akeyless-agentcore-runtime 0.2.0__py3-none-any.whl
- akeyless_agentcore/__init__.py +17 -0
- akeyless_agentcore/auth.py +134 -0
- akeyless_agentcore/cache.py +40 -0
- akeyless_agentcore/client.py +363 -0
- akeyless_agentcore/config.py +168 -0
- akeyless_agentcore/paths.py +79 -0
- akeyless_agentcore/tools/__init__.py +31 -0
- akeyless_agentcore/tools/gateway.py +103 -0
- akeyless_agentcore/tools/mcp.py +70 -0
- akeyless_agentcore/tools/service.py +144 -0
- akeyless_agentcore/tools/strands.py +44 -0
- akeyless_agentcore_runtime-0.2.0.dist-info/METADATA +257 -0
- akeyless_agentcore_runtime-0.2.0.dist-info/RECORD +16 -0
- akeyless_agentcore_runtime-0.2.0.dist-info/WHEEL +4 -0
- akeyless_agentcore_runtime-0.2.0.dist-info/entry_points.txt +2 -0
- akeyless_agentcore_runtime-0.2.0.dist-info/licenses/LICENSE +19 -0
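--- a/akeyless_agentcore_runtime-0.2.0.dist-info/METADATA
+++ b/akeyless_agentcore_runtime-0.2.0.dist-info/METADATA
@@ -0,0 +1,257 @@
+Metadata-Version: 2.4
+Name: akeyless-agentcore-runtime
+Version: 0.2.0
+Summary: Fetch Akeyless secrets at runtime on AWS Bedrock AgentCore using cloud identity authentication
+Project-URL: Homepage, https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime
+Project-URL: Repository, https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime
+Author: Akeyless Community
+License-Expression: Apache-2.0
+License-File: LICENSE
+Keywords: agentcore,akeyless,aws,bedrock,runtime,secrets
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Requires-Dist: akeyless-cloud-id>=0.3.1
+Requires-Dist: akeyless>=5.0.0
+Provides-Extra: all
+Requires-Dist: bedrock-agentcore-starter-toolkit>=0.1.0; extra == 'all'
+Requires-Dist: mcp>=1.9.0; extra == 'all'
+Requires-Dist: strands-agents>=0.1.0; extra == 'all'
+Provides-Extra: dev
+Requires-Dist: pytest-cov>=5.0.0; extra == 'dev'
+Requires-Dist: pytest>=8.0.0; extra == 'dev'
+Provides-Extra: gateway
+Requires-Dist: bedrock-agentcore-starter-toolkit>=0.1.0; extra == 'gateway'
+Provides-Extra: mcp
+Requires-Dist: mcp>=1.9.0; extra == 'mcp'
+Provides-Extra: strands
+Requires-Dist: strands-agents>=0.1.0; extra == 'strands'
+Description-Content-Type: text/markdown
+
+# akeyless-agentcore-runtime
+
+Fetch [Akeyless](https://www.akeyless.io) secrets at **runtime** on [AWS Bedrock AgentCore](https://aws.amazon.com/bedrock/agentcore/). Authenticate with **cloud identity** (AWS IAM) — no long-lived API keys in your agent deployment. Application secrets stay in Akeyless, not AWS Secrets Manager.
+
+**Repository:** [github.com/akeyless-community/bedrock-agentcore-akeyless-runtime](https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime)
+
+## Documentation
+
+| Guide | Description |
+|-------|-------------|
+| **[Installation](docs/INSTALL.md)** | **pip install — no git clone required** |
+| [Akeyless setup](docs/AKEYLESS_SETUP.md) | Auth method, RBAC, secret paths — do this first |
+| [Deployment patterns](docs/DEPLOYMENT.md) | In-agent fetch, hybrid, MCP server, Gateway Lambda |
+| [Examples](examples/README.md) | Runnable sample agents |
+| [Security](SECURITY.md) | Production checklist and reporting |
+| [Contributing](CONTRIBUTING.md) | Development setup and PR guidelines |
+
+## Why this integration?
+
+| Concern | AWS default pattern | This integration |
+|---------|--------------------|------------------|
+| **Authentication to secrets platform** | IAM role → Secrets Manager | IAM role → Akeyless (AWS IAM auth method) |
+| **Secret storage** | AWS Secrets Manager | Akeyless (static, dynamic, rotated) |
+| **Bootstrap credentials** | None (IAM only) | Only `AKEYLESS_ACCESS_ID` (no secret key) |
+| **Rotation & governance** | Secrets Manager policies | Akeyless RBAC, rotation, audit |
+
+AgentCore Runtime provides an IAM execution role with ambient AWS credentials. This library uses those credentials to generate an Akeyless **cloud ID** and authenticate — the same pattern used by EKS, Lambda, and other Akeyless integrations.
+
+## Install
+
+**No git clone needed.** Add to your agent project and install with pip.
+
+### From PyPI (when published)
+
+```bash
+pip install akeyless-agentcore-runtime
+```
+
+### From GitHub (available now)
+
+```bash
+pip install "akeyless-agentcore-runtime @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
+```
+
+Add to your AgentCore `requirements.txt`:
+
+```text
+akeyless-agentcore-runtime @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0
+bedrock-agentcore>=0.1.0
+```
+
+Full install guide (extras, MCP CLI, verification): **[docs/INSTALL.md](docs/INSTALL.md)**
+
+Optional extras:
+
+```bash
+pip install "akeyless-agentcore-runtime[strands] @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
+pip install "akeyless-agentcore-runtime[mcp] @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
+pip install "akeyless-agentcore-runtime[gateway] @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
+pip install "akeyless-agentcore-runtime[all] @ git+https://github.com/akeyless-community/bedrock-agentcore-akeyless-runtime.git@v0.2.0"
+```
+
+Requires **Python 3.10+**.
+
+## Quick start
+
+### 1. Configure Akeyless
+
+Follow the full guide: **[docs/AKEYLESS_SETUP.md](docs/AKEYLESS_SETUP.md)**
+
+Summary:
+
+1. Create an **AWS IAM Auth Method** bound to your AgentCore execution role ARN
+2. Grant read/list on `/bedrock-agentcore/<agent>/<env>/*`
+3. Store secrets in Akeyless (not in AgentCore env vars)
+
+### 2. Set bootstrap env vars on AgentCore
+
+Configure only auth + path prefix — **not** application secrets:
+
+| Variable | Required | Example |
+|----------|----------|---------|
+| `AKEYLESS_ACCESS_ID` | Yes | `p-xxxxx` |
+| `AKEYLESS_ACCESS_TYPE` | No (default: `aws_iam`) | `aws_iam` |
+| `AKEYLESS_SECRET_PREFIX` | Recommended | `/bedrock-agentcore/my-agent/production` |
+| `AKEYLESS_GATEWAY_URL` | No | `https://api.akeyless.io` |
+| `AGENTCORE_AGENT_NAME` | No | `my-agent` |
+
+### 3. Fetch a secret in your agent
+
+```python
+from akeyless_agentcore import get_secret_sync
+
+api_key = get_secret_sync("OPENAI_API_KEY")
+```
+
+### 4. Deploy
+
+```bash
+pip install akeyless-agentcore-runtime bedrock-agentcore
+agentcore deploy
+```
+
+See [examples/strands-agent/](examples/strands-agent/) for a complete agent.
+
+## In-agent fetch vs AgentCore tools
+
+Use **both** in production — they solve different problems:
+
+| Pattern | When to use | Example |
+|---------|-------------|---------|
+| **In-agent fetch** | Bootstrap secrets on every invocation; no tool-call overhead | Model API key at cold start |
+| **AgentCore tools** | Agent decides which secret to fetch; shared across agents | `get_akeyless_secret("DATABASE_URL")` on demand |
+| **Hybrid (recommended)** | Bootstrap + on-demand | [examples/hybrid-agent/](examples/hybrid-agent/) |
+
+```python
+from akeyless_agentcore import get_secret_sync
+from akeyless_agentcore.tools.strands import create_strands_tools
+
+api_key = get_secret_sync("OPENAI_API_KEY") # bootstrap
+agent = Agent(model=model, tools=create_strands_tools()) # on-demand
+```
+
+### Tool deployment options
+
+| Deployment | Install extra | Use case |
+|------------|---------------|----------|
+| In-process Strands tools | `[strands]` | Tools in the same agent process |
+| MCP server on AgentCore Runtime | `[mcp]` | Dedicated secrets MCP endpoint |
+| Gateway Lambda target | `[gateway]` | Shared tools via AgentCore Gateway |
+
+| Tool | Returns values? | Description |
+|------|----------------|-------------|
+| `list_akeyless_secrets` | No | Discover secret names under a prefix |
+| `get_akeyless_secret` | Yes | Fetch static, dynamic, or rotated secret |
+
+Full details: **[docs/DEPLOYMENT.md](docs/DEPLOYMENT.md)**
+
+## API reference
+
+### Convenience functions
+
+```python
+from akeyless_agentcore import get_secret_sync, get_secret
+
+api_key = get_secret_sync("OPENAI_API_KEY")
+api_key = await get_secret("OPENAI_API_KEY") # async
+```
+
+### Client
+
+```python
+from akeyless_agentcore import AkeylessRuntimeClient
+
+client = AkeylessRuntimeClient(
+gateway_url="https://api.akeyless.io",
+secret_prefix="/bedrock-agentcore/my-agent/production",
+access_id="p-xxxxx",
+access_type="aws_iam",
+)
+
+client.get_secret_sync("OPENAI_API_KEY")
+client.get_secret_json_sync("APP_CONFIG")
+client.get_dynamic_secret_sync("aws-creds")
+client.get_rotated_secret_sync("api-key")
+client.list_secrets_sync()
+```
+
+## Authentication
+
+| Method | `AKEYLESS_ACCESS_TYPE` | Additional env |
+|--------|------------------------|----------------|
+| **AWS IAM (recommended)** | `aws_iam` | `AKEYLESS_ACCESS_ID` |
+| Access key | `access_key` | `AKEYLESS_ACCESS_ID`, `AKEYLESS_ACCESS_KEY` |
+| API key | `api_key` | `AKEYLESS_ACCESS_ID`, `AKEYLESS_ACCESS_KEY` |
+| Universal Identity | `universal_identity` | `AKEYLESS_UID_TOKEN` |
+| JWT | `jwt` | `AKEYLESS_ACCESS_ID`, `AKEYLESS_JWT` |
+| Pre-authenticated | — | `AKEYLESS_TOKEN` |
+
+## Architecture
+
+```mermaid
+sequenceDiagram
+participant Agent as AgentCore Runtime
+participant Lib as akeyless-agentcore-runtime
+participant AWS as AWS STS/IAM
+participant AKL as Akeyless Gateway
+
+Agent->>Lib: get_secret_sync("OPENAI_API_KEY")
+Lib->>AWS: Generate cloud ID (SigV4 GetCallerIdentity)
+AWS-->>Lib: Signed identity proof
+Lib->>AKL: POST /auth (access_id, aws_iam, cloud_id)
+AKL-->>Lib: Session token
+Lib->>AKL: GET /get-secret-value
+AKL-->>Lib: Secret value
+Lib-->>Agent: OPENAI_API_KEY
+```
+
+## Local development
+
+```bash
+cp .env.example .env # edit with your test credentials — never commit .env
+
+export AKEYLESS_ACCESS_ID=p-xxxxx
+export AKEYLESS_ACCESS_TYPE=access_key
+export AKEYLESS_ACCESS_KEY=your-readonly-key
+export AKEYLESS_SECRET_PREFIX=/bedrock-agentcore/my-agent/dev
+
+python3 -c "from akeyless_agentcore import get_secret_sync; print(get_secret_sync('OPENAI_API_KEY')[:8] + '...')"
+```
+
+## Related community projects
+
+- [netlify-akeyless-runtime](https://github.com/akeyless-community/netlify-runtime) — Netlify Functions
+- [fly-akeyless-runtime](https://github.com/akeyless-community/fly-runtime) — Fly.io Machines
+- [vercel-akeyless-runtime](https://github.com/akeyless-community/vercel-runtime) — Vercel serverless
+- [heroku-akeyless-runtime](https://github.com/akeyless-community/heroku-runtime) — Heroku dynos
+
+## License
+
+Apache-2.0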
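--- a/akeyless_agentcore_runtime-0.2.0.dist-info/RECORD
+++ b/akeyless_agentcore_runtime-0.2.0.dist-info/RECORD
@@ -0,0 +1,16 @@
+akeyless_agentcore/__init__.py,sha256=f9TotZfj5jpbzLPkfCEtgGx1Llg_UEwDLsO1vHcfaww,331
+akeyless_agentcore/auth.py,sha256=mO3LsRu0k2s34RibheFtlDue1K8gdpo8moaXLQAaZYo,4188
+akeyless_agentcore/cache.py,sha256=mGmNKOqHD-XjAG57QH72E7jvbNb0PSW48OdXl-Ogvt8,1098
+akeyless_agentcore/client.py,sha256=KOplX6gfz75RIMvvjxbOYghekTx6kAuZWYnmClbIrnU,11327
+akeyless_agentcore/config.py,sha256=p5ZIXMMzJLaybouWyEX6vlOXClIIS6g4CoBfus0G7tk,5574
+akeyless_agentcore/paths.py,sha256=LmP-XiPTUPzc4o-S_AZawT_pdQy5TeXVdg1e8TKVV_E,2216
+akeyless_agentcore/tools/__init__.py,sha256=hkfgoB1oUFDRulEUYTFZ7gV1V2LcOQj0ZNB3dB1UeSs,1098
+akeyless_agentcore/tools/gateway.py,sha256=Iq_63ikmlLPMNdS8gnIVPZ-aZR3bc-VVrWtes15cyZo,4114
+akeyless_agentcore/tools/mcp.py,sha256=mTCWCvx1glfsOvnohXKjZhoZ7TOm2Nqqs-mKFT3_IGU,2507
+akeyless_agentcore/tools/service.py,sha256=Olpevh5CawYV7wMS9STYoaBDhbu_EVVp2jv7_GsHQ5A,4514
+akeyless_agentcore/tools/strands.py,sha256=6_n1KMlepMHH5sTFwBm4g6S2k-kKquIuBZYFn9ewz88,1513
+akeyless_agentcore_runtime-0.2.0.dist-info/METADATA,sha256=P-v3kbyHLoacQ-XzCLNpD7SmGl2cVBey2QhtdpOym-Q,9784
+akeyless_agentcore_runtime-0.2.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+akeyless_agentcore_runtime-0.2.0.dist-info/entry_points.txt,sha256=za1BxweigFdMPYyxJU-cYVBzOx0xlrM0W-yYx2_k3Z4,87
+akeyless_agentcore_runtime-0.2.0.dist-info/licenses/LICENSE,sha256=jybSB_OL0Oup6eCAX9JlK7O3TeZ33GlftcyD7Ym8APM,812
+akeyless_agentcore_runtime-0.2.0.dist-info/RECORD,,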
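--- a/akeyless_agentcore_runtime-0.2.0.dist-info/licenses/LICENSE
+++ b/akeyless_agentcore_runtime-0.2.0.dist-info/licenses/LICENSE
@@ -0,0 +1,19 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+Copyright 2026 Akeyless Community
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.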