Amazon Web Services (AWS) has announced an update to its Bedrock AgentCore Identity service, enabling users to reference their own preconfigured secrets from AWS Secrets Manager. This new capability addresses a critical challenge in building production-ready AI agentic systems: securely passing credentials at runtime when agents need to call external APIs. Previously, AgentCore Identity automatically created and managed secrets, but customers lacked the ability to configure custom tags, rotation policies, or customer-managed AWS Key Management Service (AWS KMS) key encryption at the time of creation.

This enhancement matters because AI agents routinely need to call external tools and data sources, and each of those calls has to be authenticated. Hardcoding credentials in agent code or placing them in prompts exposes them to anyone who can read the source, the logs, or the model's output. By allowing users to reference existing, preconfigured AWS Secrets Manager secrets instead, AWS lets organizations apply their established secrets governance to AgentCore: the customer keeps full control over encryption configuration, rotation, replication, tags, and resource policies, so agent credentials are held to the same standard as any other enterprise secret.

The update has practical consequences for developers and enterprises deploying AI agents. Because the secret is an ordinary Secrets Manager resource that the customer owns, the controls already attached to it (customer-managed KMS keys, rotation schedules, tags, and resource policies) apply unchanged, which simplifies compliance evidence and tightens the security posture of agent workloads. The feature also supports referencing secrets that live in other AWS accounts within the same region, and secrets brought in through AWS Secrets Manager external connectors, which eases integration with third-party secret managers. For the cross-account case, note that Secrets Manager requires both a resource policy on the secret that grants the consuming account access and a customer-managed KMS key whose key policy permits that account to decrypt; a secret encrypted with the default AWS managed key (aws/secretsmanager) cannot be shared across accounts. This flexibility and control are what make it feasible to run AI agents in sensitive enterprise environments.
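Before handing a preconfigured secret to AgentCore Identity, a practitioner will want to verify it actually meets the governance bar described above. The following pre-flight check is an added example written for this page; it is not AWS or AgentCore code and calls no AgentCore API. It consumes the response shapes of the Secrets Manager `describe_secret` and `get_resource_policy` calls (the two sample responses below are constructed inline so the script runs offline), and it checks the properties the announcement lists: same-region placement, customer-managed KMS encryption, rotation, required tags, and a resource policy that grants only trusted accounts. The tag keys, the 90-day rotation ceiling, the account IDs, and the secret names are assumed values for illustration.

```python
import json

# Governance thresholds for the example; assumed values, not AWS defaults.
REQUIRED_TAGS = {"Owner", "DataClassification"}
MAX_ROTATION_DAYS = 90
AWS_MANAGED_KEY = "alias/aws/secretsmanager"  # default key; cannot be shared cross-account


def parse_arn(arn):
    """Return (region, account) from an ARN; IAM ARNs have an empty region slot."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[3], parts[4]


def principal_accounts(principal):
    """Account IDs named by a policy Principal element; '*' is kept literally."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(aws, str):
        aws = [aws]
    accounts = set()
    for p in aws:
        if p == "*":
            accounts.add("*")
        elif p.startswith("arn:"):
            accounts.add(parse_arn(p)[1])
        else:
            accounts.add(p)  # bare 12-digit account ID
    return accounts


def check_secret(desc, policy_json, agent_region, agent_account, trusted_accounts):
    """Return a list of findings for a describe_secret() response plus its
    get_resource_policy() document; an empty list means the secret is fit to reference."""
    findings = []
    region, owner = parse_arn(desc["ARN"])
    if region != agent_region:  # AgentCore references only same-region secrets
        findings.append(f"secret is in {region}, agent runs in {agent_region}")

    kms = desc.get("KmsKeyId")  # omitted when the secret uses the AWS managed key
    cmk = bool(kms) and AWS_MANAGED_KEY not in kms
    if not cmk:
        findings.append("secret is not encrypted with a customer-managed KMS key")

    if not desc.get("RotationEnabled"):
        findings.append("rotation is not enabled")
    else:
        days = desc.get("RotationRules", {}).get("AutomaticallyAfterDays")
        if days is None or days > MAX_ROTATION_DAYS:
            findings.append(f"rotation window {days} is missing or longer than {MAX_ROTATION_DAYS} days")

    tags = {t["Key"] for t in desc.get("Tags", [])}
    for missing in sorted(REQUIRED_TAGS - tags):
        findings.append(f"missing required tag {missing}")

    granted = set()
    for stmt in (json.loads(policy_json) if policy_json else {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        accts = principal_accounts(stmt.get("Principal", {}))
        if "*" in accts and "Condition" not in stmt:
            findings.append("resource policy grants anonymous access (Principal *)")
        granted |= accts - {"*"}
    for acct in sorted(granted - set(trusted_accounts)):
        findings.append(f"resource policy grants untrusted account {acct}")

    if owner != agent_account:  # cross-account reference
        if agent_account not in granted:
            findings.append(f"cross-account: policy does not grant agent account {agent_account}")
        if not cmk:
            findings.append("cross-account access requires a customer-managed KMS key")
    return findings


# Constructed sample responses (not captured from a real account).
GOOD_SECRET = {
    "ARN": "arn:aws:secretsmanager:us-east-1:999999999999:secret:crm-api-key-AbCdEf",
    "KmsKeyId": "arn:aws:kms:us-east-1:999999999999:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "RotationEnabled": True,
    "RotationRules": {"AutomaticallyAfterDays": 30},
    "Tags": [{"Key": "Owner", "Value": "platform"}, {"Key": "DataClassification", "Value": "confidential"}],
}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]})

WEAK_SECRET = {  # default key, no rotation, missing tag
    "ARN": "arn:aws:secretsmanager:us-east-1:999999999999:secret:crm-api-key-AbCdEf",
    "RotationEnabled": False,
    "Tags": [{"Key": "Owner", "Value": "platform"}],
}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]})


def audit_good():
    return check_secret(GOOD_SECRET, GOOD_POLICY, "us-east-1", "111122223333", {"111122223333"})


def audit_weak():
    return check_secret(WEAK_SECRET, WEAK_POLICY, "us-east-1", "111122223333", {"111122223333"})


if __name__ == "__main__":
    print("good:", audit_good())
    print("weak:", *audit_weak(), sep="\n  ")
```

Against a live account the same function takes the output of `client.describe_secret(SecretId=arn)` and `client.get_resource_policy(SecretId=arn).get("ResourcePolicy")` from a boto3 Secrets Manager client; run it from the agent's account so the cross-account branch evaluates the real consumer. The check deliberately treats a `Principal: "*"` without a `Condition` as a finding even when the statement is scoped to `GetSecretValue`, since the point of a preconfigured secret is that only the agent's account can read it.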