The AWS Bedrock AgentCore connector syncs the following resources:
Resource
Sync
Provision
Agents
OAuth2 Credential Providers
API Key Credential Providers
Gateways
Gateway Targets
Agents: Non-human identities (NHIs) for AI agents (workload identities).
OAuth2 Credential Providers: OAuth2 client credentials stored in the Token Vault (GitHub, Slack, Google, etc.).
API Key Credential Providers: API key credentials stored in the Token Vault (Stripe, SendGrid, etc.).
Gateways: Proxies connecting agents to external tools. Each gateway has a “Gateway Access” entitlement showing which agent is associated.
Gateway Targets: External tool/API endpoints connected through a gateway (e.g., MCP servers). Each target has a “Target Access” entitlement derived from its parent gateway.
The connector exposes the following Baton actions:
provision_oauth_credential: Create or update an AgentCore OAuth2 credential provider (e.g. from a C1 Personal Client Credential) and point an existing gateway target at it.
To configure the AWS Bedrock AgentCore connector, you need an IAM user or
role with bedrock-agentcore:* permissions. You can use the AWS managed
policy BedrockAgentCoreFullAccess.Running the provision_oauth_credential action additionally requires
bedrock-agentcore:CreateOauth2CredentialProvider,
bedrock-agentcore:UpdateOauth2CredentialProvider,
bedrock-agentcore:GetOauth2CredentialProvider,
bedrock-agentcore:GetGatewayTarget, and
bedrock-agentcore:UpdateGatewayTarget when scoping a policy below
bedrock-agentcore:*. See the AWS service authorization reference for
Bedrock AgentCore
for the canonical action names.
Follow these instructions to use a built-in, no-code connector hosted by C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for AWS Bedrock AgentCore and click Add.
3
Choose how to set up the new connector:
Add the connector to a currently unmanaged app
Add the connector to a managed app
Create a new managed app
4
Set the owner for this connector.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Enter the required configuration:
AWS Access Key ID: The IAM access key ID.
AWS Secret Access Key: The IAM secret access key.
AWS Region: The AWS region (defaults to us-east-1).
AWS Session Token: Optional, for temporary/SSO credentials.
8
Click Save.
9
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
Done. Your AWS Bedrock AgentCore connector is now pulling access data into C1.
Follow these instructions to use the AWS Bedrock AgentCore connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In C1, click Applications. On the Managed apps tab, locate and click the name of the application you added the connector to. Data should be found on the Entitlements, Accounts, and Secrets tabs.
Done. Your AWS Bedrock AgentCore connector is now pulling access data into C1.
