Document Type: Technical Requirements Document Status: Draft Priority: P1 - Future Enhancement (not required for v0.2.0) Date: January 4, 2026 Author: AgentPlexus Team
This document defines the authentication architecture for agent-to-agent (A2A) communication in AgentPlexus when deployed on AWS Bedrock AgentCore. This is a future enhancement, not a v0.2.0 requirement.
v0.2.0 prioritizes a functioning prototype deployed on AgentCore via CDK. Baseline security is provided by:
- VPC isolation (agents only reachable within VPC)
- TLS in transit (HTTPS mandatory)
- Security groups (network-level access control)
For production deployments requiring zero-trust security, AWS expects you to use IAM SigV4 or OAuth for inter-agent authentication. AgentCore does NOT provide automatic mTLS or Nitro-enforced A2A encryption.
AgentCore runs your code inside Nitro-backed infrastructure, but that only protects:
- The host
- The runtime isolation
- Memory and CPU boundaries
It does not automatically secure traffic between agents.
Nitro protects where agents run, not how they talk.
Even without extra work:
- TLS in transit - All AWS-managed endpoints require HTTPS (TLS 1.2+)
- IAM identity per agent - Each AgentCore agent runs with a dedicated IAM role and short-lived STS credentials
| Pattern | Use Case |
|---|---|
| IAM SigV4 | All agents in AWS (RECOMMENDED) |
| OAuth/JWT | Cross-cloud agents or external IdP |
| mTLS | Regulated environments, legacy systems |
This is the canonical AWS approach:
- Calling agent: Signs HTTP requests using SigV4
- Receiving agent: Fronted by API Gateway or ALB with IAM auth
Security properties:
- Mutual authentication
- Strong identity (IAM role)
- Short-lived credentials
- No certificate management
- Auditable via CloudTrail
In AWS, IAM ≈ mTLS, but at the API layer.
| Layer | Responsibility |
|---|---|
| AgentKit | Transport, auth, signing, verification |
| Agent implementations | Business logic only |
| AgentCore | Runtime + IAM role |
| AgentPlexus A2A | Protocol semantics |
SigV4 should be implemented once in AgentKit and reused everywhere. This mirrors:
- AWS SDKs (signing is in the SDK, not app code)
- gRPC interceptors
- HTTP middleware stacks
Agent
└─ AgentKit
├─ A2A Client (SigV4 signer)
├─ A2A Server (SigV4 verifier via API Gateway)
└─ Transport (HTTP)
type AuthProvider interface {
Sign(req *http.Request) error
Verify(req *http.Request) error // Only needed if not using API Gateway
}This allows future support for:
- OAuth
- mTLS
- Custom auth
import (
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
)
type SigV4Signer struct {
Creds aws.CredentialsProvider
Region string
Service string // e.g., "execute-api"
}
func (s *SigV4Signer) Sign(req *http.Request) error {
creds, err := s.Creds.Retrieve(context.Background())
if err != nil {
return err
}
signer := v4.NewSigner()
payloadHash := "UNSIGNED-PAYLOAD"
return signer.SignHTTP(
context.Background(),
creds,
req,
payloadHash,
s.Service,
s.Region,
time.Now(),
)
}AgentCore does NOT validate SigV4 for you.
Recommended pattern: API Gateway in front of agents
Agent A
└─ AgentKit (SigV4)
↓
API Gateway (IAM auth)
↓
Agent B (AgentCore)
Benefits:
- AWS validates SigV4
- No crypto code in AgentKit server
- IAM policies enforce agent allowlists
- CloudTrail auditing
Alternative: ALB with IAM auth (slightly more setup, still no verification code needed).
agentkit.NewAgent(
agentkit.WithA2ATransport(
agentkit.HTTPTransport{
Auth: agentkit.SigV4(
agentkit.SigV4Config{
Region: "us-east-1",
Service: "execute-api",
},
),
},
),
)Agent authors never need to:
- Import AWS SDK auth code
- Know about IAM
- Handle signatures
{
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-east-1:123456789012:agent-a2a/*",
"Condition": {
"StringEquals": {
"aws:PrincipalArn": "arn:aws:iam::123456789012:role/agent-planner"
}
}
}Use when:
- Agents may run outside AWS
- You want portable A2A
- You already have an IdP (Cognito, Okta, Auth0)
Flow:
- Agent authenticates to IdP
- Receives JWT
- Sends
Authorization: Bearer <token> - Receiving agent validates token
Use when:
- Regulated environments require it
- Existing mTLS mesh
- Non-HTTP transports
Requirements:
- Private CA (ACM PCA)
- Certificate distribution
- Certificate rotation
- Custom TLS servers in agents
For most AgentCore users: overkill.
- HTTPS everywhere
- IAM SigV4 for A2A
- VPC + security groups
- Least-privilege IAM roles
- IAM auth for A2A
- Private ALB / API Gateway
- VPC-only traffic
- CloudWatch + X-Ray with propagated trace IDs
- Explicit agent allowlists in IAM
| Requirement | Best Choice |
|---|---|
| All agents in AWS | IAM (SigV4) |
| Cross-cloud agents | OAuth / JWT |
| Zero-trust + simplicity | IAM |
| Regulated + legacy | mTLS |
| "Nitro-secured channels" | Not a thing |
AgentCore provides CfnWorkloadIdentity for OAuth2 scenarios:
type CfnWorkloadIdentityProps struct {
Name *string // Unique name
AllowedResourceOauth2ReturnUrls *[]*string // OAuth2 return URLs
Tags *[]*CfnTag // Resource tags
}This is primarily for:
- External OAuth providers
- Cross-cloud agent communication
- Web-based OAuth flows
For pure AWS-to-AWS A2A, IAM SigV4 is preferred.
- Define
AuthProviderinterface in AgentKit - Implement
SigV4Signerfor outbound requests - Add configuration options to A2A client
- Add API Gateway creation to agentkit-aws-cdk
- Configure IAM auth on API Gateway
- Generate per-agent IAM policies
- Implement
OAuthProviderin AgentKit - Add WorkloadIdentity to agentkit-aws-cdk
- Document OAuth configuration
- Should we support direct agent-to-agent calls without API Gateway?
- What is the policy structure for per-agent allowlists?
- How do we handle local development (auth bypass)?
- AWS Bedrock AgentCore Documentation
- AWS SigV4 Signing Process
- A2A Protocol Specification
- MCP Gateway Architecture
| Date | Version | Changes |
|---|---|---|
| 2026-01-04 | Draft | Initial document |