feat: add settings and user-level credential support

Author: kevmyung

agent-blueprint/agentcore-gateway-stack/lambda-functions/google-maps/lambda_function.py

@@ -62,14 +62,22 @@ def lambda_handler(event, context):
         return error_response(str(e))
 
 
-def get_google_maps_client() -> Optional[googlemaps.Client]:
+def get_google_maps_client(user_api_key: Optional[str] = None) -> Optional[googlemaps.Client]:
     """
     Get Google Maps client with API key from Secrets Manager (with caching)
 
+    Args:
+        user_api_key: Optional user-provided API key (takes priority)
+
     Returns googlemaps.Client instance
     """
     global _credentials_cache, _gmaps_client
 
+    # If user provides their own key, create a new client (don't use cache)
+    if user_api_key:
+        logger.info("Creating Google Maps client with user-provided API key")
+        return googlemaps.Client(key=user_api_key)
+
     # Return cached client if available
     if _gmaps_client:
         return _gmaps_client
@@ -115,13 +123,23 @@ def get_google_maps_client() -> Optional[googlemaps.Client]:
         return None
 
 
+def _extract_user_maps_api_key(params: Dict[str, Any]) -> Optional[str]:
+    """Extract user-provided Google Maps API key from params"""
+    user_api_keys = params.pop('__user_api_keys', None)
+    if user_api_keys and user_api_keys.get('google_maps_api_key'):
+        logger.info("Using user-provided Google Maps API key")
+        return user_api_keys['google_maps_api_key']
+    return None
+
+
 def search_places(params: Dict[str, Any]) -> Dict[str, Any]:
     """
     Text-based place search (e.g., "restaurants in Seoul")
 
     Uses Places API Text Search
     """
-    gmaps = get_google_maps_client()
+    user_api_key = _extract_user_maps_api_key(params)
+    gmaps = get_google_maps_client(user_api_key)
     if not gmaps:
         return error_response("Failed to initialize Google Maps client")
 
@@ -194,7 +212,8 @@ def search_nearby_places(params: Dict[str, Any]) -> Dict[str, Any]:
 
     Uses Places API Nearby Search
     """
-    gmaps = get_google_maps_client()
+    user_api_key = _extract_user_maps_api_key(params)
+    gmaps = get_google_maps_client(user_api_key)
     if not gmaps:
         return error_response("Failed to initialize Google Maps client")
 
@@ -271,7 +290,8 @@ def get_place_details(params: Dict[str, Any]) -> Dict[str, Any]:
 
     Uses Places API Place Details
     """
-    gmaps = get_google_maps_client()
+    user_api_key = _extract_user_maps_api_key(params)
+    gmaps = get_google_maps_client(user_api_key)
     if not gmaps:
         return error_response("Failed to initialize Google Maps client")
 
@@ -354,7 +374,8 @@ def get_directions(params: Dict[str, Any]) -> Dict[str, Any]:
 
     Uses Directions API
     """
-    gmaps = get_google_maps_client()
+    user_api_key = _extract_user_maps_api_key(params)
+    gmaps = get_google_maps_client(user_api_key)
     if not gmaps:
         return error_response("Failed to initialize Google Maps client")
 
@@ -435,7 +456,8 @@ def geocode_address(params: Dict[str, Any]) -> Dict[str, Any]:
 
     Uses Geocoding API
     """
-    gmaps = get_google_maps_client()
+    user_api_key = _extract_user_maps_api_key(params)
+    gmaps = get_google_maps_client(user_api_key)
     if not gmaps:
         return error_response("Failed to initialize Google Maps client")
 
@@ -494,7 +516,8 @@ def reverse_geocode(params: Dict[str, Any]) -> Dict[str, Any]:
 
     Uses Reverse Geocoding API
     """
-    gmaps = get_google_maps_client()
+    user_api_key = _extract_user_maps_api_key(params)
+    gmaps = get_google_maps_client(user_api_key)
     if not gmaps:
         return error_response("Failed to initialize Google Maps client")
 

agent-blueprint/agentcore-gateway-stack/lambda-functions/google-search/lambda_function.py

@@ -101,8 +101,24 @@ def get_google_credentials() -> Optional[Dict[str, str]]:
 def google_web_search(params: Dict[str, Any]) -> Dict[str, Any]:
     """Execute Google web search with optional image results"""
 
