Skip to content

Quick start

Go from zero to your first agent-created pull request in about 30 minutes. This guide covers only the minimum path - see the Developer guide and User guide for the full details.

Steps 4–6 offer ABCA CLI and AWS CLI tabs on each step (ABCA CLI is the default). Steps 4–5 share the same tab choice; Step 6 uses a separate tab group because submit adds a REST API call via curl on the AWS CLI path.

Install these before you begin:

  • AWS account with credentials configured (aws configure). If you use named profiles, set AWS_PROFILE before running any commands in this guide.
  • Amazon Bedrock — The agent invokes Claude through Bedrock. IAM grantInvoke in the CDK stack is required but not sufficient: your account must also satisfy Amazon Bedrock model access for the model you use (including Anthropic first-time use where applicable, Marketplace subscription flow on first serverless use, and a valid payment method for Marketplace-backed models). See Amazon Bedrock before your first task after Step 3.
  • Docker - for building the agent container image. On an x86_64 host you also need QEMU/binfmt to build the arm64 (Graviton) image — see the caution in Step 3.
  • Node.js v20 or later (Node 24 is the supported maximum — see CI matrix)
  • mise - task runner (install guide)
  • AWS CDK CLI - npm install -g aws-cdk (after mise is active)
  • GitHub account — You need a GitHub profile to fork the sample repository and create a fine-grained personal access token (PAT) the agent uses to push branches and open pull requests. A free github.com account is sufficient.

This project uses mise to manage tool versions (Node.js, Python, security scanners) and run tasks across the monorepo. Yarn Classic handles JavaScript workspaces (cdk/, cli/, docs/).

Terminal window
git clone https://github.com/aws-samples/sample-autonomous-cloud-coding-agents.git
cd sample-autonomous-cloud-coding-agents
# Trust mise config and install tools
mise trust
mise install
# Enable Yarn via Corepack
corepack enable
corepack prepare yarn@1.22.22 --activate
# Install dependencies and build
export MISE_EXPERIMENTAL=1
mise run install
mise run build

mise run install installs all JavaScript and Python dependencies across the monorepo. mise run build compiles the CDK app, the CLI, the agent image, and the docs site. A successful build means you are ready to deploy.

Note: mise run build includes CDK synthesis, which queries AWS for availability zones. Your active AWS credentials must have at least ec2:DescribeAvailabilityZones permission, or the build will fail. If you use named profiles, make sure AWS_PROFILE is set before running the build.

The agent works by cloning a GitHub repository, creating a branch, making code changes, running the build and tests, and opening a pull request. This means it needs write access to a real repository you control.

The Quick Start uses awslabs/agent-plugins — a lightweight sample repo designed for testing the platform. You must fork it to your own GitHub account before continuing; do not point the platform at the upstream awslabs/agent-plugins repo unless you have direct write access there (most users do not).

  1. Sign in to GitHub and open github.com/awslabs/agent-plugins.
  2. Click Fork (top-right), choose your personal account (or an organization you admin), and confirm.
  3. Wait for the fork to finish. Your copy lives at https://github.com/<your-username>/agent-plugins.
  4. Note the owner/repo slug — for example jane-doe/agent-plugins. You will use this exact string in CDK context, the PAT repository scope, and every submit --repo … command in Step 6.

Every repository the agent can work on must be onboarded as a Blueprint construct in the CDK stack. The Blueprint writes a configuration record to DynamoDB; the orchestrator checks this before accepting tasks.

For the sample AgentPlugins blueprint, cdk/src/stacks/agent.ts resolves the GitHub owner/repo in this order: the BLUEPRINT_REPO environment variable, then CDK context blueprintRepo, then the default awslabs/agent-plugins:

const blueprintRepo = process.env.BLUEPRINT_REPO ?? this.node.tryGetContext('blueprintRepo') ?? 'awslabs/agent-plugins';
const agentPluginsBlueprint = new Blueprint(this, 'AgentPluginsBlueprint', {
repo: blueprintRepo,
repoTable: repoTable.table,
});

Recommended: add your fork to cdk/cdk.json so the value is checked in and you do not have to export an environment variable in every shell session. Edit cdk/cdk.json and add a "context" block (create it if missing):

{
"app": "npx ts-node -P tsconfig.json --prefer-ts-exts src/main.ts",
"context": {
"blueprintRepo": "your-username/agent-plugins"
}
}

Replace your-username/agent-plugins with the slug from your fork in the previous step.

