update_agent_runtime
- BedrockAgentCoreControl.Client.update_agent_runtime(**kwargs)
Updates an existing Amazon Secure Agent.
See also: AWS API Documentation
Request Syntax
response = client.update_agent_runtime(
    agentRuntimeId='string',
    agentRuntimeArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    roleArn='string',
    networkConfiguration={
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ],
            'requireServiceS3Endpoint': True|False
        }
    },
    description='string',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    requestHeaderConfiguration={
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    protocolConfiguration={
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    lifecycleConfiguration={
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    metadataConfiguration={
        'requireMMDSV2': True|False
    },
    environmentVariables={
        'string': 'string'
    },
    filesystemConfigurations=[
        {
            'sessionStorage': {
                'mountPath': 'string'
            },
            's3FilesAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            },
            'efsAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            }
        },
    ],
    clientToken='string'
)
- Parameters:
agentRuntimeId (string) –
[REQUIRED]
The unique identifier of the AgentCore Runtime to update.
agentRuntimeArtifact (dict) –
[REQUIRED]
The updated artifact of the AgentCore Runtime.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: containerConfiguration, codeConfiguration.
containerConfiguration (dict) –
The container configuration for the agent artifact.
containerUri (string) – [REQUIRED]
The ECR URI of the container.
codeConfiguration (dict) –
The code configuration for the agent runtime artifact, including the source code location and execution settings.
code (dict) – [REQUIRED]
The source code location and configuration details.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: s3.
s3 (dict) –
The Amazon S3 object that contains the source code for the agent runtime.
bucket (string) – [REQUIRED]
The name of the Amazon S3 bucket. This bucket contains the stored data.
prefix (string) – [REQUIRED]
The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.
versionId (string) –
The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.
runtime (string) – [REQUIRED]
The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.
entryPoint (list) – [REQUIRED]
The entry point for the code execution, specifying the function or method that should be invoked when the code runs.
(string) –
roleArn (string) –
[REQUIRED]
The updated IAM role ARN that provides permissions for the AgentCore Runtime.
networkConfiguration (dict) –
[REQUIRED]
The updated network configuration for the AgentCore Runtime.
networkMode (string) – [REQUIRED]
The network mode for the AgentCore Runtime.
networkModeConfig (dict) –
The network mode configuration for the AgentCore Runtime.
securityGroups (list) – [REQUIRED]
The security groups associated with the VPC configuration.
(string) –
subnets (list) – [REQUIRED]
The subnets associated with the VPC configuration.
(string) –
requireServiceS3Endpoint (boolean) –
Note
This field applies only to Agent Runtimes. It is not applicable to Browsers or Code Interpreters.
Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.
Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.
Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.
This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.
description (string) – The updated description of the AgentCore Runtime.
authorizerConfiguration (dict) –
The updated authorizer configuration for the AgentCore Runtime.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: customJWTAuthorizer.
customJWTAuthorizer (dict) –
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) – [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) –
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) –
allowedClients (list) –
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) –
allowedScopes (list) –
An array of scopes that are allowed to access the token.
(string) –
customClaims (list) –
An array of objects that define a custom claim validation name, value, and operation.
(dict) –
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) – [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) – [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) – [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) – [REQUIRED]
The value or values to match for.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: matchValueString, matchValueStringList.
matchValueString (string) –
The string value to match for.
matchValueStringList (list) –
An array of strings to check for a match.
(string) –
claimMatchOperator (string) – [REQUIRED]
Defines the relationship between the claim field value and the value or values you’re matching for.
privateEndpoint (dict) –
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: selfManagedLatticeResource, managedVpcResource.
selfManagedLatticeResource (dict) –
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: resourceConfigurationIdentifier.
resourceConfigurationIdentifier (string) –
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) –
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) – [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) – [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) –
endpointIpAddressType (string) – [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) –
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) –
tags (dict) –
Tags to apply to the managed VPC Lattice resource gateway.
(string) –
(string) –
routingDomain (string) –
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.
privateEndpointOverrides (list) –
The private endpoint overrides for the custom JWT authorizer configuration.
(dict) –
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) – [REQUIRED]
The domain to override with a private endpoint.
privateEndpoint (dict) – [REQUIRED]
The private endpoint configuration for the specified domain.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: selfManagedLatticeResource, managedVpcResource.
selfManagedLatticeResource (dict) –
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: resourceConfigurationIdentifier.
resourceConfigurationIdentifier (string) –
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) –
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) – [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) – [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) –
endpointIpAddressType (string) – [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) –
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) –
tags (dict) –
Tags to apply to the managed VPC Lattice resource gateway.
(string) –
(string) –
routingDomain (string) –
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.
requestHeaderConfiguration (dict) –
The updated configuration for HTTP request headers that will be passed through to the runtime.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: requestHeaderAllowlist.
requestHeaderAllowlist (list) –
A list of HTTP request headers that are allowed to be passed through to the runtime.
(string) –
protocolConfiguration (dict) –
The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.
serverProtocol (string) – [REQUIRED]
The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.
lifecycleConfiguration (dict) –
The updated life cycle configuration for the AgentCore Runtime.
idleRuntimeSessionTimeout (integer) –
Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).
maxLifetime (integer) –
Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).
metadataConfiguration (dict) –
The updated configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.
requireMMDSV2 (boolean) – [REQUIRED]
Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to true, the runtime microVM will only accept MMDSv2 requests.
environmentVariables (dict) –
Updated environment variables to set in the AgentCore Runtime environment.
(string) –
(string) –
filesystemConfigurations (list) –
The updated filesystem configurations to mount into the AgentCore Runtime.
(dict) –
Configuration for a filesystem that can be mounted into the AgentCore Runtime.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: sessionStorage, s3FilesAccessPoint, efsAccessPoint.
sessionStorage (dict) –
Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.
mountPath (string) – [REQUIRED]
The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).
s3FilesAccessPoint (dict) –
Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.
accessPointArn (string) – [REQUIRED]
The ARN of the S3 Files access point to mount into the AgentCore Runtime.
mountPath (string) – [REQUIRED]
The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).
efsAccessPoint (dict) –
Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.
accessPointArn (string) – [REQUIRED]
The ARN of the EFS access point to mount into the AgentCore Runtime.
mountPath (string) – [REQUIRED]
The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).
clientToken (string) –
A unique, case-sensitive identifier to ensure idempotency of the request.
This field is autopopulated if not provided.
- Return type:
dict
- Returns:
Response Syntax
{
    'agentRuntimeArn': 'string',
    'agentRuntimeId': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}
Response Structure
(dict) –
agentRuntimeArn (string) –
The Amazon Resource Name (ARN) of the updated AgentCore Runtime.
agentRuntimeId (string) –
The unique identifier of the updated AgentCore Runtime.
workloadIdentityDetails (dict) –
The workload identity details for the updated AgentCore Runtime.
workloadIdentityArn (string) –
The ARN associated with the workload identity.
agentRuntimeVersion (string) –
The version of the updated AgentCore Runtime.
createdAt (datetime) –
The timestamp when the AgentCore Runtime was created.
lastUpdatedAt (datetime) –
The timestamp when the AgentCore Runtime was last updated.
status (string) –
The current status of the updated AgentCore Runtime.
Exceptions
BedrockAgentCoreControl.Client.exceptions.ServiceQuotaExceededException
BedrockAgentCoreControl.Client.exceptions.AccessDeniedException
BedrockAgentCoreControl.Client.exceptions.ConflictException
BedrockAgentCoreControl.Client.exceptions.ValidationException
BedrockAgentCoreControl.Client.exceptions.ResourceNotFoundException
BedrockAgentCoreControl.Client.exceptions.ThrottlingException
BedrockAgentCoreControl.Client.exceptions.InternalServerException
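A pre-flight review of an update_agent_runtime request against constraints documented above (Tagged Union keys, the /mnt mount path rule, versionId, requireServiceS3Endpoint and requireMMDSV2), given here as an added example that is not part of the boto3 documentation. The function names, the sample request and the policy choices (flagging a non-VPC network mode, rejecting "." and ".." as mount directories) are assumptions of this example.

```python
import re

# /mnt plus exactly one directory; excluding "." and ".." is this example's choice.
MOUNT_RE = re.compile(r"/mnt/(?!\.{1,2}$)[^/]+")
FS_KINDS = ("sessionStorage", "s3FilesAccessPoint", "efsAccessPoint")

def _union(findings, where, struct, keys):
    """Tagged Union rule: record a finding unless exactly one key is set."""
    present = [k for k in keys if k in struct]
    if len(present) != 1:
        findings.append(f"{where}: set exactly one of {list(keys)}, got {present}")
        return None
    return present[0]

def review_update_request(kwargs):
    """Return findings for a dict meant to be passed as update_agent_runtime(**kwargs)."""
    findings = []
    artifact = kwargs.get("agentRuntimeArtifact", {})
    kind = _union(findings, "agentRuntimeArtifact", artifact,
                  ("containerConfiguration", "codeConfiguration"))
    if kind == "codeConfiguration":
        s3 = artifact[kind].get("code", {}).get("s3", {})
        if not s3.get("versionId"):
            findings.append("code.s3: no versionId, so the latest object version is used")
    net = kwargs.get("networkConfiguration", {})
    if net.get("networkMode") != "VPC":  # policy choice of this example
        findings.append("networkConfiguration: networkMode is not VPC")
    elif net.get("networkModeConfig", {}).get("requireServiceS3Endpoint") is not False:
        # Only meaningful for pre-rollout runtimes; post-rollout ones reject the field.
        findings.append("networkModeConfig: service-managed S3 gateway stays provisioned")
    if kwargs.get("metadataConfiguration", {}).get("requireMMDSV2") is not True:
        findings.append("metadataConfiguration: MMDSv2 is not required")
    for i, fs in enumerate(kwargs.get("filesystemConfigurations", [])):
        fs_kind = _union(findings, f"filesystemConfigurations[{i}]", fs, FS_KINDS)
        if fs_kind and not MOUNT_RE.fullmatch(fs[fs_kind].get("mountPath", "")):
            findings.append(f"filesystemConfigurations[{i}]: mountPath not /mnt/<dir>")
    return findings

# Constructed sample request (placeholder names, not taken from the page).
WEAK_REQUEST = {
    "agentRuntimeArtifact": {"codeConfiguration": {
        "code": {"s3": {"bucket": "example-bucket", "prefix": "agent/"}},
        "runtime": "PYTHON_3_12", "entryPoint": ["main.py"]}},
    "networkConfiguration": {"networkMode": "PUBLIC"},
    "filesystemConfigurations": [{"sessionStorage": {"mountPath": "/mnt/data/cache"}}],
}

if __name__ == "__main__":
    print("\n".join(review_update_request(WEAK_REQUEST)))
```

An empty result means the request passed these checks; the review covers only the fields named here and does not replace the service's own validation.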