akeyless-agentcore-runtime 0.2.0__py3-none-any.whl

@@ -0,0 +1,257 @@
1
+ Metadata-Version: 2.4
2
+ Name: akeyless-agentcore-runtime
3
+ Version: 0.2.0
4
+ Summary: Fetch Akeyless secrets at runtime on AWS Bedrock AgentCore using cloud identity authentication
5
+ Project-URL: Homepage, https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime
6
+ Project-URL: Repository, https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime
7
+ Author: Akeyless Community
8
+ License-Expression: Apache-2.0
9
+ License-File: LICENSE
10
+ Keywords: agentcore,akeyless,aws,bedrock,runtime,secrets
11
+ Classifier: Development Status :: 4 - Beta
12
+ Classifier: Intended Audience :: Developers
13
+ Classifier: License :: OSI Approved :: Apache Software License
14
+ Classifier: Programming Language :: Python :: 3
15
+ Classifier: Programming Language :: Python :: 3.10
16
+ Classifier: Programming Language :: Python :: 3.11
17
+ Classifier: Programming Language :: Python :: 3.12
18
+ Classifier: Topic :: Security
19
+ Requires-Python: >=3.10
20
+ Requires-Dist: akeyless-cloud-id>=0.3.1
21
+ Requires-Dist: akeyless>=5.0.0
22
+ Provides-Extra: all
23
+ Requires-Dist: bedrock-agentcore-starter-toolkit>=0.1.0; extra == 'all'
24
+ Requires-Dist: mcp>=1.9.0; extra == 'all'
25
+ Requires-Dist: strands-agents>=0.1.0; extra == 'all'
26
+ Provides-Extra: dev
27
+ Requires-Dist: pytest-cov>=5.0.0; extra == 'dev'
28
+ Requires-Dist: pytest>=8.0.0; extra == 'dev'
29
+ Provides-Extra: gateway
30
+ Requires-Dist: bedrock-agentcore-starter-toolkit>=0.1.0; extra == 'gateway'
31
+ Provides-Extra: mcp
32
+ Requires-Dist: mcp>=1.9.0; extra == 'mcp'
33
+ Provides-Extra: strands
34
+ Requires-Dist: strands-agents>=0.1.0; extra == 'strands'
35
+ Description-Content-Type: text/markdown
36
+
37
+ # akeyless-agentcore-runtime
38
+
39
+ Fetch [Akeyless](https://www.akeyless.io) secrets at **runtime** on [AWS Bedrock AgentCore](https://aws.amazon.com/bedrock/agentcore/). Authenticate with **cloud identity** (AWS IAM) — no long-lived API keys in your agent deployment. Application secrets stay in Akeyless, not AWS Secrets Manager.
40
+
41
+ **Repository:** [github.com/akeyless-community/bedrock-agentcore-akeyless-runtime](https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime)
42
+
43
+ ## Documentation
44
+
45
+ | Guide | Description |
46
+ |-------|-------------|
47
+ | **[Installation](docs/INSTALL.md)** | **pip install — no git clone required** |
48
+ | [Akeyless setup](docs/AKEYLESS_SETUP.md) | Auth method, RBAC, secret paths — do this first |
49
+ | [Deployment patterns](docs/DEPLOYMENT.md) | In-agent fetch, hybrid, MCP server, Gateway Lambda |
50
+ | [Examples](examples/README.md) | Runnable sample agents |
51
+ | [Security](SECURITY.md) | Production checklist and reporting |
52
+ | [Contributing](CONTRIBUTING.md) | Development setup and PR guidelines |
53
+
54
+ ## Why this integration?
55
+
56
+ | Concern | AWS default pattern | This integration |
57
+ |---------|--------------------|------------------|
58
+ | **Authentication to secrets platform** | IAM role → Secrets Manager | IAM role → Akeyless (AWS IAM auth method) |
59
+ | **Secret storage** | AWS Secrets Manager | Akeyless (static, dynamic, rotated) |
60
+ | **Bootstrap credentials** | None (IAM only) | Only `AKEYLESS_ACCESS_ID` (no secret key) |
61
+ | **Rotation & governance** | Secrets Manager policies | Akeyless RBAC, rotation, audit |
62
+
63
+ AgentCore Runtime provides an IAM execution role with ambient AWS credentials. This library uses those credentials to generate an Akeyless **cloud ID** and authenticate — the same pattern used by EKS, Lambda, and other Akeyless integrations.
64
+
65
+ ## Install
66
+
67
+ **No git clone needed.** Add to your agent project and install with pip.
68
+
69
+ ### From PyPI (when published)
70
+
71
+ ```bash
72
+ pip install akeyless-agentcore-runtime
73
+ ```
74
+
75
+ ### From GitHub (available now)
76
+
77
+ ```bash
78
+ pip install "akeyless-agentcore-runtime @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
79
+ ```
80
+
81
+ Add to your AgentCore `requirements.txt`:
82
+
83
+ ```text
84
+ akeyless-agentcore-runtime @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0
85
+ bedrock-agentcore>=0.1.0
86
+ ```
87
+
88
+ Full install guide (extras, MCP CLI, verification): **[docs/INSTALL.md](docs/INSTALL.md)**
89
+
90
+ Optional extras:
91
+
92
+ ```bash
93
+ pip install "akeyless-agentcore-runtime[strands] @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
94
+ pip install "akeyless-agentcore-runtime[mcp] @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
95
+ pip install "akeyless-agentcore-runtime[gateway] @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
96
+ pip install "akeyless-agentcore-runtime[all] @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
97
+ ```
98
+
99
+ Requires **Python 3.10+**.
100
+
101
+ ## Quick start
102
+
103
+ ### 1. Configure Akeyless
104
+
105
+ Follow the full guide: **[docs/AKEYLESS_SETUP.md](docs/AKEYLESS_SETUP.md)**
106
+
107
+ Summary:
108
+
109
+ 1. Create an **AWS IAM Auth Method** bound to your AgentCore execution role ARN
110
+ 2. Grant read/list on `/bedrock-agentcore/<agent>/<env>/*`
111
+ 3. Store secrets in Akeyless (not in AgentCore env vars)
112
+
113
+ ### 2. Set bootstrap env vars on AgentCore
114
+
115
+ Configure only auth + path prefix — **not** application secrets:
116
+
117
+ | Variable | Required | Example |
118
+ |----------|----------|---------|
119
+ | `AKEYLESS_ACCESS_ID` | Yes | `p-xxxxx` |
120
+ | `AKEYLESS_ACCESS_TYPE` | No (default: `aws_iam`) | `aws_iam` |
121
+ | `AKEYLESS_SECRET_PREFIX` | Recommended | `/bedrock-agentcore/my-agent/production` |
122
+ | `AKEYLESS_GATEWAY_URL` | No | `https://api.akeyless.io` |
123
+ | `AGENTCORE_AGENT_NAME` | No | `my-agent` |
124
+
125
+ ### 3. Fetch a secret in your agent
126
+
127
+ ```python
128
+ from akeyless_agentcore import get_secret_sync
129
+
130
+ api_key = get_secret_sync("OPENAI_API_KEY")
131
+ ```
132
+
133
+ ### 4. Deploy
134
+
135
+ ```bash
136
+ pip install akeyless-agentcore-runtime bedrock-agentcore
137
+ agentcore deploy
138
+ ```
139
+
140
+ See [examples/strands-agent/](examples/strands-agent/) for a complete agent.
141
+
142
+ ## In-agent fetch vs AgentCore tools
143
+
144
+ Use **both** in production — they solve different problems:
145
+
146
+ | Pattern | When to use | Example |
147
+ |---------|-------------|---------|
148
+ | **In-agent fetch** | Bootstrap secrets on every invocation; no tool-call overhead | Model API key at cold start |
149
+ | **AgentCore tools** | Agent decides which secret to fetch; shared across agents | `get_akeyless_secret("DATABASE_URL")` on demand |
150
+ | **Hybrid (recommended)** | Bootstrap + on-demand | [examples/hybrid-agent/](examples/hybrid-agent/) |
151
+
152
+ ```python
153
+ from akeyless_agentcore import get_secret_sync
154
+ from akeyless_agentcore.tools.strands import create_strands_tools
155
+
156
+ api_key = get_secret_sync("OPENAI_API_KEY") # bootstrap
157
+ agent = Agent(model=model, tools=create_strands_tools()) # on-demand
158
+ ```
159
+
160
+ ### Tool deployment options
161
+
162
+ | Deployment | Install extra | Use case |
163
+ |------------|---------------|----------|
164
+ | In-process Strands tools | `[strands]` | Tools in the same agent process |
165
+ | MCP server on AgentCore Runtime | `[mcp]` | Dedicated secrets MCP endpoint |
166
+ | Gateway Lambda target | `[gateway]` | Shared tools via AgentCore Gateway |
167
+
168
+ | Tool | Returns values? | Description |
169
+ |------|----------------|-------------|
170
+ | `list_akeyless_secrets` | No | Discover secret names under a prefix |
171
+ | `get_akeyless_secret` | Yes | Fetch static, dynamic, or rotated secret |
172
+
173
+ Full details: **[docs/DEPLOYMENT.md](docs/DEPLOYMENT.md)**
174
+
175
+ ## API reference
176
+
177
+ ### Convenience functions
178
+
179
+ ```python
180
+ from akeyless_agentcore import get_secret_sync, get_secret
181
+
182
+ api_key = get_secret_sync("OPENAI_API_KEY")
183
+ api_key = await get_secret("OPENAI_API_KEY") # async
184
+ ```
185
+
186
+ ### Client
187
+
188
+ ```python
189
+ from akeyless_agentcore import AkeylessRuntimeClient
190
+
191
+ client = AkeylessRuntimeClient(
192
+ gateway_url="https://api.akeyless.io",
193
+ secret_prefix="/bedrock-agentcore/my-agent/production",
194
+ access_id="p-xxxxx",
195
+ access_type="aws_iam",
196
+ )
197
+
198
+ client.get_secret_sync("OPENAI_API_KEY")
199
+ client.get_secret_json_sync("APP_CONFIG")
200
+ client.get_dynamic_secret_sync("aws-creds")
201
+ client.get_rotated_secret_sync("api-key")
202
+ client.list_secrets_sync()
203
+ ```
204
+
205
+ ## Authentication
206
+
207
+ | Method | `AKEYLESS_ACCESS_TYPE` | Additional env |
208
+ |--------|------------------------|----------------|
209
+ | **AWS IAM (recommended)** | `aws_iam` | `AKEYLESS_ACCESS_ID` |
210
+ | Access key | `access_key` | `AKEYLESS_ACCESS_ID`, `AKEYLESS_ACCESS_KEY` |
211
+ | API key | `api_key` | `AKEYLESS_ACCESS_ID`, `AKEYLESS_ACCESS_KEY` |
212
+ | Universal Identity | `universal_identity` | `AKEYLESS_UID_TOKEN` |
213
+ | JWT | `jwt` | `AKEYLESS_ACCESS_ID`, `AKEYLESS_JWT` |
214
+ | Pre-authenticated | — | `AKEYLESS_TOKEN` |
215
+
216
+ ## Architecture
217
+
218
+ ```mermaid
219
+ sequenceDiagram
220
+ participant Agent as AgentCore Runtime
221
+ participant Lib as akeyless-agentcore-runtime
222
+ participant AWS as AWS STS/IAM
223
+ participant AKL as Akeyless Gateway
224
+
225
+ Agent->>Lib: get_secret_sync("OPENAI_API_KEY")
226
+ Lib->>AWS: Generate cloud ID (SigV4 GetCallerIdentity)
227
+ AWS-->>Lib: Signed identity proof
228
+ Lib->>AKL: POST /auth (access_id, aws_iam, cloud_id)
229
+ AKL-->>Lib: Session token
230
+ Lib->>AKL: GET /get-secret-value
231
+ AKL-->>Lib: Secret value
232
+ Lib-->>Agent: OPENAI_API_KEY
233
+ ```
234
+
235
+ ## Local development
236
+
237
+ ```bash
238
+ cp .env.example .env # edit with your test credentials — never commit .env
239
+
240
+ export AKEYLESS_ACCESS_ID=p-xxxxx
241
+ export AKEYLESS_ACCESS_TYPE=access_key
242
+ export AKEYLESS_ACCESS_KEY=your-readonly-key
243
+ export AKEYLESS_SECRET_PREFIX=/bedrock-agentcore/my-agent/dev
244
+
245
+ python3 -c "from akeyless_agentcore import get_secret_sync; print(get_secret_sync('OPENAI_API_KEY')[:8] + '...')"
246
+ ```
247
+
248
+ ## Related community projects
249
+
250
+ - [netlify-akeyless-runtime](https://github.com/akeyless-community/netlify-runtime) — Netlify Functions
251
+ - [fly-akeyless-runtime](https://github.com/akeyless-community/fly-runtime) — Fly.io Machines
252
+ - [vercel-akeyless-runtime](https://github.com/akeyless-community/vercel-runtime) — Vercel serverless
253
+ - [heroku-akeyless-runtime](https://github.com/akeyless-community/heroku-runtime) — Heroku dynos
254
+
255
+ ## License
256
+
257
+ Apache-2.0
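Review bot: The Local development one-liner near the end of the README prints the first eight characters of the fetched secret (`print(get_secret_sync('OPENAI_API_KEY')[:8] + '...')`), which leaves part of a live credential in terminal scrollback and in any captured output. Suggest printing only a success indicator or the value's length. Separately, the Deploy step runs `pip install akeyless-agentcore-runtime` from the index while the Install section labels PyPI "(when published)" and the `requirements.txt` example pins to the `@v0.2.0` git tag; the two should use the same source, and since a tag can be moved, the git reference would be safer as a full commit SHA. The hybrid snippet also uses `Agent` and `model` without importing or defining them.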
@@ -0,0 +1,16 @@
1
+ akeyless_agentcore/__init__.py,sha256=f9TotZfj5jpbzLPkfCEtgGx1Llg_UEwDLsO1vHcfaww,331
2
+ akeyless_agentcore/auth.py,sha256=mO3LsRu0k2s34RibheFtlDue1K8gdpo8moaXLQAaZYo,4188
3
+ akeyless_agentcore/cache.py,sha256=mGmNKOqHD-XjAG57QH72E7jvbNb0PSW48OdXl-Ogvt8,1098
4
+ akeyless_agentcore/client.py,sha256=KOplX6gfz75RIMvvjxbOYghekTx6kAuZWYnmClbIrnU,11327
5
+ akeyless_agentcore/config.py,sha256=p5ZIXMMzJLaybouWyEX6vlOXClIIS6g4CoBfus0G7tk,5574
6
+ akeyless_agentcore/paths.py,sha256=LmP-XiPTUPzc4o-S_AZawT_pdQy5TeXVdg1e8TKVV_E,2216
7
+ akeyless_agentcore/tools/__init__.py,sha256=hkfgoB1oUFDRulEUYTFZ7gV1V2LcOQj0ZNB3dB1UeSs,1098
8
+ akeyless_agentcore/tools/gateway.py,sha256=Iq_63ikmlLPMNdS8gnIVPZ-aZR3bc-VVrWtes15cyZo,4114
9
+ akeyless_agentcore/tools/mcp.py,sha256=mTCWCvx1glfsOvnohXKjZhoZ7TOm2Nqqs-mKFT3_IGU,2507
10
+ akeyless_agentcore/tools/service.py,sha256=Olpevh5CawYV7wMS9STYoaBDhbu_EVVp2jv7_GsHQ5A,4514
11
+ akeyless_agentcore/tools/strands.py,sha256=6_n1KMlepMHH5sTFwBm4g6S2k-kKquIuBZYFn9ewz88,1513
12
+ akeyless_agentcore_runtime-0.2.0.dist-info/METADATA,sha256=P-v3kbyHLoacQ-XzCLNpD7SmGl2cVBey2QhtdpOym-Q,9784
13
+ akeyless_agentcore_runtime-0.2.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
14
+ akeyless_agentcore_runtime-0.2.0.dist-info/entry_points.txt,sha256=za1BxweigFdMPYyxJU-cYVBzOx0xlrM0W-yYx2_k3Z4,87
15
+ akeyless_agentcore_runtime-0.2.0.dist-info/licenses/LICENSE,sha256=jybSB_OL0Oup6eCAX9JlK7O3TeZ33GlftcyD7Ym8APM,812
16
+ akeyless_agentcore_runtime-0.2.0.dist-info/RECORD,,
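Review bot: RECORD lists only the `akeyless_agentcore/` modules and the dist-info files, so the relative links in the METADATA README (`docs/INSTALL.md`, `docs/AKEYLESS_SETUP.md`, `SECURITY.md`, `examples/`) point at files that are not shipped in the wheel; absolute repository URLs would keep them reachable for anyone reading the packaged description. RECORD also shows `akeyless_agentcore/cache.py`, yet the README never mentions caching: please document what is cached and for how long, because a cache lifetime matters for the dynamic and rotated secrets the README advertises.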
@@ -0,0 +1,4 @@
1
+ Wheel-Version: 1.0
2
+ Generator: hatchling 1.30.1
3
+ Root-Is-Purelib: true
4
+ Tag: py3-none-any
@@ -0,0 +1,2 @@
1
+ [console_scripts]
2
+ akeyless-agentcore-mcp = akeyless_agentcore.tools.mcp:run_mcp_server
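Review bot: The `akeyless-agentcore-mcp` console script is registered for every install, but METADATA declares `mcp>=1.9.0` only under the `mcp` extra, so unless `run_mcp_server` guards its import a base install gets a command that fails with an ImportError. Suggest catching the missing dependency in `akeyless_agentcore.tools.mcp` and exiting with a message that names the `[mcp]` extra, and stating in the README that the command requires it.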
@@ -0,0 +1,19 @@
1
+ Apache License
2
+ Version 2.0, January 2004
3
+ http://www.apache.org/licenses/
4
+
5
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6
+
7
+ Copyright 2026 Akeyless Community
8
+
9
+ Licensed under the Apache License, Version 2.0 (the "License");
10
+ you may not use this file except in compliance with the License.
11
+ You may obtain a copy of the License at
12
+
13
+ http://www.apache.org/licenses/LICENSE-2.0
14
+
15
+ Unless required by applicable law or agreed to in writing, software
16
+ distributed under the License is distributed on an "AS IS" BASIS,
17
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18
+ See the License for the specific language governing permissions and
19
+ limitations under the License.
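Review bot: The LICENSE file has the "TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION" heading followed directly by the copyright line and the short "Licensed under the Apache License" notice, with none of the numbered terms in between (RECORD gives it as 812 bytes). METADATA declares `License-Expression: Apache-2.0` and `License-File: LICENSE`, so the file should carry the complete Apache 2.0 text, with the copyright notice kept in the appendix form or in a separate NOTICE file.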