AWS cli medium security documentation change
Summary
Added detailed configuration structures for Microsoft Entra ID (Azure AD) tenant integration with validation constraints
Security assessment
Introduced tenantId field with security constraints (min:1, max:2048) for Microsoft integration, which helps prevent misconfigurations in multi-tenant environments. Documented proper isolation of OAuth2 application tenants.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md index 5e3b1f2cb..2b1c6e26b 100644 --- a//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md +++ b//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md @@ -15 +15 @@ - * [AWS CLI 2.31.13 Command Reference](../../index.html) » + * [AWS CLI 2.31.16 Command Reference](../../index.html) » @@ -69,0 +70 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc + [--tags <value>] @@ -117,0 +119,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +> * `AtlassianOauth2` +> * `LinkedinOauth2` +> * `XOauth2` +> * `OktaOauth2` +> * `OneLoginOauth2` +> * `PingOneOauth2` +> * `FacebookOauth2` +> * `YandexOauth2` +> * `RedditOauth2` +> * `ZoomOauth2` +> * `TwitchOauth2` +> * `SpotifyOauth2` +> * `DropboxOauth2` +> * `NotionOauth2` +> * `HubspotOauth2` +> * `CyberArkOauth2` +> * `FusionAuthOauth2` +> * `Auth0Oauth2` +> * `CognitoOauth2` @@ -127 +147 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc -> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`. +> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`, `atlassianOauth2ProviderConfig`, `linkedinOauth2ProviderConfig`, `includedOauth2ProviderConfig`. @@ -171,0 +192,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>>>> +>>>> tokenEndpointAuthMethods -> (list) +>>>> +>>>>> The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `2` +>>>>> + +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * pattern: `(client_secret_post|client_secret_basic)` +>>>>>> + @@ -323,0 +363,101 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>> +>> tenantId -> (string) +>> +>>> The Microsoft Entra ID (formerly Azure AD) tenant ID for your organization. This identifies the specific tenant within Microsoft’s identity platform where your application is registered. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +> +> atlassianOauth2ProviderConfig -> (structure) +> +>> Configuration settings for Atlassian OAuth2 provider integration. +>> +>> clientId -> (string) [required] +>> +>>> The client ID for the Atlassian OAuth2 provider. This identifier is assigned by Atlassian when you register your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) [required] +>> +>>> The client secret for the Atlassian OAuth2 provider. This secret is assigned by Atlassian and used along with the client ID to authenticate your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +> +> linkedinOauth2ProviderConfig -> (structure) +> +>> Configuration settings for LinkedIn OAuth2 provider integration. +>> +>> clientId -> (string) [required] +>> +>>> The client ID for the LinkedIn OAuth2 provider. This identifier is assigned by LinkedIn when you register your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) [required] +>> +>>> The client secret for the LinkedIn OAuth2 provider. This secret is assigned by LinkedIn and used along with the client ID to authenticate your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +> +> includedOauth2ProviderConfig -> (structure) +> +>> The configuration for a non-custom OAuth2 provider. This includes settings for supported OAuth2 providers that have built-in integration support. +>> +>> clientId -> (string) [required] +>> +>>> The client ID for the supported OAuth2 provider. This identifier is assigned by the OAuth2 provider when you register your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) [required] +>> +>>> The client secret for the supported OAuth2 provider. This secret is assigned by the OAuth2 provider and used along with the client ID to authenticate your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +>> +>> issuer -> (string) +>> +>>> Token issuer of your isolated OAuth2 application tenant. This URL identifies the authorization server that issues tokens for this provider. +>> +>> authorizationEndpoint -> (string) +>> +>>> OAuth2 authorization endpoint for your isolated OAuth2 application tenant. This is where users are redirected to authenticate and authorize access to their resources. +>> +>> tokenEndpoint -> (string) +>> +>>> OAuth2 token endpoint for your isolated OAuth2 application tenant. This is where authorization codes are exchanged for access tokens. @@ -336 +476,2 @@ JSON Syntax: - "responseTypes": ["string", ...] + "responseTypes": ["string", ...], + "tokenEndpointAuthMethods": ["string", ...] @@ -358,0 +500,9 @@ JSON Syntax: + "clientId": "string", + "clientSecret": "string", + "tenantId": "string" + }, + "atlassianOauth2ProviderConfig": { + "clientId": "string", + "clientSecret": "string" + }, + "linkedinOauth2ProviderConfig": { @@ -360,0 +511,7 @@ JSON Syntax: + }, + "includedOauth2ProviderConfig": { + "clientId": "string", + "clientSecret": "string", + "issuer": "string", + "authorizationEndpoint": "string", + "tokenEndpoint": "string" @@ -364,0 +522,44 @@ JSON Syntax: +`--tags` (map) + +> A map of tag keys and values to assign to the OAuth2 credential provider. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. +> +> Constraints: +> +> * min: `0` +> * max: `50` +> + +> +> key -> (string) +> +>> Constraints: +>> +>> * min: `1` +>> * max: `128` +>> * pattern: `[a-zA-Z0-9\s._:/=+@-]*` +>> + +> +> value -> (string) +>