-    # Get credentials
-    credentials = get_google_credentials()
+    # Check for user-provided API keys first (from __user_api_keys)
+    user_api_keys = params.pop('__user_api_keys', None)
+    credentials = None
+
+    if user_api_keys:
+        user_api_key = user_api_keys.get('google_api_key')
+        user_search_engine_id = user_api_keys.get('google_search_engine_id')
+        if user_api_key and user_search_engine_id:
+            credentials = {
+                'api_key': user_api_key,
+                'search_engine_id': user_search_engine_id
+            }
+            logger.info("Using user-provided Google API credentials")
+
+    # Fall back to default credentials from Secrets Manager
+    if not credentials:
+        credentials = get_google_credentials()
+
     if not credentials:
         return error_response("Failed to get Google API credentials")
 

agent-blueprint/agentcore-gateway-stack/lambda-functions/tavily/lambda_function.py

@@ -96,8 +96,18 @@ def get_tavily_api_key() -> Optional[str]:
 def tavily_search(params: Dict[str, Any]) -> Dict[str, Any]:
     """Execute Tavily web search"""
 
-    # Get API key from Secrets Manager (with caching)
-    api_key = get_tavily_api_key()
+    # Check for user-provided API key first (from __user_api_keys)
+    user_api_keys = params.pop('__user_api_keys', None)
+    api_key = None
+
+    if user_api_keys and user_api_keys.get('tavily_api_key'):
+        api_key = user_api_keys['tavily_api_key']
+        logger.info("Using user-provided Tavily API key")
+
+    # Fall back to default API key from Secrets Manager
+    if not api_key:
+        api_key = get_tavily_api_key()
+
     if not api_key:
         return error_response("Failed to get Tavily API key")
 
@@ -174,8 +184,18 @@ def tavily_search(params: Dict[str, Any]) -> Dict[str, Any]:
 def tavily_extract(params: Dict[str, Any]) -> Dict[str, Any]:
     """Extract content from URLs using Tavily"""
 
-    # Get API key from Secrets Manager (with caching)
-    api_key = get_tavily_api_key()
+    # Check for user-provided API key first (from __user_api_keys)
+    user_api_keys = params.pop('__user_api_keys', None)
+    api_key = None
+
+    if user_api_keys and user_api_keys.get('tavily_api_key'):
+        api_key = user_api_keys['tavily_api_key']
+        logger.info("Using user-provided Tavily API key")
+
+    # Fall back to default API key from Secrets Manager
+    if not api_key:
+        api_key = get_tavily_api_key()
+
     if not api_key:
         return error_response("Failed to get Tavily API key")
 

agent-blueprint/agentcore-gateway-stack/scripts/deploy.sh

@@ -256,10 +256,45 @@ if [ "$FORCE_REBUILD" = true ]; then
 fi
 
 # ============================================================================
-# Step 5: Deploy to AWS (CodeBuild will build Lambda packages automatically)
+# Step 5: Upload Lambda Sources to S3
 # ============================================================================
 
-echo "☁️  Step 5: Deploying to AWS..."
+echo "📤 Step 5: Uploading Lambda sources to S3..."
+echo ""
+
+# Get AWS account ID
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text 2>/dev/null || echo "")
+LAMBDA_BUCKET="${PROJECT_NAME}-gateway-lambdas-${AWS_ACCOUNT_ID}-${AWS_REGION}"
+
+# Check if bucket exists, create if not
+if ! aws s3 ls "s3://${LAMBDA_BUCKET}" > /dev/null 2>&1; then
+    echo "   Creating S3 bucket: ${LAMBDA_BUCKET}"
+    aws s3 mb "s3://${LAMBDA_BUCKET}" --region "$AWS_REGION" 2>/dev/null || true
+fi
+
+# Upload all Lambda sources
+LAMBDA_FUNCTIONS_DIR="$PROJECT_ROOT/lambda-functions"
+for func in tavily wikipedia arxiv google-search google-maps finance weather; do
+    if [ -d "$LAMBDA_FUNCTIONS_DIR/$func" ]; then
+        echo "   Uploading $func..."
+        aws s3 sync "$LAMBDA_FUNCTIONS_DIR/$func/" "s3://${LAMBDA_BUCKET}/source/$func/" \
+            --exclude "__pycache__/*" \
+            --exclude "*.pyc" \
+            --exclude ".DS_Store" \
+            --exclude "build/*" \
+            --exclude "*.zip" \
+            --delete \
+            --quiet
+    fi
+done
+echo "   ✅ All Lambda sources uploaded"
+echo ""
+
+# ============================================================================
+# Step 6: Deploy to AWS (CodeBuild will build Lambda packages automatically)
+# ============================================================================
+
+echo "☁️  Step 6: Deploying to AWS..."
 echo ""
 echo "ℹ️  Lambda functions will be built automatically by CodeBuild during deployment"
 echo "   This may take 5-10 minutes for the first deployment."
@@ -268,10 +303,10 @@ npm run deploy
 echo ""
 
