

# Creating and managing registries

A registry is the top-level resource in AWS Agent Registry. Before you can publish records, you need to create a registry and configure its authorization and approval settings. This section covers the supported authorization types and how to create, view, update, and delete registries.

**Topics**
+ [Supported Inbound Authorization types](registry-supported-auth-types.md)
+ [Create and manage registries](registry-create-manage.md)

# Supported Inbound Authorization types

Inbound authorization allows registry administrators to control which users can search for records in the registry (via AWS CLI, SDK, console, or MCP server). Administrators can configure inbound authorization using IAM or JWT.

## IAM-based authorization


IAM-based authorization uses the caller’s AWS IAM credentials (SigV4 signing) for authorization. Use this option if your consumers already have AWS IAM access.

### To set up IAM-based authorization


1. Create or use an existing IAM identity for your registry consumers.

1. Create an identity-based IAM policy with the following permissions:

   1. `bedrock-agentcore:SearchRegistryRecords`

   1. `bedrock-agentcore:InvokeRegistryMcp`

   1. (Optional) Scope the policy's `Resource` element to a specific registry ARN if you want to limit which registry a particular consumer can search.

1. Attach the policy to the consumer identity (IAM User or Role).

### Example policy


```
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "bedrock-agentcore:SearchRegistryRecords",
      "bedrock-agentcore:InvokeRegistryMcp"
    ],
    "Resource": "arn:aws:bedrock-agentcore:us-east-1:123456789012:registry/<YOUR_REGISTRY_ID>"
  }]
}
```

## JWT-based authorization


JSON Web Token (JWT) authorization lets consumers authorize using tokens from your organization’s identity provider — such as Amazon Cognito, Okta, Microsoft Azure AD, Auth0, or any OAuth 2.0-compatible provider. This is useful when you want to make the registry accessible to a broad set of users through existing corporate credentials, without provisioning individual IAM access.

### Set up a default JWT with Amazon Cognito


When you create a registry through the console and select JWT authorization, you can choose the quick create option. AWS Agent Registry creates an Amazon Cognito user pool and configures the JWT authorization automatically. No additional setup is required.

### Set up a JWT manually with your own identity provider


If you have an existing identity provider, configure JWT authorization manually. You need:
+  **Discovery URL** (required) — The OpenID Connect discovery URL from your identity provider (for example, `https://cognito-idp.us-east-1.amazonaws.com/YOUR_POOL_ID/.well-known/openid-configuration` ). AWS Agent Registry uses this URL to fetch the login, token, and verification settings.

You must also configure at least one of the following JWT authorization rules:
+  **Allowed audiences** — Permitted values for the `aud` claim. An audience claim specifies which resource server the token is intended for, preventing token reuse across different APIs.
+  **Allowed clients** — Permitted values for the `client_id` claim. A client ID is a unique identifier for the application requesting access tokens.
+  **Allowed scopes** — Required permission scopes. At least one scope in the incoming token must match one of the configured values.
+  **Custom claims** — Rules that match specific claims in the incoming token against predefined values. For each rule, specify the claim name, value type (STRING or STRING_ARRAY), and the required match value.

If you configure more than one authorization rule, AWS Agent Registry verifies all of them.
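To make the rule semantics concrete, the following added Python model (not AWS Agent Registry code) shows how the four rule types combine, with every configured rule required to pass. It assumes the token signature has already been verified against the discovery URL's keys, that scopes arrive in a space-separated `scope` claim, that the configuration uses the `allowedClients` key from the CLI example plus assumed `allowedAudiences`, `allowedScopes` and `customClaims` keys, and that a custom-claim rule is a dict with `name`, `type` and `value` keys.

```python
STRING = "STRING"
STRING_ARRAY = "STRING_ARRAY"


def _as_list(value):
    # A JWT `aud` claim may be a single string or an array of strings.
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _custom_claim_matches(claims, rule):
    # Rule keys are assumed names: name, type (STRING or STRING_ARRAY), value.
    present = claims.get(rule["name"])
    if rule["type"] == STRING:
        return isinstance(present, str) and present == rule["value"]
    if rule["type"] == STRING_ARRAY:
        return isinstance(present, list) and rule["value"] in present
    raise ValueError(f"unknown claim value type: {rule['type']}")


def authorize(claims, config):
    """Evaluate already-verified token claims against the registry's JWT rules.

    Returns (allowed, reasons). Every configured rule must pass, and a
    configuration with no rule at all is rejected rather than treated as open.
    """
    reasons = []
    configured = 0
    if config.get("allowedAudiences"):
        configured += 1
        if not set(_as_list(claims.get("aud"))) & set(config["allowedAudiences"]):
            reasons.append("aud not in allowed audiences")
    if config.get("allowedClients"):
        configured += 1
        if claims.get("client_id") not in config["allowedClients"]:
            reasons.append("client_id not in allowed clients")
    if config.get("allowedScopes"):
        configured += 1
        # Assumes scopes arrive as a space-separated `scope` claim (OAuth 2.0 convention).
        token_scopes = set(str(claims.get("scope", "")).split())
        if not token_scopes & set(config["allowedScopes"]):
            reasons.append("no token scope matches allowed scopes")
    for rule in config.get("customClaims", []):
        configured += 1
        if not _custom_claim_matches(claims, rule):
            reasons.append(f"custom claim {rule['name']} does not match")
    if configured == 0:
        reasons.append("no authorization rule configured")
    return (not reasons, reasons)
```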

## Changing Authorization type


You cannot change the authorization type after a registry has been created. Additionally, for registries set up with JWT-based authorization, the discovery URL cannot be edited after the registry has been created.

## Authorization scope


The authorization type you configure only affects the data plane APIs — SearchRegistryRecords and InvokeRegistryMcp. All control plane APIs (CreateRegistry, CreateRegistryRecord, UpdateRegistryRecordStatus, and others) always require IAM authorization, regardless of the registry’s authorization setting.

# Create and manage registries

## Create a registry


### Console


1. Open the [Amazon Bedrock AgentCore console](https://console.aws.amazon.com/bedrock-agentcore/home?region=us-east-1#).

1. In the navigation pane, under **Discover** , choose **Registry**.

1. In the **Registries** section, choose **Create registry**.

1. For **Name**, enter a name for your registry. The name must start with a letter or digit. Valid characters are a-z, A-Z, 0-9, _ (underscore), - (hyphen), . (dot), and / (forward slash). The name can have up to 64 characters.

1. (Optional) Expand **Additional details** and enter a **Description** (1–4,096 characters).

1. (Optional) Expand **Search API Authorization** to configure how consumers authorize when searching the registry (Inbound Authorization). Choose **AWS IAM** to use standard AWS credentials, or **JSON Web tokens (JWT)** to use your corporate identity provider credentials. If you choose JWT, you can either quick create with Cognito, or bring your own IdP by providing the discovery URL, audience, scope, custom claims and clients.

1. Under **Record approval** , choose whether to enable **Auto-approval** . When auto-approval is off, a curator must review and approve each record before it becomes searchable.

1. Choose **Create registry**.

The registry status starts as **Creating** and transitions to **Ready** when provisioning completes.

**Note**  
For JWT-enabled registries, at least one **JWT authorization configuration** field is required: allowed audiences, allowed clients, allowed scopes, or custom claims. If you configure more than one, AWS Agent Registry verifies all of them.

### AWS CLI


 **IAM-based registry:** 

```
aws bedrock-agentcore-control create-registry \
  --name "MyRegistry" \
  --description "Production registry" \
  --region us-east-1
```

 **JWT-based registry:** 

```
aws bedrock-agentcore-control create-registry \
  --name "MyOAuthRegistry" \
  --authorizer-type CUSTOM_JWT \
  --authorizer-configuration '{"customJWTAuthorizer": {"discoveryUrl": "https://cognito-idp.us-east-1.amazonaws.com/<poolId>/.well-known/openid-configuration", "allowedClients": ["<appClientId>"]}}' \
  --region us-east-1
```

### AWS SDK


 **IAM-based registry:** 

```
import boto3

client = boto3.client('bedrock-agentcore-control')

response = client.create_registry(
    name='MyRegistry',
    description='Production registry'
)
print(response['registryArn'])
```

 **JWT-based registry:** 

```
import boto3

client = boto3.client('bedrock-agentcore-control')

response = client.create_registry(
    name='MyOAuthRegistry',
    authorizerType='CUSTOM_JWT',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'https://cognito-idp.us-east-1.amazonaws.com/<poolId>/.well-known/openid-configuration',
            'allowedClients': ['<appClientId>']
        }
    }
)
print(response['registryArn'])
```
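The SDK snippets above return as soon as the create call is accepted, while the registry itself starts in **Creating** and only becomes usable at **Ready**. The following added example (not from the AWS documentation) combines `create_registry` with polling of `get_registry` until that transition completes. It takes the client as a parameter so it can run offline against the constructed `FakeRegistryClient`, derives the registry ID from the returned ARN using the `arn:...:registry/<id>` format shown in the IAM policy example, and assumes that any status other than CREATING or READY during creation should be treated as a failure.

```python
import time

IN_PROGRESS = {"CREATING"}  # the page lists Creating, Ready, Updating, Deleting, or a failure state


def registry_id_from_arn(arn):
    # ARN format shown on this page: arn:aws:bedrock-agentcore:<region>:<account>:registry/<id>
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn}")
    kind, _, registry_id = parts[5].partition("/")
    if kind != "registry" or not registry_id:
        raise ValueError(f"not a registry ARN: {arn}")
    return registry_id


def wait_until_ready(client, registry_id, poll_seconds=5, max_polls=60, sleep=time.sleep):
    """Poll get_registry until status is READY; any state other than CREATING/READY is a failure."""
    for _ in range(max_polls):
        status = client.get_registry(registryId=registry_id)["status"].upper()
        if status == "READY":
            return status
        if status not in IN_PROGRESS:
            raise RuntimeError(f"registry {registry_id} entered unexpected state {status}")
        sleep(poll_seconds)
    raise TimeoutError(f"registry {registry_id} still not READY after {max_polls} polls")


def create_registry_and_wait(client, name, sleep=time.sleep, **create_kwargs):
    """Create the registry, then block until it is usable. Returns (arn, registry_id)."""
    arn = client.create_registry(name=name, **create_kwargs)["registryArn"]
    registry_id = registry_id_from_arn(arn)
    wait_until_ready(client, registry_id, sleep=sleep)
    return arn, registry_id


class FakeRegistryClient:
    """Constructed stand-in for the bedrock-agentcore-control client so the demo runs offline."""

    def __init__(self, statuses=("CREATING", "CREATING", "READY")):
        self._statuses = list(statuses)

    def create_registry(self, **kwargs):
        return {"registryArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:registry/demo-registry-id"}

    def get_registry(self, registryId):
        # Walk through the scripted statuses and keep returning the last one.
        return {"status": self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]}


if __name__ == "__main__":
    # Replace FakeRegistryClient() with boto3.client("bedrock-agentcore-control") for a real account.
    print(create_registry_and_wait(FakeRegistryClient(), "MyRegistry", sleep=lambda s: None))
```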

## List registries


### Console


1. Open the [Amazon Bedrock AgentCore console](https://console.aws.amazon.com/bedrock-agentcore/home?region=us-east-1#).

1. In the navigation pane, under **Discover** , choose **Registry**.

1. The **Registries** table displays all registries in your account with the following columns:

   1.  **Name** — The registry name (linked to the detail page).

   1.  **Description** — The registry description, if provided.

   1.  **Authorization type** — The inbound authorization method (AWS_IAM or CUSTOM_JWT).

   1.  **Status** — The current status (Creating, Ready, Updating, Deleting, or a failure state).

   1.  **ARN** — The registry Amazon Resource Name.

   1.  **Created** — The creation timestamp.

   1.  **Last updated** — The last modification timestamp.

1. Use the **Find registries** search bar to filter by name.

1. Use the pagination controls to navigate through results.

### AWS CLI


```
aws bedrock-agentcore-control list-registries \
  --region us-east-1
```

### AWS SDK


```
import boto3

client = boto3.client('bedrock-agentcore-control')

response = client.list_registries()
for registry in response['registries']:
    print(f"{registry['name']} - {registry['status']} - {registry['registryArn']}")
```

## View registry details


### Console


1. Open the [Amazon Bedrock AgentCore console](https://console.aws.amazon.com/bedrock-agentcore/home?region=us-east-1#).

1. In the navigation pane, under **Discover** , choose **Registry**.

1. Choose the registry name from the **Registries** table.

1. The registry detail page has two tabs:

   1.  **Manage records** — View and manage registry records.

   1.  **Search records** — Search for approved records in the registry.

1. The **Registry details** section displays: Name, Status, Description, Auto-approval (Enabled or Disabled), Registry ARN, Last updated date, Created date.

1. The **Registry records** section shows status summary counters (Total submitted, Pending approval, Approved, Deprecated, Rejected) and a records table.

1. The **Search API Authorization** (Inbound Authorization) section shows the current authorization type.

### AWS CLI


```
aws bedrock-agentcore-control get-registry \
  --registry-id "<registryId>" \
  --region us-east-1
```

### AWS SDK


```
import boto3

client = boto3.client('bedrock-agentcore-control')

response = client.get_registry(
    registryId='<registryId>'
)
print(f"Name: {response['name']}")
print(f"Status: {response['status']}")
print(f"ARN: {response['registryArn']}")
```

## Update a registry


### Console


1. Open the [Amazon Bedrock AgentCore console](https://console.aws.amazon.com/bedrock-agentcore/home?region=us-east-1#).

1. In the navigation pane, under **Discover** , choose **Registry**.

1. Select the radio button next to the registry you want to edit, then choose **Edit** . Alternatively, choose the registry name and then choose **Edit**.

1. On the **Edit registry** page, update any of the following:

   1.  **Name** — Change the registry name (same naming rules as creation).

   1.  **Description** — Under **Additional details** , update or add a description.

   1.  **Record approval** — Toggle **Auto-approval** on or off. Changes only affect records submitted after the update.

1. Choose **Save changes**.

**Note**  
Changing auto-approval from OFF to ON only affects records submitted after the change. Existing records already in 'Pending Approval' are not affected and must still be approved or rejected with the UpdateRegistryRecordStatus API. Changing it from ON to OFF only affects records that enter 'Pending Approval' after the change is made.

**Note**  
The discovery URL (for a JWT authorized registry) cannot be changed after the registry is created. The inbound authorization type (IAM or JWT) cannot be changed after the registry is created.

### AWS CLI


```
aws bedrock-agentcore-control update-registry \
  --registry-id "<registryId>" \
  --description '{"optionalValue": "Updated description"}' \
  --region us-east-1
```

### AWS SDK


```
import boto3

client = boto3.client('bedrock-agentcore-control')

response = client.update_registry(
    registryId='<registryId>',
    description={'optionalValue': 'Updated description'}
)
print(f"Updated: {response['name']} - Status: {response['status']}")
```

## Delete a registry


### Console


1. Open the [Amazon Bedrock AgentCore console](https://console.aws.amazon.com/bedrock-agentcore/home?region=us-east-1#).

1. In the navigation pane, under **Discover** , choose **Registry**.

1. Select the radio button next to the registry you want to delete, then choose **Delete**.

1. In the confirmation dialog, review the warning: you must first delete all registry records before deleting the registry.

1. Type **delete** in the confirmation field.

1. Choose **Delete**.

The registry status changes to **Deleting** . A success banner confirms when deletion completes.

### AWS CLI


```
aws bedrock-agentcore-control delete-registry \
  --registry-id "<registryId>" \
  --region us-east-1
```

### AWS SDK


```
import boto3

client = boto3.client('bedrock-agentcore-control')

response = client.delete_registry(
    registryId='<registryId>'
)
print(f"Status: {response['status']}")  # DELETING
```