `.env.local`**：如果需要凭证在 `agentcore dev` 下工作，将值放入 `agentcore/.env.local`（已加入git忽略）。该文件仅被本地开发服务器读取——**不会**在部署时上传到运行时。已部署的运行时会从凭证提供商获取值。

请勿尝试通过环境变量将凭证发送到已部署的运行时——AgentCore Runtime环境变量不具备 vault 支持。使用 `agentcore add credential` 注册一次凭证，然后在网关目标或代码中（路径D）按名称引用。

---

Path D: Credentials for use in agent code

路径D：在Agent代码中使用凭证

For calling APIs directly in agent code (not through a gateway target).

用于直接在Agent代码中调用API（不通过网关目标）。

Before you reach for Path D, check if it's actually the right path

在选择路径D之前，先确认这是否是正确的路径

Path D is the fallback, not the starting point. For most external services, a Gateway target (Paths A–C) is safer and less code. Before generating Path D code, confirm one of these applies:

The service uses a streaming/bidirectional protocol Gateway doesn't front (SSE with live output, WebSockets, WebRTC)
It's a measurably latency-critical hot path and the team has accepted the trade-off
The client is a vendor binary SDK with no HTTP surface
It's an AWS service SDK where the runtime's execution role already has IAM permissions (in which case: use the SDK directly — no credential registration needed)
The developer has a specific blocker (e.g., the service ships an OpenAI-shaped API the vendor's SDK wraps, and rebuilding the SDK call as a Gateway target would be a regression)

If none of those applies, route back to Path A/B/C:

"Before we wire up a credential for direct use in agent code, can we front this as a Gateway target instead? Gateway injects the credential at the edge — your agent code never touches the secret — and the tool becomes policy-enforceable. If SERVICE has an OpenAPI spec, MCP server, or Lambda function in front of it, Path C / A / B is the better fit. Which one applies?"

Only continue into the rest of Path D when the developer confirms a legitimate reason Gateway won't work.

路径D是fallback方案，而非起点。对于大多数外部服务，Gateway目标（路径A-C）更安全且代码更少。在生成路径D代码之前，请确认以下情况之一适用：

服务使用Gateway不支持的流式/双向协议（带实时输出的SSE、WebSockets、WebRTC）
它是对延迟敏感的关键路径，且团队已接受权衡
客户端是没有HTTP接口的供应商二进制SDK
它是运行时执行角色已具备IAM权限的AWS服务SDK（这种情况下：直接使用SDK——无需注册凭证）
开发者有特定障碍（例如，服务提供了供应商SDK封装的类OpenAI API，将SDK调用重构为Gateway目标会导致功能退化）

如果以上情况都不适用，请引导回到路径A/B/C：

"在我们为Agent代码中的直接使用配置凭证之前，能否将该服务作为Gateway目标前置？Gateway会在边缘层注入凭证——你的Agent代码永远不会接触到密钥——且工具可被策略强制执行。如果SERVICE有OpenAPI规范、MCP服务器或Lambda前置，路径C/A/B是更好的选择。哪一种适用？"

只有当开发者确认Gateway确实无法工作的合理原因时，才继续路径D的其余部分。

Register the credential

注册凭证

bash

undefined

bash

undefined

API key

API密钥

agentcore add credential --name OpenAI --api-key sk-...

OAuth (machine-to-machine)

OAuth（机器到机器）

agentcore add credential
--name MyOAuthProvider
--type oauth
--discovery-url https://idp.example.com/.well-known/openid-configuration
--client-id my-client-id
--client-secret my-client-secret
--scopes read,write


⚠️ **Security note:** `--api-key` and `--client-secret` appear in shell history. Run the command without those flags to get an interactive prompt — the value goes straight into the credential provider without touching your shell history.

**For local dev only**, put the same value in `agentcore/.env.local` (gitignored) so `agentcore dev` can resolve the decorator locally. The deployed runtime ignores `.env.local` and fetches the secret from the credential provider at call time — **never** ship secrets as runtime environment variables.


