WeSearch

Building an Agent that respects User Permissions — With AWS Bedrock AgentCore and Entra ID

Tags: #aws #security #ai-agents #oauth #identity-management

TL;DR (AI summary)

This article presents an approach to building secure AI agents with AWS Bedrock AgentCore and Microsoft Entra ID, so that an agent acts on behalf of a user with exactly that user's permissions. It highlights the risk of using service accounts to reach enterprise systems such as ServiceNow: an overprivileged service account lets the agent expose data the requesting user was never entitled to see. By using AgentCore Identity's On-Behalf-Of (OBO) token exchange, the agent accesses downstream services as the authenticated user, which preserves auditability and least privilege.

Original article: DEV Community

Opening excerpt (first ~120 words)

Sumanth P, posted on May 1

Building an Agent that respects User Permissions — With AWS Bedrock AgentCore and Entra ID
#agents #aws #security #tutorial

A practical guide to building an AI agent that queries ServiceNow as the actual user, not a service account, using AgentCore Identity's On-Behalf-Of token exchange.

The Problem Nobody Talks About

Everyone's building AI agents that talk to enterprise systems. But here's the thing most demos skip over: security. Picture this.

Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV Community.