After changing cdk.json, recompile the CDK app so the updated context is picked up before deploy:

Terminal window
export MISE_EXPERIMENTAL=1
mise //cdk:compile

You can also run a full mise run build (includes compile). Then deploy in Step 3 with mise //cdk:deploy. If you already deployed once with the wrong repo name, edit cdk.json and redeploy — the Blueprint updates the DynamoDB record on stack update.

Alternatively, for a one-off deploy without editing cdk.json:

Terminal window
export BLUEPRINT_REPO=your-username/agent-plugins

Or pass context on the command line: cdk deploy -c blueprintRepo=your-username/agent-plugins. The environment variable wins over context when both are set.

The resolved repo value must match exactly what you pass to the CLI later (owner/repo format). To onboard additional repositories, add more Blueprint constructs in agent.ts and redeploy (see Onboard your own repositories below).

The agent authenticates to GitHub using a fine-grained personal access token (PAT). Go to GitHub → SettingsDeveloper settingsFine-grained tokensGenerate new token.

Grant these permissions on that repository:

PermissionAccessWhy
ContentsRead and writeClone the repo and push branches
Pull requestsRead and writeCreate and update pull requests
IssuesReadRead issue context for tasks that reference an issue
MetadataRead (default)Required by GitHub for all fine-grained tokens

Keep the token value — you will store it in AWS Secrets Manager in Step 4.

The CDK stack deploys the full platform: API Gateway, Lambda functions (orchestrator, task CRUD, webhooks), DynamoDB tables, AgentCore Runtime, VPC with network isolation, Cognito user pool, and CloudWatch dashboards.

Terminal window
# Bootstrap CDK (first time only)
mise //cdk:bootstrap
# Deploy the stack (~10 minutes). --require-approval never lets it run
# unattended; drop the flag if you want to review IAM/security-group changes.
mise //cdk:deploy -- --require-approval never

CDK bootstrap provisions the staging resources CDK needs (S3 bucket, IAM roles). The deploy itself takes around 10 minutes — most of the time is spent building the Docker image and provisioning the AgentCore Runtime.

The stack grants the AgentCore runtime bedrock:InvokeModel* on the foundation models and cross-Region inference profiles declared in cdk/src/stacks/agent.ts (grantInvoke). That covers IAM only.

You must also be able to invoke the model in Bedrock from your account (and Region):

  1. Access and subscription — Bedrock serverless foundation models are used with the right IAM and, for third-party models, AWS Marketplace permissions; first-time subscription can take up to several minutes. Missing prerequisites often surface as AccessDeniedException. See Request access to models in the Bedrock User Guide.
  2. Anthropic first-time use — For Anthropic models, submit use-case details once per account (console model catalog or PutUseCaseForModelAccess) before invocation, as described in the same guide (unless you use the documented bedrock-mantle exception).
  3. Inference profile as modelId — For InvokeModel / streaming, pass the inference profile ID or ARN where Bedrock requires it (for example us.anthropic.claude-sonnet-4-6 for US cross-Region Sonnet 4.6). See Use an inference profile in model invocation.
  4. Cross-Region routing — System-defined inference profiles can route across Regions within a geography. IAM (and any SCPs) must allow the profile and underlying model in all relevant Regions; see Supported Regions and models for inference profiles.

If a task fails immediately with text like the model is not available on your Bedrock deployment, open the Bedrock console model catalog for your deployment Region, complete access steps for that model family, align the repo model_id (DynamoDB / Blueprint) and runtime IAM with an enabled inference profile, then redeploy and retry.

The agent reads the GitHub PAT from AWS Secrets Manager at runtime. The CDK stack created an empty secret for you - now you need to put your token value in it. Replace ghp_your_token_here with the actual token from Step 2. Make sure REGION matches where you deployed - if it is empty, the AWS CLI builds a malformed endpoint URL and fails silently.

