Bedrock AgentCore Runtime L3 Construct
This construct provides a high-level abstraction for creating Amazon Bedrock AgentCore Runtimes with Docker container deployment.
Features
- Custom Runtime Deployment: Deploy custom agent runtimes using Docker containers
- Docker Image Management: Build and push Docker images to ECR or use existing images
- IAM Role Management: Automatic creation of IAM roles with required permissions
- VPC Network Configuration: Secure VPC deployment (required for all runtimes)
- JWT Authorization: Configure custom JWT authorizers for access control
- Lifecycle Management: Configure session timeouts and maximum lifetimes
- Runtime Endpoints: Create endpoints for runtime invocation
- SSM Parameter Storage: Automatic storage of runtime ARNs and IDs
Usage
import { BedrockAgentcoreRuntimeL3Construct } from '@aws-mdaa/bedrock-agentcore-runtime-l3-construct';
const runtime = new BedrockAgentcoreRuntimeL3Construct(this, 'MyRuntime', {
agentRuntimeName: 'my-agent-runtime',
description: 'Custom agent runtime for development',
agentRuntimeArtifact: {
containerConfiguration: {
codePath: './agent-code',
platform: 'linux/arm64'
}
},
networkConfiguration: {
securityGroups: ['sg-12345678'],
subnets: ['subnet-12345678', 'subnet-87654321']
},
environmentVariables: {
ENVIRONMENT: 'dev',
LOG_LEVEL: 'INFO'
},
authorizerConfiguration: {
customJwtAuthorizer: {
discoveryUrl: 'https://cognito-idp.region.amazonaws.com/pool/.well-known/openid-configuration',
allowedAudience: ['client-id']
}
},
runtimeEndpoint: {
name: 'my_runtime_endpoint',
description: 'Runtime endpoint for invocation'
},
naming: naming,
roleHelper: roleHelper
});
Configuration Options
Runtime Properties
agentRuntimeName: Name of the runtime (required)description: Optional descriptionagentRuntimeArtifact: Container configuration (required)networkConfiguration: VPC network configuration (required)environmentVariables: Environment variables for the containerlifecycleConfiguration: Session timeout and lifetime settingsauthorizerConfiguration: JWT authorizer configurationrequestHeaderConfiguration: HTTP header forwarding configurationruntimeEndpoint: Endpoint configuration for runtime invocation
Container Configuration
containerUri: Pre-built ECR image URIcodePath: Local directory path for building Docker imageplatform: Target platform (linux/arm64 or linux/amd64)
Network Configuration
securityGroups: Array of security group IDs (1-16 items, required)subnets: Array of subnet IDs (1-16 items, required)
Note: All runtimes are deployed in VPC mode for security. The network mode is automatically set to VPC.
JWT Authorizer
discoveryUrl: OIDC discovery URL (required)allowedAudience: Array of allowed audience valuesallowedClients: Array of allowed client IDs
Lifecycle Configuration
idleRuntimeSessionTimeout: Idle timeout in seconds (60-28800)maxLifetime: Maximum lifetime in seconds (60-28800)
IAM Permissions
The construct automatically creates IAM roles with permissions for: - ECR image access (GetAuthorizationToken, BatchGetImage, GetDownloadUrlForLayer) - CloudWatch Logs (CreateLogGroup, CreateLogStream, PutLogEvents) - X-Ray tracing (PutTraceSegments, PutTelemetryRecords) - CloudWatch Metrics (PutMetricData for bedrock-agentcore namespace) - Bedrock AgentCore workload identity tokens - Bedrock model invocation
SSM Parameters
The construct stores the following information in SSM Parameter Store:
- Runtime ARN: /mdaa/{env}/{runtime-name}-arn
- Runtime ID: /mdaa/{env}/{runtime-name}-id
- Runtime Name: /mdaa/{env}/{runtime-name}-name
- Endpoint ARN: /mdaa/{env}/{runtime-name}-endpoint-arn (if endpoint configured)
- Endpoint ID: /mdaa/{env}/{runtime-name}-endpoint-id (if endpoint configured)
Dependencies
@aws-mdaa/iam-constructs@aws-mdaa/iam-role-helper@aws-mdaa/kms-constructs@aws-mdaa/l3-constructaws-cdk-libconstructs