# Amazon Bedrock AgentCore

## Selecting the Connection Type

Once you have [selected your connection type](https://docs.probe.splx.ai/ai-red-teaming/probe/add-target/integration-setup#selecting-a-connection-type), a configuration tab will appear on the next step, prompting you to input the required connection details.

## Integration Setup

<figure><img src="https://1029475228-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi12bk7lo75SODuwcRCQp%2Fuploads%2FTbhYVi9SOIxxW476urSs%2Fprobe.dev.splx.ai_w_339_target_create_99.png?alt=media&#x26;token=59a61dac-37b6-4391-a837-c31a8422d57c" alt=""><figcaption><p>Figure 1: Amazon Bedrock AgentCore Integration Example</p></figcaption></figure>

* **Agent Runtime ARN** - ARN (Amazon Resource Name) of the Bedrock AgentCore runtime you want to invoke.
* **AWS Region** - AWS region where that runtime is deployed (for example: "us-east-1").
* **AWS Access Key Id** - IAM (Identity and Access Management) access key used to sign Bedrock AgentCore API calls.
* **AWS Secret Access Key** - IAM secret access key paired with the Access Key Id. Note that AWS **only shows secret keys at creation time**, so store it securely.
* **Qualifier** - Optional runtime qualifier (for example a version or alias) used to route the invocation to a specific runtime revision. Leave it empty to use the runtime’s default.
* **Payload Template** - JSON payload sent to the AgentCore runtime on each invocation. Use placeholders to let the platform inject dynamic values:
  * **{message}** - the current probe/test message.
  * **{session\_id}** - unique identifier for the conversation session (useful for multi-step tests).
* **Response Path** - The JSON path pointing to the text response in the response.
* **Image Response Path** - The JSON path pointing to generated **images** in the response(for example an array of base64 strings or URLs). Leave empty if your runtime does not return images.
* **Audios Response Path** - The JSON path pointing to generated **audio** in the response. Leave empty if not applicable.
* **Documents Response Path** - The JSON path pointing to generated **documents/files** in the response. Leave empty if not applicable.

## How to Obtain Required Fields

* **Agent Runtime ARN**
  * Find the runtime in the AWS console where you manage your AgentCore runtime.
  * Copy the resource **ARN** from the runtime details page.
  * If you provisioned it via IaC (CloudFormation/Terraform/CDK), you can also use the output variable that contains the ARN.
* **AWS Region**
  * Use the same region where the runtime lives.
  * You can read it from the AWS console region selector or from the ARN.
* **AWS Access Key Id / AWS Secret Access Key**
  * Create an access key for an IAM principal that has permission to invoke the runtime.
  * IAM console path: **IAM** → **Users** → select user → **Security credentials** → **Access keys**.
  * AWS docs: <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html>
* **Qualifier**
  * Only needed if your runtime supports routing by version/alias/qualifier.
  * Use the exact qualifier value your runtime expects. Otherwise leave it blank.
* **Payload Template**

  * Use the request payload schema your runtime expects.
  * Example:<br>

    ```
    { "prompt": "{message}", "session": "{session_id}", "media": {"type": "image", "data": "{image_base64}"} }
    ```
  * Easiest way: run one test invocation from your app/SDK, then copy the JSON body and replace the user message with **`{message}`**.
  * Add **`{session_id}`** if your runtime supports multi-turn sessions.

  | Placeholder        | Description                 |
  | ------------------ | --------------------------- |
  | {message}          | Main text message           |
  | {session\_id}      | Runtime session ID          |
  | {image\_url}       | Image URL                   |
  | {image\_base64}    | Image as base64 data URL    |
  | {audio\_url}       | Audio URL                   |
  | {audio\_base64}    | Audio as base64 data URL    |
  | {document\_url}    | Document URL                |
  | {document\_base64} | Document as base64 data URL |
* **Response Path**
  * Invoke the runtime once and inspect the raw JSON response.
  * Set this to the JSON path pointing to the **text** content you want SPLX to evaluate.
  * If you’re unsure about the JSON path format, see the definition used in the [REST API connection](https://docs.probe.splx.ai/ai-red-teaming/probe/target/rest-api#integration-setup).
* **Image Response Path**
  * JSON path to images in the response (array of base64 strings or URLs), if your runtime returns images.
* **Audios Response Path**
  * JSON path to audio in the response, if your runtime returns audio.
* **Documents Response Path**
  * JSON path to documents/files in the response, if your runtime returns documents.

{% hint style="warning" %}
If you can’t locate a field in the AWS console, it’s probably not AWS metadata. It’s likely part of **your runtime’s request/response contract** (payload + response paths).
{% endhint %}