Terminal window
cd cli
REGION=us-east-1 # your deployment region
# Interactive prompt — stores in the platform GitHubTokenSecretArn output
node lib/bin/bgagent.js github set-token --region "$REGION" --stack-name backgroundagent-dev

For a repository with a per-blueprint token secret (credentials.githubTokenSecretArn on the Blueprint), target that repo instead:

Terminal window
cd cli
node lib/bin/bgagent.js github set-token --region "$REGION" --repo your-org/your-repo

The REST API uses Amazon Cognito for authentication. Self-signup is disabled, so an operator must create users (AWS credentials with cognito-idp:AdminCreateUser and cognito-idp:AdminSetUserPassword on the pool — no ABCA CLI configure required yet). The pool requires the username to be a valid email, a password of at least 12 characters mixing uppercase, lowercase, digits, and symbols, and the user’s email to be pre-verified.

Terminal window
cd cli
REGION=us-east-1 # your deployment region (same as Step 4)
# Creates the user, sets a permanent password, and writes credentials + configure bundle
# to ~/.bgagent/invites/you@example.com.txt (mode 0600)
node lib/bin/bgagent.js admin invite-user you@example.com \
--region "$REGION" \
--stack-name backgroundagent-dev

The command wraps AdminCreateUser + AdminSetUserPassword: email is pre-verified, the welcome email is suppressed (avoids SES errors on new accounts), and the password is permanent (no forced change on first login). When stack outputs are available, the invite file also includes a configure bundle for Step 6.

To manage users later:

Terminal window
cd cli
node lib/bin/bgagent.js admin list-users --region "$REGION" --stack-name backgroundagent-dev
node lib/bin/bgagent.js admin reset-password you@example.com --region "$REGION"
node lib/bin/bgagent.js admin delete-user someone@example.com --region "$REGION"

Authenticate, then submit your first task. A typical simple task takes 2-5 minutes. When it completes, you will see a PR URL — open it in your browser to review the agent’s work.

The ABCA CLI handles Cognito authentication, token caching, and output formatting.

Terminal window
cd cli
REGION=us-east-1 # your deployment region (same as Step 4)
# After Step 5 invite-user: paste the bundle from ~/.bgagent/invites/you@example.com.txt
node lib/bin/bgagent.js configure --from-bundle "<paste bundle from invite file>"
# Or read ApiUrl / UserPoolId / AppClientId from CloudFormation (same as `platform outputs`)
node lib/bin/bgagent.js configure --region "$REGION" --stack-name backgroundagent-dev
# Log in (password from ~/.bgagent/invites/you@example.com.txt)
node lib/bin/bgagent.js login --username you@example.com
# Submit your first task and wait for it to complete
node lib/bin/bgagent.js submit \
--repo your-username/agent-plugins \
--task "Add a CODEOWNERS file to the repository root" \
--wait

The --wait flag polls until the task reaches a terminal state. You can still pass --api-url, --user-pool-id, or --client-id to override individual stack outputs.

ABCA CLI-only helpers after submit — use watch to stream progress events in real time:

Terminal window
cd cli
node lib/bin/bgagent.js watch <TASK_ID>

While a task is running, you can steer the agent with a nudge:

Terminal window
cd cli
node lib/bin/bgagent.js nudge <TASK_ID> "Also add a test for the edge case"

If your blueprint defines any Cedar HITL policies tagged @tier("soft"), the agent pauses on matching tool calls and waits for your decision. This step walks through the flow end-to-end. Run the commands below from the cli/ directory (cd cli from the repo root).

