Add Codex CLI with OpenAI API key example on AgentCore Runtime #1513

Draft: Sushant20 wants to merge 4 commits into awslabs:main from Sushant20:add-codex-openai-api-key-example
@Sushant20 Sushant20 commented May 19, 2026

Amazon Bedrock AgentCore Samples Pull Request

Important

  1. We strictly follow an issue-first approach; please first open an issue relating to this Pull Request.
  2. Once this Pull Request is ready for review please attach review ready label to it. Only PRs with review ready will be reviewed.

Issue number: #[1513]

Concise description of the PR

Add Codex CLI with OpenAI API key integration on AgentCore Runtime, demonstrating how to deploy
OpenAI-powered coding agents with persistent S3 Files storage and secure API key management via
AWS Secrets Manager. This complements the existing Claude Code examples by showing how to integrate
third-party LLM providers with AgentCore Runtime.

User experience

Before this change:

  • Users only had examples using Claude Code with Bedrock models
  • No examples showing how to integrate third-party LLM providers (OpenAI, etc.) with AgentCore Runtime
  • No guidance on secure API key management for external services

After this change:

  • Users can deploy Codex CLI agents powered by OpenAI's GPT-4o on AgentCore Runtime
  • Complete example showing AWS Secrets Manager integration for secure API key storage
  • Demonstrates the same persistent storage pattern (S3 Files) as Claude Code examples
  • Clear documentation on setup, prerequisites, and troubleshooting
  • Architecture diagram showing integration points (Runtime → Secrets Manager → OpenAI)

Key features:

  • Codex CLI running in containerized AgentCore Runtime
  • S3 Files mounted at /mnt/s3files for persistent cross-session storage
  • Secure OpenAI API key retrieval from AWS Secrets Manager at container startup
  • VPC-isolated deployment with proper IAM scoping
  • Full lifecycle scripts: setup.sh, deploy.py, invoke.py, update.py, cleanup.py
  • Comprehensive error handling and troubleshooting guidance

Checklist

  • I have reviewed the contributing guidelines
  • Add your name to CONTRIBUTORS.md
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Are you uploading a dataset? N/A - No datasets
  • Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and Clean Up steps in your example README?
    • ✅ Introduction: Overview of Codex CLI deployment with S3 Files
    • ✅ Architecture Diagram: Shows Runtime, S3 Files, Secrets Manager, and S3 Bucket
    • ✅ Prerequisites: Python 3.13, Docker, AWS credentials, OpenAI API key setup
    • ✅ Usage: 5-step guide (setup, deploy, invoke, exec, cleanup)
    • ✅ Sample Prompts: Creating skills, cross-session usage examples
    • ✅ Clean Up: cleanup.py and cleanup.sh scripts
  • I agree to resolve any issues created for this example in the future.
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.


Implementation Details

Files Added:

  • Dockerfile - Codex CLI container with OpenAI configuration
  • README.md - Complete documentation with architecture, setup, and usage
  • cfn-vpc.yaml - VPC infrastructure with S3 Files setup
  • codex-config.toml - Codex configuration pointing to OpenAI models
  • entrypoint.sh - Secure credential loading from Secrets Manager with error handling
  • server.js - HTTP server for AgentCore Runtime protocol
  • deploy.py - IAM role and runtime creation with Secrets Manager permissions
  • invoke.py - Agent invocation with session management
  • exec_cmd.py - Direct command execution in running sessions
  • update.py - Runtime updates for image/config changes
  • cleanup.py / cleanup.sh - Resource cleanup scripts
  • setup.sh - Infrastructure setup and Docker image build

Key Improvements:

  • ✅ Added comprehensive OpenAI API Key setup section in README with Secrets Manager commands
  • ✅ Updated architecture diagram to include AWS Secrets Manager
  • ✅ Added error handling in entrypoint.sh for missing secrets with helpful messages
  • ✅ Fixed all Claude references to Codex CLI across all files
  • ✅ Corrected model descriptions (Claude Sonnet 4.6 → OpenAI gpt-4o)
  • ✅ IAM permissions include secretsmanager:GetSecretValue for secure API key retrieval
  • ✅ Added Sushant20 to CONTRIBUTORS.md

Similar Examples:

This example follows the same pattern as:

  • 01-claude-code-with-s3-files - Same infrastructure, different LLM provider

@github-actions github-actions Bot added 01-tutorials 01-tutorials 01-AgentCore-runtime 01-tutorials/01-AgentCore-runtime labels May 19, 2026
@Sushant20 Sushant20 marked this pull request as ready for review May 19, 2026 05:20
@Sushant20 Sushant20 marked this pull request as draft May 19, 2026 05:48
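
The startup key retrieval with error handling that the description lists, sketched as an added example (this is not the PR's entrypoint.sh). The `OPENAI_SECRET_ID` and `ENTRYPOINT_RUN` variables and the exit codes are assumptions; the container fails closed and never prints the key.

```shell
#!/bin/sh
# Added example: fail-closed loading of an API key from AWS Secrets Manager
# at container start. OPENAI_SECRET_ID, ENTRYPOINT_RUN and the exit codes
# are assumptions, not names taken from the PR.

# Print the secret string on stdout. CLI error text is discarded so it can
# never be mistaken for (or logged alongside) a key.
fetch_secret() {
  aws secretsmanager get-secret-value \
    --secret-id "$1" --query SecretString --output text 2>/dev/null
}

# Export OPENAI_API_KEY, or return non-zero with a message that names the
# secret id but never contains the secret value.
load_openai_key() {
  _sid="${OPENAI_SECRET_ID:-}"
  if [ -z "$_sid" ]; then
    echo "entrypoint: OPENAI_SECRET_ID is not set" >&2
    return 2
  fi
  if ! _val="$(fetch_secret "$_sid")"; then
    echo "entrypoint: cannot read secret '$_sid' (secret missing, or role lacks secretsmanager:GetSecretValue)" >&2
    return 3
  fi
  # With --output text the CLI prints "None" when SecretString is absent,
  # for example when the secret was stored as binary.
  if [ -z "$_val" ] || [ "$_val" = "None" ]; then
    echo "entrypoint: secret '$_sid' has no string value" >&2
    unset _val
    return 4
  fi
  export OPENAI_API_KEY="$_val"
  unset _val
}

# Container entrypoint path: refuse to start the agent without a key.
if [ "${ENTRYPOINT_RUN:-0}" = 1 ]; then
  set +x                      # never trace commands while the key is in scope
  load_openai_key || exit $?
  exec "$@"
fi
```

Scoping the runtime role's `secretsmanager:GetSecretValue` statement to the one secret ARN keeps a compromised container from reading any other secret in the account.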