AWS cli documentation change
Summary
Added detailed configuration options for OAuth2 credential providers including client secret management via AWS Secrets Manager, token exchange configurations, and authentication methods. Updated provider-specific parameters to support external secret storage.
Security assessment
The changes introduce documentation for secure client secret management using AWS Secrets Manager, including secret rotation and access control capabilities. New token exchange configurations (RFC 8693/RFC 7523) and authentication methods enhance security documentation but don't indicate a vulnerability fix.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md index 861ce535f..ac5c614cd 100644 --- a//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md +++ b//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md @@ -15 +15 @@ - * [AWS CLI 2.34.55 Command Reference](../../index.html) » + * [AWS CLI 2.34.57 Command Reference](../../index.html) » @@ -233,0 +234,93 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>> +>> clientSecretConfig -> (structure) +>> +>>> A reference to the AWS Secrets Manager secret that stores the client secret. This includes the secret ID and the JSON key used to extract the client secret value from the secret. Required when `clientSecretSource` is set to `EXTERNAL` . +>>> +>>> secretId -> (string) [required] +>>> +>>>> The ID of the AWS Secrets Manager secret that stores the secret value. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `2048` +>>>> + +>>> +>>> jsonKey -> (string) [required] +>>> +>>>> The JSON key used to extract the secret value from the AWS Secrets Manager secret. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `128` +>>>> + +>> +>> clientSecretSource -> (string) +>> +>>> The source type of the client secret. Use `MANAGED` if the secret is managed by the service, or `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager. +>>> +>>> Possible values: +>>> +>>> * `MANAGED` +>>> * `EXTERNAL` +>>> + +>> +>> onBehalfOfTokenExchangeConfig -> (structure) +>> +>>> The configuration for on-behalf-of token exchange. This enables authentication flows that use RFC 8693 token exchange or RFC 7523 JWT authorization grants. +>>> +>>> grantType -> (string) [required] +>>> +>>>> The grant type for the on-behalf-of token exchange. +>>>> +>>>> Possible values: +>>>> +>>>> * `TOKEN_EXCHANGE` +>>>> * `JWT_AUTHORIZATION_GRANT` +>>>> + +>>> +>>> tokenExchangeGrantTypeConfig -> (structure) +>>> +>>>> Configuration specific to the TOKEN_EXCHANGE grant type (RFC 8693). +>>>> +>>>> actorTokenContent -> (string) [required] +>>>> +>>>>> The content type for the actor token in the token exchange. +>>>>> +>>>>> Possible values: +>>>>> +>>>>> * `NONE` +>>>>> * `M2M` +>>>>> * `AWS_IAM_ID_TOKEN_JWT` +>>>>> + +>>>> +>>>> actorTokenScopes -> (list) +>>>> +>>>>> The scopes for the actor token. Only valid when actorTokenContent is M2M. +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `128` +>>>>>> + +>> +>> clientAuthenticationMethod -> (string) +>> +>>> The client authentication method to use when authenticating with the token endpoint. +>>> +>>> Possible values: +>>> +>>> * `CLIENT_SECRET_BASIC` +>>> * `CLIENT_SECRET_POST` +>>> * `AWS_IAM_ID_TOKEN_JWT` +>>> + @@ -511,0 +605,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +> +> googleOauth2ProviderConfig -> (structure) +> +>> The configuration for a Google OAuth2 provider. @@ -513 +610 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->> onBehalfOfTokenExchangeConfig -> (structure) +>> clientId -> (string) [required] @@ -515 +612 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> The configuration for on-behalf-of token exchange. This enables authentication flows that use RFC 8693 token exchange or RFC 7523 JWT authorization grants. +>>> The client ID for the Google OAuth2 provider. @@ -517 +614 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> grantType -> (string) [required] +>>> Constraints: @@ -519 +616,23 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>>> The grant type for the on-behalf-of token exchange. +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) +>> +>>> The client secret for the Google OAuth2 provider. +>>> +>>> Constraints: +>>> +>>> * min: `0` +>>> * max: `2048` +>>> + +>> +>> clientSecretConfig -> (structure) +>> +>>> A reference to the AWS Secrets Manager secret that stores the client secret. This includes the secret ID and the JSON key used to extract the client secret value from the secret. Required when `clientSecretSource` is set to `EXTERNAL` . +>>> +>>> secretId -> (string) [required] +>>> +>>>> The ID of the AWS Secrets Manager secret that stores the secret value. @@ -521 +640 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>>> Possible values: +>>>> Constraints: @@ -523,2 +642,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>>> * `TOKEN_EXCHANGE` ->>>> * `JWT_AUTHORIZATION_GRANT` +>>>> * min: `1` +>>>> * max: `2048` @@ -528 +647 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> tokenExchangeGrantTypeConfig -> (structure) +>>> jsonKey -> (string) [required] @@ -530,3 +649 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>>> Configuration specific to the TOKEN_EXCHANGE grant type (RFC 8693). ->>>> ->>>> actorTokenContent -> (string) [required] +>>>> The JSON key used to extract the secret value from the AWS Secrets Manager secret. @@ -534,9 +651 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>>>> The content type for the actor token in the token exchange. ->>>>> ->>>>> Possible values: ->>>>> ->>>>> * `NONE` ->>>>> * `M2M` ->>>>> * `AWS_IAM_ID_TOKEN_JWT` ->>>>> - +>>>> Constraints: @@ -544 +653,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>>> actorTokenScopes -> (list) +>>>> * min: `1` +>>>> * max: `128` @@ -546,9 +655,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>>>> The scopes for the actor token. Only valid when actorTokenContent is M2M. ->>>>> ->>>>> (string) ->>>>> ->>>>>> Constraints: ->>>>>> ->>>>>> * min: `1` ->>>>>> * max: `128` ->>>>>> @@ -557 +658 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->> clientAuthenticationMethod -> (string) +>> clientSecretSource -> (string) @@ -559 +660 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> The client authentication method to use when authenticating with the token endpoint. +>>> The source type of the client secret. Use `MANAGED` if the secret is managed by the service, or `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager. @@ -563,3 +664,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * `CLIENT_SECRET_BASIC` ->>> * `CLIENT_SECRET_POST` ->>> * `AWS_IAM_ID_TOKEN_JWT` +>>> * `MANAGED` +>>> * `EXTERNAL` @@ -569 +669 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc -> googleOauth2ProviderConfig -> (structure) +> githubOauth2ProviderConfig -> (structure) @@ -571 +671 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->> The configuration for a Google OAuth2 provider. +>> The configuration for a GitHub OAuth2 provider. @@ -575 +675 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc