AWS cli documentation change
Summary
Added documentation for new features in the update-gateway-target command including: private endpoint configuration with VPC Lattice integration, MCP tool schema configuration, IAM credential provider, and authorization state handling. Also updated CLI version reference.
Security assessment
The changes add documentation for security-related features including IAM credential provider with SigV4 signing, private endpoint configuration with security group controls, and authorization state management. However, there is no evidence these changes address a specific security vulnerability or incident - they appear to be routine feature additions and documentation improvements.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/update-gateway-target.md b/cli/latest/reference/bedrock-agentcore-control/update-gateway-target.md index 3d80fdbf9..343f23f93 100644 --- a//cli/latest/reference/bedrock-agentcore-control/update-gateway-target.md +++ b//cli/latest/reference/bedrock-agentcore-control/update-gateway-target.md @@ -15 +15 @@ - * [AWS CLI 2.34.21 Command Reference](../../index.html) » + * [AWS CLI 2.34.23 Command Reference](../../index.html) » @@ -60,0 +61,2 @@ Updates an existing gateway target. +You cannot update a target that is in a pending authorization state (`CREATE_PENDING_AUTH` , `UPDATE_PENDING_AUTH` , or `SYNCHRONIZE_PENDING_AUTH` ). Wait for the authorization to complete or fail before updating the target. + @@ -73,0 +76 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc + [--private-endpoint <value>] @@ -522,0 +526,36 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>>> +>>> mcpToolSchema -> (tagged union structure) +>>> +>>>> The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when target is configured with mcpToolSchema. +>>>> +>>>> ### Note +>>>> +>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `s3`, `inlinePayload`. +>>>> +>>>> s3 -> (structure) +>>>> +>>>>> The Amazon S3 location of the tool schema. This location contains the schema definition file. +>>>>> +>>>>> uri -> (string) +>>>>> +>>>>>> The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * pattern: `s3://.{1,2043}` +>>>>>> + +>>>>> +>>>>> bucketOwnerAccountId -> (string) +>>>>> +>>>>>> The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * pattern: `[0-9]{12}` +>>>>>> + +>>>> +>>>> inlinePayload -> (string) +>>>> +>>>>> The inline payload containing the MCP tool schema definition. @@ -686 +725,8 @@ JSON Syntax: - "endpoint": "string" + "endpoint": "string", + "mcpToolSchema": { + "s3": { + "uri": "string", + "bucketOwnerAccountId": "string" + }, + "inlinePayload": "string" + } @@ -747 +793 @@ JSON Syntax: ->>> This is a Tagged Union structure. Only one of the following top level keys can be set: `oauthCredentialProvider`, `apiKeyCredentialProvider`. +>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `oauthCredentialProvider`, `apiKeyCredentialProvider`, `iamCredentialProvider`. @@ -885,0 +932,28 @@ JSON Syntax: +>>> +>>> iamCredentialProvider -> (structure) +>>> +>>>> The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint. +>>>> +>>>> service -> (string) [required] +>>>> +>>>>> The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `64` +>>>>> * pattern: `[a-zA-Z0-9._-]+` +>>>>> + +>>>> +>>>> region -> (string) +>>>> +>>>>> The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway’s Region. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `32` +>>>>> * pattern: `[a-zA-Z0-9-]+` +>>>>> + @@ -906,0 +981,4 @@ JSON Syntax: + }, + "iamCredentialProvider": { + "service": "string", + "region": "string" @@ -993,0 +1072,151 @@ JSON Syntax: +`--private-endpoint` (tagged union structure) + +> The private endpoint configuration for the gateway target. Use this to connect the gateway to private resources in your VPC. +> +> ### Note +> +> This is a Tagged Union structure. Only one of the following top level keys can be set: `selfManagedLatticeResource`, `managedLatticeResource`. +> +> selfManagedLatticeResource -> (tagged union structure) +> +>> Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration. +>> +>> ### Note +>> +>> This is a Tagged Union structure. Only one of the following top level keys can be set: `resourceConfigurationIdentifier`. +>> +>> resourceConfigurationIdentifier -> (string) +>> +>>> The ARN or ID of the VPC Lattice resource configuration. +>>> +>>> Constraints: +>>> +>>> * min: `20` +>>> * max: `2048` +>>> * pattern: `((rcfg-[0-9a-z]{17})|(arn:[a-z0-9\-]+:vpc-lattice:[a-zA-Z0-9\-]+:\d{12}:resourceconfiguration/rcfg-[0-9a-z]{17}))` +>>> + +> +> managedLatticeResource -> (structure) +> +>> Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf. +>> +>> vpcIdentifier -> (string) [required] +>> +>>> The ID of the VPC that contains your private resource. +>>> +>>> Constraints: +>>> +>>> * pattern: `vpc-(([0-9a-z]{8})|([0-9a-z]{17}))` +>>> + +>> +>> subnetIds -> (list) [required] +>> +>>> The subnet IDs within the VPC where the VPC Lattice resource gateway is placed. +>>> +>>> (string) +>>> +>>>> Constraints: +>>>> +>>>> * pattern: `subnet-[0-9a-zA-Z]{8,17}` +>>>> + +>> +>> endpointIpAddressType -> (string) [required] +>> +>>> The IP address type for the resource configuration endpoint. +>>> +>>> Possible values: +>>> +>>> * `IPV4` +>>> * `IPV6` +>>> + +>> +>> securityGroupIds -> (list) +>> +>>> The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used. +>>> +>>> Constraints: +>>> +>>> * min: `0` +>>> * max: `5` +>>> + +>>> +>>> (string) +>>> +>>>> Constraints: +>>>> +>>>> * pattern: `sg-(([0-9a-z]{8})|([0-9a-z]{17}))` +>>>> + +>> +>> tags -> (map) +>> +>>> Tags to apply to the managed VPC Lattice resource gateway. +>>> +>>> Constraints: +>>> +>>> * min: `0` +>>> * max: `50` +>>> + +>>> +>>> key -> (string) +>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `128` +>>>> * pattern: `[a-zA-Z0-9\s._:/=+@-]*` +>>>>