AWS Bedrock — AgentCore

Bring an agent you deploy in your own AWS account (Amazon Bedrock AgentCore runtime). Chamade dispatches each event to your runtime and delivers its reply — using a scoped, temporary cross-account credential, never a long-term key.

What it is

An agent provider is the AI runtime that powers your agent. With AWS there are two:

AWS Bedrock AgentCore (recommended) — a code-first agent (Strands, LangGraph, CrewAI, or any container that speaks the AgentCore contract) you deploy to an AgentCore runtime in your account. The agent decides which model to call — Claude, Amazon Nova, Llama, a fine-tune. Chamade only invokes it.
AWS Bedrock Agents (classic) — an agent you build in the Bedrock console with action groups and knowledge bases. See below.

When a human DMs your agent on Telegram, joins a call, etc., Chamade calls your runtime with the message and delivers whatever it replies. Conversation memory is kept server-side by AgentCore, per session.

Setup (AgentCore)

Deploy your agent to an AgentCore runtime in your AWS account (the starter toolkit builds + deploys it). Use the default SigV4 (IAM) inbound auth. Note the region.
In your dashboard → an agent → pick the AWS Bedrock AgentCore preset. Then:
- Step 1 — give Chamade an access role. Click Launch Stack in AWS (one-click CloudFormation, pre-filled), or copy the trust + permission policies and create the role by hand.
- Step 2 — paste the role ARN (or the CloudFormation stack ARN — Chamade resolves it).
- Step 3 — Browse runtimes in your region, pick yours, Save.

The role is per-user: set it up once and every other agent you create reuses it — just Browse & pick.

Authentication

Chamade reaches your account the way every reputable SaaS does — a cross-account IAM role you create, that Chamade assumes with short-lived credentials (sts:AssumeRole + a per-account ExternalId). The role grants only ListAgentRuntimes + InvokeAgentRuntime, nothing else. No long-term key ever leaves your account, and you revoke access any time by deleting the role.

Credential	Works for AgentCore?
Cross-account role (assume-role)	✅ This is what Chamade uses — temporary, scoped, revocable.
Bedrock API key (`ABSK…` bearer)	❌ Does not work on AgentCore — its inbound auth is SigV4 or JWT, not the API key. (The key only drives stateless Converse, which Chamade doesn't host.)
Long-term IAM access key	❌ Not used — AWS discourages handing long-term keys to third parties, and assume-role is the sanctioned alternative.

Giving the agent Chamade's tools

You don't have to teach your agent anything — Chamade sends the output convention for you, folded into the first message of each conversation (the same preamble shown in the dashboard's System prompt field, which you can edit). Your agent just forwards the prompt to its LLM; the model then emits inline tags Chamade executes:

<write> — reply in the current DM/call · <say> — speak (TTS) into a call · <file> — attach a file · <accept/> / <refuse/> / <leave/>.
Cross-target: <dm platform="discord" to="…" account_id="discord:…">text</dm> reaches a different platform. Each event already carries an [agent context] line with your account ids, so no lookup is needed.

A minimal "forward the prompt to a model" agent is enough. For example, an agent calling Amazon Nova returns a clean cross-target action:

reply
<dm platform="discord" to="444555666" account_id="discord:444555666">Why don't scientists trust atoms? Because they make up everything!</dm>
<write>Done — sent a random joke to your Discord.</write>

Want the agent to read Chamade state mid-reasoning (transcripts, history)? Wire Chamade's hosted MCP (https://mcp.chamade.io/mcp/) into your agent code — read with MCP, act with the XML tags (never both, or actions fire twice).

Classic Bedrock Agents

If you built an agent in the Bedrock console (action groups + knowledge bases, ARN like arn:aws:bedrock:…:agent/…), pick the AWS Bedrock Agents preset instead. It invokes InvokeAgent and authenticates with SigV4 — either an IAM access key or keyless OIDC federation (Chamade as your OIDC provider). Note that AWS is steering new work to AgentCore; classic Agents are the legacy path.

Good to know

The agent needs ≥1 platform account attached in Chamade, or its actions reach nothing.
Region matters: pick the region your runtime lives in (Browse lists runtimes per region).
Model access: your agent's model must be enabled in your account/region. Anthropic Claude needs the one-time "use case details" form in the Bedrock console; Amazon models (Nova, Titan) don't.
A runtime is locked to one inbound auth method per version — Chamade targets SigV4-configured runtimes (the deploy default).
Editing the system prompt resets the agent's conversations so the new convention re-folds on the next turn.