|
You're shipping Node.js agents on AWS Lambda. They call third-party APIs, spawn sub-agents, and handle user data — inside a 15-second invocation window. Hard-coding API keys won't cut it: the service-account model breaks when your principal is autonomous. Credentials need task-scoped lifetimes, not developer-scoped ones.
This workshop covers the identity architecture for AI agents running in serverless environments:
- AWS STS for time-bounded credential assumption — each Lambda invocation gets a short-lived role session scoped to that specific task and user delegation
- AWS Secrets Manager for automated rotation — agents pull fresh credentials at invocation time, never from environment variables or committed config files
- AWS CloudTrail for non-repudiable audit — trace each agent API call back to a specific session, task, and delegation chain
We'll walk through OAuth-based agent identity with Auth0, showing how machine-to-machine tokens and federation policies scope what a serverless agent can access across multi-tenant environments.
|