AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2025-10-16 · Documentation low

File: cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md

Summary

Expanded OAuth2 provider support with new configurations (Atlassian, LinkedIn, etc.), added token endpoint auth method constraints, and updated CLI version reference.

Security assessment

Added constraints for tokenEndpointAuthMethods (enforcing client_secret_post/client_secret_basic patterns) and clientSecret length validations improve security documentation. No evidence of patching a specific vulnerability.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md
index 5a68caf27..e5b21a0c9 100644
--- a//cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md
+++ b//cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.13 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.16 Command Reference](../../index.html) »
@@ -117,0 +118,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+>   * `AtlassianOauth2`
+>   * `LinkedinOauth2`
+>   * `XOauth2`
+>   * `OktaOauth2`
+>   * `OneLoginOauth2`
+>   * `PingOneOauth2`
+>   * `FacebookOauth2`
+>   * `YandexOauth2`
+>   * `RedditOauth2`
+>   * `ZoomOauth2`
+>   * `TwitchOauth2`
+>   * `SpotifyOauth2`
+>   * `DropboxOauth2`
+>   * `NotionOauth2`
+>   * `HubspotOauth2`
+>   * `CyberArkOauth2`
+>   * `FusionAuthOauth2`
+>   * `Auth0Oauth2`
+>   * `CognitoOauth2`
@@ -127 +146 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
-> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`.
+> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`, `atlassianOauth2ProviderConfig`, `linkedinOauth2ProviderConfig`, `includedOauth2ProviderConfig`.
@@ -171,0 +191,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+>>>> 
+>>>> tokenEndpointAuthMethods -> (list)
+>>>>
+>>>>> The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `2`
+>>>>> 
+
+>>>>> 
+>>>>> (string)
+>>>>>
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * pattern: `(client_secret_post|client_secret_basic)`
+>>>>>> 
+
@@ -323,0 +362,101 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+>> 
+>> tenantId -> (string)
+>>
+>>> The Microsoft Entra ID (formerly Azure AD) tenant ID for your organization. This identifies the specific tenant within Microsoft’s identity platform where your application is registered.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>> 
+
+> 
+> atlassianOauth2ProviderConfig -> (structure)
+>
+>> Configuration settings for Atlassian OAuth2 provider integration.
+>> 
+>> clientId -> (string) [required]
+>>
+>>> The client ID for the Atlassian OAuth2 provider. This identifier is assigned by Atlassian when you register your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `256`
+>>> 
+
+>> 
+>> clientSecret -> (string) [required]
+>>
+>>> The client secret for the Atlassian OAuth2 provider. This secret is assigned by Atlassian and used along with the client ID to authenticate your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>> 
+
+> 
+> linkedinOauth2ProviderConfig -> (structure)
+>
+>> Configuration settings for LinkedIn OAuth2 provider integration.
+>> 
+>> clientId -> (string) [required]
+>>
+>>> The client ID for the LinkedIn OAuth2 provider. This identifier is assigned by LinkedIn when you register your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `256`
+>>> 
+
+>> 
+>> clientSecret -> (string) [required]
+>>
+>>> The client secret for the LinkedIn OAuth2 provider. This secret is assigned by LinkedIn and used along with the client ID to authenticate your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>> 
+
+> 
+> includedOauth2ProviderConfig -> (structure)
+>
+>> The configuration for a non-custom OAuth2 provider. This includes settings for supported OAuth2 providers that have built-in integration support.
+>> 
+>> clientId -> (string) [required]
+>>
+>>> The client ID for the supported OAuth2 provider. This identifier is assigned by the OAuth2 provider when you register your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `256`
+>>> 
+
+>> 
+>> clientSecret -> (string) [required]
+>>
+>>> The client secret for the supported OAuth2 provider. This secret is assigned by the OAuth2 provider and used along with the client ID to authenticate your application.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `2048`
+>>> 
+
+>> 
+>> issuer -> (string)
+>>
+>>> Token issuer of your isolated OAuth2 application tenant. This URL identifies the authorization server that issues tokens for this provider.
+>> 
+>> authorizationEndpoint -> (string)
+>>
+>>> OAuth2 authorization endpoint for your isolated OAuth2 application tenant. This is where users are redirected to authenticate and authorize access to their resources.
+>> 
+>> tokenEndpoint -> (string)
+>>
+>>> OAuth2 token endpoint for your isolated OAuth2 application tenant. This is where authorization codes are exchanged for access tokens.
@@ -336 +475,2 @@ JSON Syntax:
-            "responseTypes": ["string", ...]
+            "responseTypes": ["string", ...],
+            "tokenEndpointAuthMethods": ["string", ...]
@@ -358,0 +499,9 @@ JSON Syntax:
+        "clientId": "string",
+        "clientSecret": "string",
+        "tenantId": "string"
+      },
+      "atlassianOauth2ProviderConfig": {
+        "clientId": "string",
+        "clientSecret": "string"
+      },
+      "linkedinOauth2ProviderConfig": {
@@ -360,0 +510,7 @@ JSON Syntax:
+      },
+      "includedOauth2ProviderConfig": {
+        "clientId": "string",
+        "clientSecret": "string",
+        "issuer": "string",
+        "authorizationEndpoint": "string",
+        "tokenEndpoint": "string"
@@ -501,0 +658,19 @@ credentialProviderVendor -> (string)
+>   * `AtlassianOauth2`
+>   * `LinkedinOauth2`
+>   * `XOauth2`
+>   * `OktaOauth2`
+>   * `OneLoginOauth2`
+>   * `PingOneOauth2`
+>   * `FacebookOauth2`
+>   * `YandexOauth2`
+>   * `RedditOauth2`
+>   * `ZoomOauth2`
+>   * `TwitchOauth2`
+>   * `SpotifyOauth2`
+>   * `DropboxOauth2`
+>   * `NotionOauth2`
+>   * `HubspotOauth2`
+>   * `CyberArkOauth2`
+>   * `FusionAuthOauth2`
+>   * `Auth0Oauth2`
+>   * `CognitoOauth2`
@@ -514,0 +690,4 @@ credentialProviderArn -> (string)
+callbackUrl -> (string)
+
+> Callback URL to register on the OAuth2 credential provider as an allowed callback URL. This URL is where the OAuth2 authorization server redirects users after they complete the authorization flow.
+
@@ -521 +700 @@ oauth2ProviderConfigOutput -> (tagged union structure)