⚠️ **安全注意：** `--api-key` 和 `--client-secret` 会出现在shell历史中。运行命令时不带这些标志，获取交互式提示——值会直接进入凭证提供商，不会接触你的shell历史。

**仅本地开发**，将相同的值放入 `agentcore/.env.local`（已加入git忽略），以便 `agentcore dev` 可以在本地解析装饰器。已部署的运行时会忽略 `.env.local`，并在调用时从凭证提供商获取密钥——**切勿**将密钥作为运行时环境变量发布。

Use credentials in agent code

在Agent代码中使用凭证

Use the

@requires_api_key

@requires_access_token

decorators — they handle token caching and refresh automatically. The decorators work with both sync and async functions:

python

from bedrock_agentcore.identity.auth import requires_api_key, requires_access_token

使用

@requires_api_key

或

@requires_access_token

装饰器——它们会自动处理token缓存和刷新。这些装饰器适用于同步和异步函数：

python

from bedrock_agentcore.identity.auth import requires_api_key, requires_access_token

Sync function — decorator injects the fetched key via keyword arg

同步函数——装饰器通过关键字参数注入获取的密钥

@requires_api_key(provider_name="OpenAI") def call_openai(prompt: str, *, api_key: str) -> str: import openai client = openai.OpenAI(api_key=api_key) response = client.chat.completions.create( model="gpt-4o", messages=[{"role": "user", "content": prompt}] ) return response.choices[0].message.content

Async function — same decorator, async def

异步函数——相同的装饰器，使用async def

@requires_access_token( provider_name="MyOAuthProvider", scopes=["read", "write"], auth_flow="M2M", ) async def call_my_api(data: dict, *, access_token: str) -> dict: import httpx async with httpx.AsyncClient() as client: response = await client.post( "https://api.example.com/endpoint", headers={"Authorization": f"Bearer {access_token}"}, json=data, ) return response.json()


The decorator itself handles the token lifecycle — you don't need to make the function async just to use it. Parameters are keyword-only (`*, api_key: str` or `*, access_token: str`) — the decorator injects them.

**Local dev:** In `agentcore dev`, credentials are read from `agentcore/.env.local`. The decorator pattern works the same way locally and deployed.

---


装饰器本身会处理token生命周期——你无需为了使用它而将函数设为异步。参数是仅关键字参数（`*, api_key: str` 或 `*, access_token: str`）——装饰器会注入这些参数。

**本地开发：** 在 `agentcore dev` 中，凭证从 `agentcore/.env.local` 读取。装饰器模式在本地和部署环境中的工作方式相同。

---

Local dev gap

本地开发差距

[!WARNING] Gateway URLs (AGENTCORE_GATEWAY_*_URL) are only available after deploy. In agentcore dev, these env vars are not set. Always check before using:
python
GATEWAY_URL = os.getenv("AGENTCORE_GATEWAY_MYGATEWAY_URL")
if not GATEWAY_URL:
    # run without gateway tools in local dev
Never assume the gateway is available locally.

[!WARNING] 网关URL（AGENTCORE_GATEWAY_*_URL）仅在部署后可用。在agentcore dev中，这些环境变量未设置。使用前务必检查：
python
GATEWAY_URL = os.getenv("AGENTCORE_GATEWAY_MYGATEWAY_URL")
if not GATEWAY_URL:
    # 本地开发中不使用网关工具运行
切勿假设网关在本地可用。

Troubleshooting

故障排除

"mcp-server target doesn't support api-key auth" Correct — API key auth is not supported for MCP server targets at the API level (MCP target auth strategies). Options: OAuth (2LO or 3LO), IAM (for MCP servers hosted on AgentCore Runtime, API Gateway, or Lambda Function URLs), or Path D — manage the credential in agent code and call the MCP server directly.