First, check which rules apply to your repo:

Terminal window
cd cli
node lib/bin/bgagent.js policies list --repo owner/repo

Submit a task that will plausibly trip a soft-deny rule — for example, one of the default blueprint rules guards force-pushes:

Terminal window
cd cli
node lib/bin/bgagent.js submit --repo owner/repo \
--task "Force-push the feature branch so the history is linear"

In a second terminal, watch the task:

Terminal window
cd cli
node lib/bin/bgagent.js watch <TASK_ID>

When the agent hits the guarded tool call, watch prints an approval_requested event and the task status flips to AWAITING_APPROVAL. List the pending approval:

Terminal window
cd cli
node lib/bin/bgagent.js pending

The output includes ready-to-run approve/deny lines. Pick one:

Terminal window
cd cli
# Approve just this call
node lib/bin/bgagent.js approve <TASK_ID> <REQUEST_ID>
# Or deny with a reason that nudges the agent toward a safer approach
node lib/bin/bgagent.js deny <TASK_ID> <REQUEST_ID> \
--reason "Don't force-push shared branches; open a revert PR instead"

The task transitions back to RUNNING immediately on a decision. The denial reason is injected into the agent’s context so it can adapt rather than retry the same tool call. If no decision arrives within the rule’s timeout (300 s by default), the gate is treated as a denial with timed_out as the reason.

If you want a task to run without interactive gates (e.g. an unattended overnight job), pre-approve the scopes you trust up-front:

Terminal window
cd cli
node lib/bin/bgagent.js submit --repo owner/repo --issue 42 \
--pre-approve tool_type:Bash \
--pre-approve write_path:tests/**

Hard-deny rules (no @tier("soft") annotation) are always enforced — --pre-approve only short-circuits soft-deny rules. For the full command reference see User guide — Approval gates; for authoring your own rules see the Cedar policy guide.

Here is what the platform did after you ran node lib/bin/bgagent.js submit:

  1. Task creation - The CLI authenticated via Cognito and sent a POST /v1/tasks request. The API validated the request, checked idempotency, and stored a task record in DynamoDB with status SUBMITTED.
  2. Orchestration - The durable orchestrator picked up the task and ran admission control (concurrency limits). It then ran pre-flight checks - calling the GitHub API to verify your token can access the repository with push permissions. If the token were read-only, the task would have failed here with a clear error instead of failing later inside the agent.
  3. Context hydration - The orchestrator assembled the agent’s prompt: your task description, any repository memory from past tasks, and the system prompt that defines the agent’s behavioral contract. The task transitioned to HYDRATING.
  4. Agent execution - An isolated MicroVM started via AgentCore Runtime. The agent cloned your repository, created a branch (bgagent/<task-id>/<description-slug>), made the requested changes, ran mise run build to verify the build passes, committed incrementally, and opened a pull request. The task transitioned to RUNNING.
  5. Finalization - The orchestrator detected the agent finished, recorded the PR URL, cost, and duration on the task record, and transitioned to COMPLETED.
ErrorCauseFix
yarn: command not foundCorepack not enabled or mise not activated in your shellRun eval "$(mise activate zsh)", then corepack enable && corepack prepare yarn@1.22.22 --activate
MISE_EXPERIMENTAL requiredNamespaced tasks need the experimental flagexport MISE_EXPERIMENTAL=1
exec /bin/sh: exec format error during image buildx86 host building the arm64 (Graviton) agent image without QEMU/binfmtRun docker run --privileged --rm tonistiigi/binfmt --install arm64, or build from a native arm64 host (see Step 3 caution)
AccessDeniedException on update-trace-segment-destinationX-Ray → CloudWatch Logs tracing is optional and the call may be SCP-blocked on Org accountsSkip it — tracing is disabled by default and not required to deploy (see Step 3 note)
mise run build fails with ec2:DescribeAvailabilityZones errorAWS credentials missing or insufficient for CDK synthSet AWS_PROFILE or configure credentials with at least EC2 read access
CDK deploy prompts for approval and hangsNon-interactive terminal (CI/CD, scripts)Pass --require-approval never to cdk deploy (Step 3 uses it) or use an interactive terminal
Deploy rolled back; can’t redeploy (ROLLBACK_COMPLETE)A first-create failure leaves the stack un-updatablemise //cdk:destroy (or delete the stack), then deploy again. Do not force-delete past stuck VPC resources — it orphans the VPC, and VPCs are quota-capped per Region
Stack stuck in DELETE_FAILED on a security group / subnetAgentCore’s service-managed (Hyperplane) ENIs reclaim asynchronously after the runtime is goneWait ~20–40 min for AWS to release the ENIs, then retry mise //cdk:destroy. You cannot force-detach an amazon-aws-owned ENI
put-secret-value returns double-dot endpointREGION variable is emptySet REGION=us-east-1 (or your actual region) before running the command
Model / Bedrock errors in logs (not available on your bedrock, zero tokens)Model not entitled for the account or Region, wrong modelId shape, or missing Marketplace / FTU stepsFollow Amazon Bedrock before your first task above; confirm model access and use an inference profile ID such as us.anthropic.claude-sonnet-4-6 where required; keep grantInvoke in agent.ts aligned with that model
REPO_NOT_ONBOARDED on task submitBlueprint repo does not match what you passed to the CLIConfirm BLUEPRINT_REPO, CDK context blueprintRepo, or the repo prop on the Blueprint in cdk/src/stacks/agent.ts resolves to exactly the same owner/repo you pass to the CLI
INSUFFICIENT_GITHUB_REPO_PERMISSIONSPAT is missing required permissions or is scoped to the wrong repoRegenerate the PAT with Contents (read/write) and Pull requests (read/write) scoped to your fork, then update Secrets Manager
Task stuck in SUBMITTEDOrchestrator Lambda may not have been invokedCheck CloudWatch logs for the orchestrator Lambda; verify the stack deployed successfully
node: command not found in cli/mise shell activation missingRun eval "$(mise activate zsh)" and confirm node --version shows v22.x

