AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2025-10-16 · Security-related medium

File: cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md

Summary

Added detailed configuration structures for Microsoft Entra ID (Azure AD) tenant integration with validation constraints

Security assessment

Introduced tenantId field with security constraints (min:1, max:2048) for Microsoft integration, which helps prevent misconfigurations in multi-tenant environments. Documented proper isolation of OAuth2 application tenants.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md
index 5e3b1f2cb..2b1c6e26b 100644
--- a//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md
+++ b//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.13 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.16 Command Reference](../../index.html) »
@@ -69,0 +70 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+    [--tags <value>]
@@ -117,0 +119,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+>   * `AtlassianOauth2`
+>   * `LinkedinOauth2`
+>   * `XOauth2`
+>   * `OktaOauth2`
+>   * `OneLoginOauth2`
+>   * `PingOneOauth2`
+>   * `FacebookOauth2`
+>   * `YandexOauth2`
+>   * `RedditOauth2`
+>   * `ZoomOauth2`
+>   * `TwitchOauth2`
+>   * `SpotifyOauth2`
+>   * `DropboxOauth2`
+>   * `NotionOauth2`
+>   * `HubspotOauth2`
+>   * `CyberArkOauth2`
+>   * `FusionAuthOauth2`
+>   * `Auth0Oauth2`
+>   * `CognitoOauth2`
@@ -127 +147 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
-> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`.
+> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`, `atlassianOauth2ProviderConfig`, `linkedinOauth2ProviderConfig`, `includedOauth2ProviderConfig`.
@@ -171,0 +192,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+>>>> 
+>>>> tokenEndpointAuthMethods -> (list)
+>>>>
+>>>>> The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `2`
+>>>>> 
+
+>>>>> 
+>>>>> (string)
+>>>>>
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * pattern: `(client_secret_post|client_secret_basic)`
+>>>>>> 
+
@@ -323,0 +363,101 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+>> 
+>> tenantId -> (string)
+>>
+>>> The Microsoft Entra ID (formerly Azure AD) tenant ID for your organization. This identifies the specific tenant within Microsoft’s identity platform where your application is registered.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>> 
+
+> 
+> atlassianOauth2ProviderConfig -> (structure)
+>
+>> Configuration settings for Atlassian OAuth2 provider integration.
+>> 
+>> clientId -> (string) [required]
+>>
+>>> The client ID for the Atlassian OAuth2 provider. This identifier is assigned by Atlassian when you register your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `256`
+>>> 
+
+>> 
+>> clientSecret -> (string) [required]
+>>
+>>> The client secret for the Atlassian OAuth2 provider. This secret is assigned by Atlassian and used along with the client ID to authenticate your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>> 
+
+> 
+> linkedinOauth2ProviderConfig -> (structure)
+>
+>> Configuration settings for LinkedIn OAuth2 provider integration.
+>> 
+>> clientId -> (string) [required]
+>>
+>>> The client ID for the LinkedIn OAuth2 provider. This identifier is assigned by LinkedIn when you register your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `256`
+>>> 
+
+>> 
+>> clientSecret -> (string) [required]
+>>
+>>> The client secret for the LinkedIn OAuth2 provider. This secret is assigned by LinkedIn and used along with the client ID to authenticate your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>> 
+
+> 
+> includedOauth2ProviderConfig -> (structure)
+>
+>> The configuration for a non-custom OAuth2 provider. This includes settings for supported OAuth2 providers that have built-in integration support.
+>> 
+>> clientId -> (string) [required]
+>>
+>>> The client ID for the supported OAuth2 provider. This identifier is assigned by the OAuth2 provider when you register your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `256`
+>>> 
+
+>> 
+>> clientSecret -> (string) [required]
+>>
+>>> The client secret for the supported OAuth2 provider. This secret is assigned by the OAuth2 provider and used along with the client ID to authenticate your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>> 
+
+>> 
+>> issuer -> (string)
+>>
+>>> Token issuer of your isolated OAuth2 application tenant. This URL identifies the authorization server that issues tokens for this provider.
+>> 
+>> authorizationEndpoint -> (string)
+>>
+>>> OAuth2 authorization endpoint for your isolated OAuth2 application tenant. This is where users are redirected to authenticate and authorize access to their resources.
+>> 
+>> tokenEndpoint -> (string)
+>>
+>>> OAuth2 token endpoint for your isolated OAuth2 application tenant. This is where authorization codes are exchanged for access tokens.
@@ -336 +476,2 @@ JSON Syntax:
-            "responseTypes": ["string", ...]
+            "responseTypes": ["string", ...],
+            "tokenEndpointAuthMethods": ["string", ...]
@@ -358,0 +500,9 @@ JSON Syntax:
+        "clientId": "string",
+        "clientSecret": "string",
+        "tenantId": "string"
+      },
+      "atlassianOauth2ProviderConfig": {
+        "clientId": "string",
+        "clientSecret": "string"
+      },
+      "linkedinOauth2ProviderConfig": {
@@ -360,0 +511,7 @@ JSON Syntax:
+      },
+      "includedOauth2ProviderConfig": {
+        "clientId": "string",
+        "clientSecret": "string",
+        "issuer": "string",
+        "authorizationEndpoint": "string",
+        "tokenEndpoint": "string"
@@ -364,0 +522,44 @@ JSON Syntax:
+`--tags` (map)
+
+> A map of tag keys and values to assign to the OAuth2 credential provider. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.
+> 
+> Constraints:
+> 
+>   * min: `0`
+>   * max: `50`
+> 
+
+> 
+> key -> (string)
+>
+>> Constraints:
+>> 
+>>   * min: `1`
+>>   * max: `128`
+>>   * pattern: `[a-zA-Z0-9\s._:/=+@-]*`
+>> 
+
+> 
+> value -> (string)
+>