AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-05-01 · Documentation low

File: cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md

Summary

Updated OAuth2 credential provider configuration to support additional well-known endpoints, made clientId and clientSecret optional with relaxed length constraints, added on-behalf-of token exchange configuration (RFC 8693/RFC 7523), and new client authentication methods including AWS IAM ID tokens.

Security assessment

The changes enhance OAuth2 security capabilities by adding support for token exchange flows and new authentication methods, but there's no evidence of addressing a specific vulnerability. The modifications document new security features like token exchange grants and IAM-based authentication.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md
index 6822d9fa4..56c225405 100644
--- a//cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md
+++ b//cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.38 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.40 Command Reference](../../index.html) »
@@ -167 +167 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -212 +212 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->> clientId -> (string) [required]
+>> clientId -> (string)
@@ -218 +218 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>   * min: `1`
+>>>   * min: `0`
@@ -223 +223 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->> clientSecret -> (string) [required]
+>> clientSecret -> (string)
@@ -229 +229 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>   * min: `1`
+>>>   * min: `0`
@@ -510,0 +511,56 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+>> 
+>> onBehalfOfTokenExchangeConfig -> (structure)
+>>
+>>> The configuration for on-behalf-of token exchange. This enables authentication flows that use RFC 8693 token exchange or RFC 7523 JWT authorization grants.
+>>> 
+>>> grantType -> (string) [required]
+>>>
+>>>> The grant type for the on-behalf-of token exchange.
+>>>> 
+>>>> Possible values:
+>>>> 
+>>>>   * `TOKEN_EXCHANGE`
+>>>>   * `JWT_AUTHORIZATION_GRANT`
+>>>> 
+
+>>> 
+>>> tokenExchangeGrantTypeConfig -> (structure)
+>>>
+>>>> Configuration specific to TOKEN_EXCHANGE grant type (RFC 8693)
+>>>> 
+>>>> actorTokenContent -> (string) [required]
+>>>>
+>>>>> The content type for the actor token in the token exchange.
+>>>>> 
+>>>>> Possible values:
+>>>>> 
+>>>>>   * `NONE`
+>>>>>   * `M2M`
+>>>>>   * `AWS_IAM_ID_TOKEN_JWT`
+>>>>> 
+
+>>>> 
+>>>> actorTokenScopes -> (list)
+>>>>
+>>>>> Only valid when actorTokenContent is M2M
+>>>>> 
+>>>>> (string)
+>>>>>
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `1`
+>>>>>>   * max: `128`
+>>>>>> 
+
+>> 
+>> clientAuthenticationMethod -> (string)
+>>
+>>> The client authentication method to use when authenticating with the token endpoint.
+>>> 
+>>> Possible values:
+>>> 
+>>>   * `CLIENT_SECRET_BASIC`
+>>>   * `CLIENT_SECRET_POST`
+>>>   * `AWS_IAM_ID_TOKEN_JWT`
+>>> 
+
@@ -793 +849,9 @@ JSON Syntax:
-        ]
+        ],
+        "onBehalfOfTokenExchangeConfig": {
+          "grantType": "TOKEN_EXCHANGE"|"JWT_AUTHORIZATION_GRANT",
+          "tokenExchangeGrantTypeConfig": {
+            "actorTokenContent": "NONE"|"M2M"|"AWS_IAM_ID_TOKEN_JWT",
+            "actorTokenScopes": ["string", ...]
+          }
+        },
+        "clientAuthenticationMethod": "CLIENT_SECRET_BASIC"|"CLIENT_SECRET_POST"|"AWS_IAM_ID_TOKEN_JWT"
@@ -1047 +1111 @@ oauth2ProviderConfigOutput -> (tagged union structure)
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -1379,0 +1444,56 @@ oauth2ProviderConfigOutput -> (tagged union structure)
+>> 
+>> onBehalfOfTokenExchangeConfig -> (structure)
+>>
+>>> The configuration for on-behalf-of token exchange.
+>>> 
+>>> grantType -> (string) [required]
+>>>
+>>>> The grant type for the on-behalf-of token exchange.
+>>>> 
+>>>> Possible values:
+>>>> 
+>>>>   * `TOKEN_EXCHANGE`
+>>>>   * `JWT_AUTHORIZATION_GRANT`
+>>>> 
+
+>>> 
+>>> tokenExchangeGrantTypeConfig -> (structure)
+>>>
+>>>> Configuration specific to TOKEN_EXCHANGE grant type (RFC 8693)
+>>>> 
+>>>> actorTokenContent -> (string) [required]
+>>>>
+>>>>> The content type for the actor token in the token exchange.
+>>>>> 
+>>>>> Possible values:
+>>>>> 
+>>>>>   * `NONE`
+>>>>>   * `M2M`
+>>>>>   * `AWS_IAM_ID_TOKEN_JWT`
+>>>>> 
+
+>>>> 
+>>>> actorTokenScopes -> (list)
+>>>>
+>>>>> Only valid when actorTokenContent is M2M
+>>>>> 
+>>>>> (string)
+>>>>>
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `1`
+>>>>>>   * max: `128`
+>>>>>> 
+
+>> 
+>> clientAuthenticationMethod -> (string)
+>>
+>>> The client authentication method used when authenticating with the token endpoint.
+>>> 
+>>> Possible values:
+>>> 
+>>>   * `CLIENT_SECRET_BASIC`
+>>>   * `CLIENT_SECRET_POST`
+>>>   * `AWS_IAM_ID_TOKEN_JWT`
+>>> 
+
@@ -1399 +1519 @@ oauth2ProviderConfigOutput -> (tagged union structure)
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -1473 +1593 @@ oauth2ProviderConfigOutput -> (tagged union structure)
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -1547 +1667 @@ oauth2ProviderConfigOutput -> (tagged union structure)
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -1621 +1741 @@ oauth2ProviderConfigOutput -> (tagged union structure)
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -1695 +1815 @@ oauth2ProviderConfigOutput -> (tagged union structure)
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -1769 +1889 @@ oauth2ProviderConfigOutput -> (tagged union structure)
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -1843 +1963 @@ oauth2ProviderConfigOutput -> (tagged union structure)
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -1917 +2037 @@ oauth2ProviderConfigOutput -> (tagged union structure)
->>>>   * pattern: `.+/\.well-known/openid-configuration`
+>>>>   * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)`
@@ -2007 +2127 @@ status -> (string)
-  * [AWS CLI 2.34.38 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.40 Command Reference](../../index.html) »