Amazon Bedrock AgentCore Identity now allows you to bring your own secrets with AWS Secrets Manager
Amazon Web Services has updated its Bedrock AgentCore Identity service to allow customers to bring their own secrets through AWS Secrets Manager integration. The new capability enables organizations to reference existing AWS Secrets Manager secret ARNs directly in AgentCore Identity Credential Providers, replacing the previous service-managed approach where AWS created and controlled secrets on behalf of customers. This change addresses significant governance limitations that prevented customers from applying resource tags during creation, encrypting secrets with customer-managed keys, or implementing organization-specific compliance controls.
The update maintains the same runtime functionality while giving customers complete ownership over secret creation, classification, and governance policies. Organizations can now implement their own tagging strategies, automatic rotation schedules, custom encryption keys, and resource policies before integrating secrets with AgentCore Identity.
The feature is generally available across 14 AWS regions including major markets in North America, Europe, and Asia-Pacific, with full documentation available through the Amazon Bedrock AgentCore Identity developer guide.
Why It Matters
This enhancement addresses a critical enterprise adoption barrier for AWS Bedrock AI agents by enabling organizations with strict governance requirements to maintain control over sensitive credential management. The ability to use customer-managed encryption keys and apply custom governance policies makes the service viable for regulated industries and enterprises with complex compliance frameworks, potentially accelerating adoption of AWS's AI agent capabilities in enterprise environments.
This summary is generated using AI analysis of the original press release. Always refer to the original source for complete details.