Set up an AWS Bedrock AgentCore connector

Capabilities

The AWS Bedrock AgentCore connector syncs the following resources:

Resource	Sync	Provision
Agents
OAuth2 Credential Providers
API Key Credential Providers
Gateways
Gateway Targets

Agents: Non-human identities (NHIs) for AI agents (workload identities).
OAuth2 Credential Providers: OAuth2 client credentials stored in the Token Vault (GitHub, Slack, Google, etc.).
API Key Credential Providers: API key credentials stored in the Token Vault (Stripe, SendGrid, etc.).
Gateways: Proxies connecting agents to external tools. Each gateway has a “Gateway Access” entitlement showing which agent is associated.
Gateway Targets: External tool/API endpoints connected through a gateway (e.g., MCP servers). Each target has a “Target Access” entitlement derived from its parent gateway.

Actions

The connector exposes the following Baton actions:

provision_oauth_credential: Create or update an AgentCore OAuth2 credential provider (e.g. from a C1 Personal Client Credential) and point an existing gateway target at it.

Gather AWS credentials

To configure the AWS Bedrock AgentCore connector, you need an IAM user or role with bedrock-agentcore:* permissions. You can use the AWS managed policy BedrockAgentCoreFullAccess.Running the provision_oauth_credential action additionally requires bedrock-agentcore:CreateOauth2CredentialProvider, bedrock-agentcore:UpdateOauth2CredentialProvider, bedrock-agentcore:GetOauth2CredentialProvider, bedrock-agentcore:GetGatewayTarget, and bedrock-agentcore:UpdateGatewayTarget when scoping a policy below bedrock-agentcore:*. See the AWS service authorization reference for Bedrock AgentCore for the canonical action names.

Go to IAM > Users > select your user (or create a new one).

Attach the BedrockAgentCoreFullAccess managed policy (or create a custom policy with bedrock-agentcore:*).

Click Security Credentials > Create access key > choose Application running outside AWS.

Copy the Access Key ID and Secret Access Key.

Configure the AWS Bedrock AgentCore connector

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by C1.

In C1, navigate to Integrations > Connectors and click Add connector.

Search for AWS Bedrock AgentCore and click Add.

Choose how to set up the new connector:

Add the connector to a currently unmanaged app
Add the connector to a managed app
Create a new managed app

Set the owner for this connector.

Click Next.

Find the Settings area of the page and click Edit.

Enter the required configuration:

AWS Access Key ID: The IAM access key ID.
AWS Secret Access Key: The IAM secret access key.
AWS Region: The AWS region (defaults to us-east-1).
AWS Session Token: Optional, for temporary/SSO credentials.

Click Save.

The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

Done. Your AWS Bedrock AgentCore connector is now pulling access data into C1.

Follow these instructions to use the AWS Bedrock AgentCore connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.

Step 1: Set up a new connector

In C1, navigate to Integrations > Connectors > Add connector.

Search for Baton and click Add.

Choose how to set up the new connector.

Set the owner for this connector and click Next.

In the Settings area of the page, click Edit, then click Rotate to generate a new Client ID and Secret. Carefully copy and save these credentials.

Step 2: Create Kubernetes configuration files

Secrets configuration

# baton-aws-bedrock-agentcore-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-aws-bedrock-agentcore-secrets
type: Opaque
stringData:
  BATON_CLIENT_ID: <C1 client ID>
  BATON_CLIENT_SECRET: <C1 client secret>
  BATON_AWS_ACCESS_KEY_ID: <AWS Access Key ID>
  BATON_AWS_SECRET_ACCESS_KEY: <AWS Secret Access Key>
  BATON_AWS_REGION: us-east-1

Deployment configuration

# baton-aws-bedrock-agentcore.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-aws-bedrock-agentcore
  labels:
    app: baton-aws-bedrock-agentcore
spec:
  selector:
    matchLabels:
      app: baton-aws-bedrock-agentcore
  template:
    metadata:
      labels:
        app: baton-aws-bedrock-agentcore
        baton: "true"
        baton-app: aws-bedrock-agentcore
    spec:
      containers:
      - name: baton-aws-bedrock-agentcore
        image: public.ecr.aws/conductorone/baton-aws-bedrock-agentcore:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: BATON_HOST_ID
          value: baton-aws-bedrock-agentcore
        - name: BATON_PROVISIONING
          value: "false"
        envFrom:
        - secretRef:
            name: baton-aws-bedrock-agentcore-secrets

Step 3: Deploy the connector

Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.

Check that the connector data uploaded correctly. In C1, click Applications. On the Managed apps tab, locate and click the name of the application you added the connector to. Data should be found on the Entitlements, Accounts, and Secrets tabs.

Done. Your AWS Bedrock AgentCore connector is now pulling access data into C1.

Set up an AWS connector

Set up an AWS Cognito connector

⌘I

​Capabilities

​Actions

​Gather AWS credentials

​Configure the AWS Bedrock AgentCore connector

​Step 1: Set up a new connector

​Step 2: Create Kubernetes configuration files

​Secrets configuration

​Deployment configuration

​Step 3: Deploy the connector