 # ============================================================================
-# Step 6: Retrieve Gateway Information
+# Step 7: Retrieve Gateway Information
 # ============================================================================
 
-echo "📡 Step 6: Retrieving Gateway information..."
+echo "📡 Step 7: Retrieving Gateway information..."
 echo ""
 
 # Get Gateway URL from Parameter Store
@@ -299,7 +334,7 @@ echo "Region:       $AWS_REGION"
 echo ""
 
 # ============================================================================
-# Step 7: Verify API Key Configuration
+# Step 8: Verify API Key Configuration
 # ============================================================================
 
 echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

agent-blueprint/chatbot-deployment/infrastructure/lib/chatbot-stack.ts

@@ -246,13 +246,16 @@ export class ChatbotStack extends cdk.Stack {
       })
     );
 
-    // Secrets Manager Access for Google Maps API Key
+    // Secrets Manager Access for API Keys detection
     codeBuildRole.addToPolicy(
       new iam.PolicyStatement({
         effect: iam.Effect.ALLOW,
         actions: ['secretsmanager:GetSecretValue'],
         resources: [
           `arn:aws:secretsmanager:${this.region}:${this.account}:secret:${projectName}/mcp/google-maps-credentials-*`,
+          `arn:aws:secretsmanager:${this.region}:${this.account}:secret:${projectName}/mcp/tavily-api-key-*`,
+          `arn:aws:secretsmanager:${this.region}:${this.account}:secret:${projectName}/mcp/google-credentials-*`,
+          `arn:aws:secretsmanager:${this.region}:${this.account}:secret:${projectName}/nova-act-api-key-*`,
         ],
       })
     );
@@ -288,6 +291,14 @@ export class ChatbotStack extends cdk.Stack {
               `GOOGLE_MAPS_SECRET=$(aws secretsmanager get-secret-value --secret-id "${projectName}/mcp/google-maps-credentials" --region ${this.region} --query SecretString --output text || echo "{}")`,
               `GOOGLE_MAPS_API_KEY=$(echo $GOOGLE_MAPS_SECRET | jq -r '.api_key // empty')`,
               'echo "Google Maps API Key: ${GOOGLE_MAPS_API_KEY:0:10}..." # Show first 10 chars only for security',
+              '',
+              'echo Detecting configured API keys from Secrets Manager...',
+              'DEFAULT_KEYS=""',
+              `if aws secretsmanager get-secret-value --secret-id "${projectName}/mcp/tavily-api-key" --region ${this.region} &>/dev/null; then DEFAULT_KEYS="tavily_api_key"; echo "  ✓ Tavily"; fi`,
+              `if aws secretsmanager get-secret-value --secret-id "${projectName}/mcp/google-credentials" --region ${this.region} &>/dev/null; then [ -n "$DEFAULT_KEYS" ] && DEFAULT_KEYS="$DEFAULT_KEYS,"; DEFAULT_KEYS="\${DEFAULT_KEYS}google_api_key,google_search_engine_id"; echo "  ✓ Google Search"; fi`,
+              `if aws secretsmanager get-secret-value --secret-id "${projectName}/mcp/google-maps-credentials" --region ${this.region} &>/dev/null; then [ -n "$DEFAULT_KEYS" ] && DEFAULT_KEYS="$DEFAULT_KEYS,"; DEFAULT_KEYS="\${DEFAULT_KEYS}google_maps_api_key"; echo "  ✓ Google Maps"; fi`,
+              `if aws secretsmanager get-secret-value --secret-id "${projectName}/nova-act-api-key" --region ${this.region} &>/dev/null; then [ -n "$DEFAULT_KEYS" ] && DEFAULT_KEYS="$DEFAULT_KEYS,"; DEFAULT_KEYS="\${DEFAULT_KEYS}nova_act_api_key"; echo "  ✓ Nova Act"; fi`,
+              'echo "Default API keys: $DEFAULT_KEYS"',
             ],
           },
           build: {
@@ -299,6 +310,7 @@ export class ChatbotStack extends cdk.Stack {
               '--build-arg NEXT_PUBLIC_COGNITO_USER_POOL_CLIENT_ID=$COGNITO_CLIENT_ID ' +
               '--build-arg NEXT_PUBLIC_STREAMING_API_URL=$ALB_DNS ' +
               '--build-arg NEXT_PUBLIC_GOOGLE_MAPS_EMBED_API_KEY=$GOOGLE_MAPS_API_KEY ' +
+              '--build-arg NEXT_PUBLIC_DEFAULT_KEYS=$DEFAULT_KEYS ' +
               '-t frontend:latest .',
               `docker tag frontend:latest ${frontendRepository.repositoryUri}:latest`,
             ],

