AWS cli documentation change
Summary
Added proxy configuration option for routing browser traffic through customer-managed proxies with domain-based routing and HTTP Basic authentication via AWS Secrets Manager
Security assessment
The change introduces new documentation for proxy configuration capabilities, including authentication via Secrets Manager and domain-based routing rules. This adds security documentation about secure proxy management and credential handling, but there's no evidence of fixing an existing security vulnerability.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore/start-browser-session.md b/cli/latest/reference/bedrock-agentcore/start-browser-session.md index a0f691e9f..38554339c 100644 --- a//cli/latest/reference/bedrock-agentcore/start-browser-session.md +++ b//cli/latest/reference/bedrock-agentcore/start-browser-session.md @@ -15 +15 @@ - * [AWS CLI 2.33.18 Command Reference](../../index.html) » + * [AWS CLI 2.33.21 Command Reference](../../index.html) » @@ -85,0 +86 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc + [--proxy-configuration <value>] @@ -311,0 +313,143 @@ JSON Syntax: +`--proxy-configuration` (structure) + +> Optional proxy configuration for routing browser traffic through customer-specified proxy servers. When provided, enables HTTP Basic authentication via Amazon Web Services Secrets Manager and domain-based routing rules. Requires `secretsmanager:GetSecretValue` IAM permission for the specified secret ARNs. +> +> proxies -> (list) [required] +> +>> An array of 1-5 proxy server configurations for domain-based routing. Each proxy can specify which domains it handles via `domainPatterns` , enabling flexible routing of different traffic through different proxies based on destination domain. +>> +>> Constraints: +>> +>> * min: `1` +>> * max: `5` +>> + +>> +>> (tagged union structure) +>> +>>> Union type representing different proxy configurations. Currently supports external customer-managed proxies. +>>> +>>> ### Note +>>> +>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `externalProxy`. +>>> +>>> externalProxy -> (structure) +>>> +>>>> Configuration for an external customer-managed proxy server. +>>>> +>>>> server -> (string) [required] +>>>> +>>>>> The hostname of the proxy server. Must be a valid DNS hostname (maximum 253 characters). +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `253` +>>>>> * pattern: `[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*` +>>>>> + +>>>> +>>>> port -> (integer) [required] +>>>> +>>>>> The port number of the proxy server. Valid range: 1-65535. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `65535` +>>>>> + +>>>> +>>>> domainPatterns -> (list) +>>>> +>>>>> Optional array of domain patterns that should route through this specific proxy. Supports `.example.com` for subdomain matching (matches any subdomain of example.com) or `example.com` for exact domain matching. If omitted, this proxy acts as a catch-all for domains not matched by other proxies. Maximum 100 patterns per proxy, each up to 253 characters. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `100` +>>>>> + +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `253` +>>>>>> * pattern: `(\.)?[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*` +>>>>>> + +>>>> +>>>> credentials -> (tagged union structure) +>>>> +>>>>> Optional authentication credentials for the proxy server. If omitted, the proxy is accessed without authentication (useful for IP-allowlisted proxies). +>>>>> +>>>>> ### Note +>>>>> +>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `basicAuth`. +>>>>> +>>>>> basicAuth -> (structure) +>>>>> +>>>>>> HTTP Basic Authentication credentials (username and password) stored in Amazon Web Services Secrets Manager. +>>>>>> +>>>>>> secretArn -> (string) [required] +>>>>>> +>>>>>>> The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret containing proxy credentials. The secret must be a JSON object with `username` and `password` string fields that meet validation requirements. The caller must have `secretsmanager:GetSecretValue` permission for this ARN. Example secret format: `{"username": "proxy_user", "password": "secure_password"}` +>>>>>>> +>>>>>>> Constraints: +>>>>>>> +>>>>>>> * pattern: `arn:aws:secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[a-zA-Z0-9/_+=.@-]+` +>>>>>>> + +> +> bypass -> (structure) +> +>> Optional configuration for domains that should bypass all proxies and connect directly to their destination, like the internet. Takes precedence over all proxy routing rules. +>> +>> domainPatterns -> (list) +>> +>>> Array of domain patterns that should bypass the proxy. Supports `.amazonaws.com` for subdomain matching or `amazonaws.com` for exact domain matching. Requests to these domains connect directly without using any proxy. Maximum 253 characters per pattern. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `100` +>>> + +>>> +>>> (string) +>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `253` +>>>> * pattern: `(\.)?[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*` +>>>> + + +JSON Syntax: + + + { + "proxies": [ + { + "externalProxy": { + "server": "string", + "port": integer, + "domainPatterns": ["string", ...], + "credentials": { + "basicAuth": { + "secretArn": "string" + } + } + } + } + ... + ], + "bypass": { + "domainPatterns": ["string", ...] + } + } + + @@ -496 +640 @@ streams -> (structure) - * [AWS CLI 2.33.18 Command Reference](../../index.html) » + * [AWS CLI 2.33.21 Command Reference](../../index.html) »