AWS cli documentation change
Summary
Updated AWS CLI version from 2.34.21 to 2.34.23 and significantly expanded documentation for the synchronize-gateway-targets command. Added detailed information about authorization states, static tool schemas, IAM credential provider, private endpoint configurations, and OAuth2 authorization data.
Security assessment
The changes add extensive documentation about security features including: authorization states (CREATE_PENDING_AUTH, UPDATE_PENDING_AUTH, SYNCHRONIZE_PENDING_AUTH), IAM credential provider with SigV4 signing, private endpoint configurations with security groups, and OAuth2 authorization. These are security feature enhancements rather than fixes for specific vulnerabilities. The documentation clarifies security controls but doesn't indicate any security incident being addressed.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/synchronize-gateway-targets.md b/cli/latest/reference/bedrock-agentcore-control/synchronize-gateway-targets.md index a5f904386..f8daa2941 100644 --- a//cli/latest/reference/bedrock-agentcore-control/synchronize-gateway-targets.md +++ b//cli/latest/reference/bedrock-agentcore-control/synchronize-gateway-targets.md @@ -15 +15 @@ - * [AWS CLI 2.34.21 Command Reference](../../index.html) » + * [AWS CLI 2.34.23 Command Reference](../../index.html) » @@ -59 +59,5 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c -The gateway targets. +Synchronizes the gateway targets by fetching the latest tool definitions from the target endpoints. + +You cannot synchronize a target that is in a pending authorization state (`CREATE_PENDING_AUTH` , `UPDATE_PENDING_AUTH` , or `SYNCHRONIZE_PENDING_AUTH` ). Wait for the authorization to complete or fail before synchronizing. + +You cannot synchronize a target that has a static tool schema (`mcpToolSchema` ) configured. Remove the static schema through an `UpdateGatewayTarget` call to enable dynamic tool synchronization. @@ -291,0 +296,3 @@ targets -> (list) +>>> * `CREATE_PENDING_AUTH` +>>> * `UPDATE_PENDING_AUTH` +>>> * `SYNCHRONIZE_PENDING_AUTH` @@ -718,0 +726,36 @@ targets -> (list) +>>>>> +>>>>> mcpToolSchema -> (tagged union structure) +>>>>> +>>>>>> The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when target is configured with mcpToolSchema. +>>>>>> +>>>>>> ### Note +>>>>>> +>>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `s3`, `inlinePayload`. +>>>>>> +>>>>>> s3 -> (structure) +>>>>>> +>>>>>>> The Amazon S3 location of the tool schema. This location contains the schema definition file. +>>>>>>> +>>>>>>> uri -> (string) +>>>>>>> +>>>>>>>> The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3. +>>>>>>>> +>>>>>>>> Constraints: +>>>>>>>> +>>>>>>>> * pattern: `s3://.{1,2043}` +>>>>>>>> + +>>>>>>> +>>>>>>> bucketOwnerAccountId -> (string) +>>>>>>> +>>>>>>>> The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket. +>>>>>>>> +>>>>>>>> Constraints: +>>>>>>>> +>>>>>>>> * pattern: `[0-9]{12}` +>>>>>>>> + +>>>>>> +>>>>>> inlinePayload -> (string) +>>>>>> +>>>>>>> The inline payload containing the MCP tool schema definition. @@ -835 +878 @@ targets -> (list) ->>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `oauthCredentialProvider`, `apiKeyCredentialProvider`. +>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `oauthCredentialProvider`, `apiKeyCredentialProvider`, `iamCredentialProvider`. @@ -973,0 +1017,28 @@ targets -> (list) +>>>>> +>>>>> iamCredentialProvider -> (structure) +>>>>> +>>>>>> The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint. +>>>>>> +>>>>>> service -> (string) [required] +>>>>>> +>>>>>>> The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint. +>>>>>>> +>>>>>>> Constraints: +>>>>>>> +>>>>>>> * min: `1` +>>>>>>> * max: `64` +>>>>>>> * pattern: `[a-zA-Z0-9._-]+` +>>>>>>> + +>>>>>> +>>>>>> region -> (string) +>>>>>> +>>>>>>> The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway’s Region. +>>>>>>> +>>>>>>> Constraints: +>>>>>>> +>>>>>>> * min: `1` +>>>>>>> * max: `32` +>>>>>>> * pattern: `[a-zA-Z0-9-]+` +>>>>>>> + @@ -1041,0 +1113,191 @@ targets -> (list) +>> +>> privateEndpoint -> (tagged union structure) +>> +>>> The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC. +>>> +>>> ### Note +>>> +>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `selfManagedLatticeResource`, `managedLatticeResource`. +>>> +>>> selfManagedLatticeResource -> (tagged union structure) +>>> +>>>> Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration. +>>>> +>>>> ### Note +>>>> +>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `resourceConfigurationIdentifier`. +>>>> +>>>> resourceConfigurationIdentifier -> (string) +>>>> +>>>>> The ARN or ID of the VPC Lattice resource configuration. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `20` +>>>>> * max: `2048` +>>>>> * pattern: `((rcfg-[0-9a-z]{17})|(arn:[a-z0-9\-]+:vpc-lattice:[a-zA-Z0-9\-]+:\d{12}:resourceconfiguration/rcfg-[0-9a-z]{17}))` +>>>>> + +>>> +>>> managedLatticeResource -> (structure) +>>> +>>>> Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf. +>>>> +>>>> vpcIdentifier -> (string) [required] +>>>> +>>>>> The ID of the VPC that contains your private resource. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * pattern: `vpc-(([0-9a-z]{8})|([0-9a-z]{17}))` +>>>>> + +>>>> +>>>> subnetIds -> (list) [required] +>>>> +>>>>> The subnet IDs within the VPC where the VPC Lattice resource gateway is placed. +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * pattern: `subnet-[0-9a-zA-Z]{8,17}` +>>>>>> + +>>>> +>>>> endpointIpAddressType -> (string) [required] +>>>> +>>>>> The IP address type for the resource configuration endpoint. +>>>>> +>>>>> Possible values: +>>>>> +>>>>> * `IPV4` +>>>>> * `IPV6` +>>>>> + +>>>> +>>>> securityGroupIds -> (list) +>>>> +>>>>> The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `0` +>>>>> * max: `5` +>>>>> + +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * pattern: `sg-(([0-9a-z]{8})|([0-9a-z]{17}))` +>>>>>> + +>>>> +>>>> tags -> (map) +>>>> +>>>>> Tags to apply to the managed VPC Lattice resource gateway. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `0` +>>>>> * max: `50` +>>>>> + +>>>>> +>>>>> key -> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `128` +>>>>>> * pattern: `[a-zA-Z0-9\s._:/=+@-]*` +>>>>>> + +>>>>> +>>>>> value -> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `0` +>>>>>> * max: `256`