agent-blueprint/chatbot-deployment/infrastructure/scripts/deploy.sh

@@ -210,6 +210,52 @@ else
     echo "🌐 CORS Origins: $CORS_ORIGINS"
 fi
 
+# Detect configured API keys from Secrets Manager
+echo ""
+echo "🔑 Detecting configured API keys from Secrets Manager..."
+DEFAULT_KEYS=""
+
+# Check Tavily
+if aws secretsmanager get-secret-value --secret-id "strands-agent-chatbot/mcp/tavily-api-key" --region "$AWS_REGION" &>/dev/null; then
+    DEFAULT_KEYS="tavily_api_key"
+    echo "  ✓ Tavily API key found"
+fi
+
+# Check Google Search
+if aws secretsmanager get-secret-value --secret-id "strands-agent-chatbot/mcp/google-credentials" --region "$AWS_REGION" &>/dev/null; then
+    [ -n "$DEFAULT_KEYS" ] && DEFAULT_KEYS="$DEFAULT_KEYS,"
+    DEFAULT_KEYS="${DEFAULT_KEYS}google_api_key,google_search_engine_id"
+    echo "  ✓ Google Search credentials found"
+fi
+
+# Check Google Maps
+if aws secretsmanager get-secret-value --secret-id "strands-agent-chatbot/mcp/google-maps-credentials" --region "$AWS_REGION" &>/dev/null; then
+    [ -n "$DEFAULT_KEYS" ] && DEFAULT_KEYS="$DEFAULT_KEYS,"
+    DEFAULT_KEYS="${DEFAULT_KEYS}google_maps_api_key"
+    echo "  ✓ Google Maps credentials found"
+fi
+
+# Check Nova Act
+if aws secretsmanager get-secret-value --secret-id "strands-agent-chatbot/nova-act-api-key" --region "$AWS_REGION" &>/dev/null; then
+    [ -n "$DEFAULT_KEYS" ] && DEFAULT_KEYS="$DEFAULT_KEYS,"
+    DEFAULT_KEYS="${DEFAULT_KEYS}nova_act_api_key"
+    echo "  ✓ Nova Act API key found"
+fi
+
+if [ -n "$DEFAULT_KEYS" ]; then
+    export NEXT_PUBLIC_DEFAULT_KEYS="$DEFAULT_KEYS"
+    echo "✅ Default API keys: $DEFAULT_KEYS"
+
+    # Save to master .env file
+    MAIN_ENV_FILE="../../.env"
+    grep -v "^NEXT_PUBLIC_DEFAULT_KEYS=" "$MAIN_ENV_FILE" > "$MAIN_ENV_FILE.tmp" 2>/dev/null || touch "$MAIN_ENV_FILE.tmp"
+    mv "$MAIN_ENV_FILE.tmp" "$MAIN_ENV_FILE"
+    echo "NEXT_PUBLIC_DEFAULT_KEYS=$DEFAULT_KEYS" >> "$MAIN_ENV_FILE"
+else
+    echo "⚠️  No default API keys found in Secrets Manager"
+fi
+echo ""
+
 # Collect IP ranges for CIDR-based access control (if not using Cognito)
 if [ "$ENABLE_COGNITO" != "true" ]; then
     # Set default IP ranges if not configured