|
| 1 | +# Claude Code on AgentCore Runtime with S3 Files |
| 2 | + |
| 3 | +Deploys Claude Code as an HTTP agent on AWS Bedrock AgentCore Runtime, with an S3 Files file system mounted at `/mnt/s3files` for persistent storage shared across sessions. |
| 4 | + |
| 5 | +## Architecture |
| 6 | + |
| 7 | +``` |
| 8 | + ┌─────────────────────────┐ ┌─────────────────────────┐ |
| 9 | + │ AgentCore Runtime │ │ AgentCore Runtime │ |
| 10 | + │ Session A │ │ Session B │ |
| 11 | + │ (Claude Code) │ │ (Claude Code) │ |
| 12 | + │ │ │ │ |
| 13 | + │ /mnt/s3files ──────────┼────┐ │ /mnt/s3files ──────────┼────┐ |
| 14 | + └─────────────────────────┘ │ └─────────────────────────┘ │ |
| 15 | + │ │ |
| 16 | + ▼ ▼ |
| 17 | + ┌──────────────────────────────────────────────────┐ |
| 18 | + │ S3 Files File System │ |
| 19 | + │ │ |
| 20 | + │ ┌────────────────────────┐ │ |
| 21 | + │ │ S3 Files Access Point │ │ |
| 22 | + │ │ (uid/gid 1000) │ │ |
| 23 | + │ └───────────┬────────────┘ │ |
| 24 | + └──────────────┼───────────────────────────────────┘ |
| 25 | + │ |
| 26 | + ▼ |
| 27 | + ┌──────────────────────────────┐ |
| 28 | + │ S3 Bucket │ |
| 29 | + │ (agentcore-<account-id>) │ |
| 30 | + │ │ |
| 31 | + │ agents/ │ |
| 32 | + │ ├── skills/ │ |
| 33 | + │ ├── results/ │ |
| 34 | + │ └── ... │ |
| 35 | + └──────────────────────────────┘ |
| 36 | +``` |
| 37 | + |
| 38 | +Multiple runtime sessions mount the same S3 Files file system, enabling agents to share skills, results, and data across independent invocations. |
| 39 | + |
| 40 | +``` |
| 41 | +CloudFormation stack (cfn-vpc.yaml): |
| 42 | + VPC, subnets, NAT Gateway, Security Group |
| 43 | + S3 Files IAM role, file system, access point, mount targets |
| 44 | +
|
| 45 | +deploy.py creates: |
| 46 | + IAM execution role |
| 47 | + AgentCore Runtime (container from ECR, S3 Files mounted at /mnt/s3files) |
| 48 | +``` |
| 49 | + |
| 50 | +## Prerequisites |
| 51 | + |
| 52 | +### Python environment |
| 53 | + |
| 54 | +```bash |
| 55 | +uv venv --python 3.13 .venv |
| 56 | +source .venv/bin/activate |
| 57 | +uv pip install boto3 awscli --force-reinstall --no-cache-dir |
| 58 | +``` |
| 59 | + |
| 60 | +### S3 Files IAM policies |
| 61 | + |
| 62 | +The CloudFormation stack creates an IAM role (`S3FilesRole`) with the permissions required by S3 Files (S3, KMS, and EventBridge). For the full list of required policies, see the [S3 Files prerequisite policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-files-prereq-policies.html) documentation. |
| 63 | + |
| 64 | +## Step-by-step guide |
| 65 | + |
| 66 | +### Step 1 — Infrastructure setup (CloudFormation) |
| 67 | + |
| 68 | +Run the setup script to create the S3 bucket, deploy the CloudFormation stack (VPC, subnets, NAT Gateway, Security Group, S3 Files), build the arm64 Docker image, and push it to ECR. |
| 69 | + |
| 70 | +```bash |
| 71 | +./setup.sh us-west-2 |
| 72 | +``` |
| 73 | + |
| 74 | +All outputs are saved to `envvars.config` and used automatically by the next steps. |
| 75 | + |
| 76 | +### Step 2 — Deploy the agent |
| 77 | + |
| 78 | +Create the IAM execution role and the AgentCore Runtime: |
| 79 | + |
| 80 | +```bash |
| 81 | +python deploy.py |
| 82 | +``` |
| 83 | + |
| 84 | +The script waits until the runtime status is `READY` and saves the runtime config to `runtime_config.json`. |
| 85 | + |
| 86 | +If you need to update an existing runtime (e.g. after rebuilding the Docker image), run: |
| 87 | + |
| 88 | +```bash |
| 89 | +python update.py |
| 90 | +``` |
| 91 | + |
| 92 | +### Step 3 — Invoke the agent |
| 93 | + |
| 94 | +Send a prompt to the deployed agent. The first call creates a new session; subsequent calls can reuse the session ID for conversation continuity. |
| 95 | + |
| 96 | +**Session A** — create a shared skill on the persistent filesystem: |
| 97 | + |
| 98 | +```bash |
| 99 | +python invoke.py "can u create a new skill, to review python code? This skill should be created into /mnt/s3files/skills/" |
| 100 | +``` |
| 101 | + |
| 102 | +Continue the conversation within the same session: |
| 103 | + |
| 104 | +```bash |
| 105 | +python invoke.py --session <session-a-id> "now add unit tests for that skill" |
| 106 | +``` |
| 107 | + |
| 108 | +**Session B** — a completely new session accesses the same filesystem and uses the skill created by Session A: |
| 109 | + |
| 110 | +```bash |
| 111 | +python invoke.py "list the skills available in /mnt/s3files/skills/ and use the python review skill to review this code: def add(a,b): return a+b" |
| 112 | +``` |
| 113 | + |
| 114 | +Both sessions share `/mnt/s3files`, so anything written by one session is immediately available to others. |
| 115 | + |
| 116 | +### Step 4 — Execute a command on the running session |
| 117 | + |
| 118 | +Run a shell command directly on the container using the session ID from the previous step: |
| 119 | + |
| 120 | +```bash |
| 121 | +python exec_cmd.py --session 7fd93a80-8838-4721-abea-b1787dd0172c "ls -l /mnt/s3files" |
| 122 | +``` |
| 123 | + |
| 124 | +### Step 5 — Cleanup |
| 125 | + |
| 126 | +Delete all AgentCore resources (runtime, IAM role) and the CloudFormation stack. The S3 bucket is kept. |
| 127 | + |
| 128 | +```bash |
| 129 | +python cleanup.py |
| 130 | +``` |
| 131 | + |
| 132 | +Or use the shell wrapper: |
| 133 | + |
| 134 | +```bash |
| 135 | +./cleanup.sh |
| 136 | +``` |
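Review bot: Step 3 says anything one session writes to `/mnt/s3files` is immediately available to others, and its Session B example runs a skill that Session A generated from a prompt, but the README never states who is trusted to write under `skills/`. Every session goes through the same access point (uid/gid 1000 in the diagram), so a skill file written by one session is effectively instructions for every later session. Please add a short section stating the trust assumption (single tenant, all callers equally trusted, or otherwise), and say whether `skills/` is meant to be writable by ordinary sessions or reviewed before reuse. Smaller points: Step 4 passes a literal session ID to `exec_cmd.py` where Step 3 uses the `<session-a-id>` placeholder, so use a placeholder there too; the `uv pip install boto3 awscli --force-reinstall --no-cache-dir` line installs unpinned versions; and Step 5 should mention that the retained bucket still holds everything under `agents/`, including skills that a future deployment would mount again.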