Once you have the basic flow working, here are the main ways to customize the platform for your needs.

Add more Blueprint constructs in cdk/src/stacks/agent.ts and redeploy. Each Blueprint registers one repository. You can onboard as many repos as you want - each one gets its own configuration record in DynamoDB.

new Blueprint(this, 'MyServiceBlueprint', {
repo: 'my-org/my-service',
repoTable: repoTable.table,
});

Blueprints accept optional overrides to customize agent behavior per repository: which model to use, how many turns the agent gets, cost budget limits, extra system prompt instructions, and network egress rules. See the User guide - Per-repo overrides for the full list.

new Blueprint(this, 'CustomBlueprint', {
repo: 'my-org/my-service',
repoTable: repoTable.table,
agent: {
modelId: 'us.anthropic.claude-sonnet-4-6',
maxTurns: 50,
systemPromptOverrides: 'Always write tests. Use conventional commits.',
},
});

The agent automatically loads project-level instructions from CLAUDE.md at the repository root (or .claude/CLAUDE.md). This is the most effective way to improve agent output for a specific repo - tell it your build commands, coding conventions, architecture boundaries, and constraints. See the Prompt guide for examples and best practices.

Webhooks let external systems (GitHub Actions, CI pipelines) create tasks without Cognito credentials, using HMAC-SHA256 authentication. This is useful for automating PR review on every PR, or triggering code changes from CI events. See the User guide - Webhooks for setup instructions.

Run from the cli/ directory (cd cli from the repo root):

  • Try an issue-based task: node lib/bin/bgagent.js submit --repo owner/repo --issue 42
  • Iterate on a PR: node lib/bin/bgagent.js submit --repo owner/repo --pr 1
  • Review a PR: node lib/bin/bgagent.js submit --repo owner/repo --review-pr 1
  • Pick a workflow explicitly: node lib/bin/bgagent.js submit --repo owner/repo --task "..." --workflow coding/new-task-v1 — see User guide - Workflows
  • Watch a task live: node lib/bin/bgagent.js watch <TASK_ID> — stream progress events
  • Steer a running task: node lib/bin/bgagent.js nudge <TASK_ID> "focus on tests" — mid-run guidance
  • Enable tracing: node lib/bin/bgagent.js submit --repo owner/repo --issue 42 --trace then node lib/bin/bgagent.js trace download <TASK_ID>
  • Manage webhooks: node lib/bin/bgagent.js webhook create --name "My CI" — automate task submission from external systems
  • Run locally first: Test with ./agent/run.sh before deploying - see the Developer guide