Skip to content

New pattern - agentcore-gateway-lambda-cdk#3085

Open
NithinChandranR-AWS wants to merge 2 commits into
aws-samples:mainfrom
NithinChandranR-AWS:NithinChandranR-AWS-feature-agentcore-gateway-lambda-cdk
Open

New pattern - agentcore-gateway-lambda-cdk#3085
NithinChandranR-AWS wants to merge 2 commits into
aws-samples:mainfrom
NithinChandranR-AWS:NithinChandranR-AWS-feature-agentcore-gateway-lambda-cdk

Conversation

@NithinChandranR-AWS
Copy link
Copy Markdown
Contributor

@NithinChandranR-AWS NithinChandranR-AWS commented Apr 30, 2026

Description

Deploy an Amazon Bedrock AgentCore Gateway with Lambda tool targets, exposing tools via the MCP protocol with IAM authentication.

Changes

  • lib/agentcore-gateway-lambda-stack.ts — CDK stack: AgentCore Gateway + Lambda tool target with MCP protocol
  • src/index.js — Lambda handler with input validation and error sanitization
  • README.md — Architecture, deployment steps, and testing instructions (tools/list + tools/call)
  • example-pattern.json — Pattern metadata with services field

Testing

  • cdk synth — clean, 7 resources
  • Deployed to AWS account, tested tools/list and tools/call via MCP
  • Input validation: 100-char limit, regex sanitization, required field checks
  • IAM: least-privilege, grantInvoke scoped to specific Lambda

@NithinChandranR-AWS
feat(bedrock-agent-openai-cdk): Add Bedrock Agent with OpenAI GPT OSS…
e7edf4c 
… pattern

Deploy an Amazon Bedrock Agent powered by OpenAI GPT OSS model with
a Lambda action group for tool use (weather + time). First pattern
combining Bedrock Agents with OpenAI models on Bedrock.
@NithinChandranR-AWS
feat(agentcore-gateway-lambda-cdk): Add AgentCore Gateway with Lambda…
40c6399 
… tools pattern

Deploy an AgentCore Gateway exposing Lambda functions as MCP tools.
First CDK pattern for AgentCore Gateway with Lambda tool targets,
inline tool schemas, and IAM authentication.
@NithinChandranR-AWS
Copy link
Copy Markdown
Contributor Author

NithinChandranR-AWS commented Apr 30, 2026

Hi @biswanathmukherjee 👋 Friendly nudge — this pattern is ready for review. Deployed and tested end-to-end on a live AWS account. Would appreciate a look when you have time. Thank you!

@NithinChandranR-AWS
Copy link
Copy Markdown
Contributor Author

NithinChandranR-AWS commented May 8, 2026

Hi @biswanathmukherjee 👋 This is the first AgentCore Gateway pattern — a brand new service (Spring 2026) exposing Lambda tools via MCP protocol with IAM auth. Zero existing patterns for this service. Deployed and tested.

parikhudit
parikhudit reviewed May 24, 2026
View reviewed changes
Comment thread agentcore-gateway-lambda-cdk/lib/agentcore-gateway-lambda-stack.ts
Comment on lines +22 to +26
const gatewayRole = new iam.Role(this, "GatewayRole", {
assumedBy: new iam.ServicePrincipal("bedrock-agentcore.amazonaws.com"),
description: "Role for AgentCore Gateway to invoke Lambda tools",
});
toolFn.grantInvoke(gatewayRole);
Copy link
Copy Markdown
Contributor

@parikhudit parikhudit May 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trust policy missing aws:SourceAccount / aws:SourceArn conditions (confused-deputy risk)

The Gateway service role is assumed by bedrock-agentcore.amazonaws.com with no Condition block. AWS docs explicitly recommend restricting this trust policy with aws:SourceAccount and aws:SourceArn to prevent another customer's gateway from being able to assume this role.

https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-prerequisites-permissions.html#gateway-service-role-permissions-trust

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@parikhudit parikhudit parikhudit left review comments

Assignees

@parikhudit parikhudit

@julianwood julianwood

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@NithinChandranR-AWS @parikhudit @julianwood