"I need 3LO / authorization-code OAuth but
--outbound-auth oauth
doesn't ask for a return URL" The CLI only configures 2LO (client credentials). 3-legged OAuth requires boto3 — call

create_gateway_target

with

credentialProviderType: OAUTH

grantType: AUTHORIZATION_CODE

, and

defaultReturnUrl

. See Connecting to an OAuth-protected MCP server using Authorization Code flow.

"api-gateway target doesn't support oauth" Use

api-key

none

for API Gateway targets.

Gateway URL not set after deploy Run

agentcore fetch access --name MyGateway

to get the URL. Check

agentcore status --type gateway

to verify the gateway is deployed.

Tool calls failing with auth errors Check

agentcore logs --runtime MyAgent --since 1h --level error

for the specific error. Common causes: expired OAuth token, wrong credential name, IAM permission missing.

"Adding gateway to existing agent" workaround The CLI recommends creating a throwaway agent to copy gateway client code. This skill generates the code directly — no workaround needed.

MCP clients (Claude Desktop, claude.ai) can't auto-connect to Gateway AgentCore Gateway does not currently implement the MCP OAuth spec endpoints (RFC 8414 OAuth Authorization Server Metadata, RFC 7591 Dynamic Client Registration). MCP clients that expect to auto-discover OAuth config and register themselves — like Claude Desktop and claude.ai — cannot connect without manual credential configuration. The workaround is to manually obtain the Cognito

client_id

and

client_secret

and enter them in the MCP client's advanced settings. This is a platform limitation, not a config error.

"mcp-server目标不支持api-key认证" 正确——API密钥认证在API层面不支持MCP服务器目标(MCP目标认证策略)。选项：OAuth（2LO或3LO）、IAM（适用于托管在AgentCore Runtime、API Gateway或Lambda Function URLs上的MCP服务器），或路径D——在Agent代码中管理凭证并直接调用MCP服务器。

"我需要3LO/授权码OAuth，但
--outbound-auth oauth
不询问返回URL" CLI仅配置2LO（客户端凭证）。3-legged OAuth需要boto3——调用

create_gateway_target

，设置

credentialProviderType: OAUTH

、

grantType: AUTHORIZATION_CODE

和

defaultReturnUrl

。请查看使用授权码流连接受OAuth保护的MCP服务器。

"api-gateway目标不支持oauth" 对API Gateway目标使用

api-key

或

none

。

部署后网关URL未设置 运行

agentcore fetch access --name MyGateway

获取URL。运行

agentcore status --type gateway

验证网关是否已部署。

工具调用因认证错误失败 运行

agentcore logs --runtime MyAgent --since 1h --level error

查看具体错误。常见原因：OAuth token过期、凭证名称错误、缺少IAM权限。

"向现有Agent添加网关"的解决方法 CLI建议创建一个临时Agent来复制网关客户端代码。本技能直接生成代码——无需解决方法。

MCP客户端（Claude Desktop、claude.ai）无法自动连接到Gateway AgentCore Gateway目前未实现MCP OAuth规范端点（RFC 8414 OAuth授权服务器元数据、RFC 7591动态客户端注册）。期望自动发现OAuth配置并注册自身的MCP客户端——如Claude Desktop和claude.ai——无法在不手动配置凭证的情况下连接。解决方法是手动获取Cognito

client_id

和

client_secret

，并在MCP客户端的高级设置中输入。这是平台限制，而非配置错误。

Output

输出

A clear recommendation on Gateway target vs direct API call, grounded in the five cases where direct is legitimate
CLI commands to set up the gateway and target (or to register the credential, if Path D is the right call)
Framework-specific gateway client code
Credential setup (avoiding shell history exposure, never stored in runtime env vars)
Local dev gap handling

关于Gateway目标vs直接API调用的明确建议，基于直接调用合法的五种情况
设置网关和目标的CLI命令（如果路径D是正确选择，则为注册凭证的命令）
框架特定的网关客户端代码
凭证设置（避免暴露shell历史，永远不存储在运行时环境变量中）
本地开发差距处理