AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-05-31 · Documentation low

File: cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md

Summary

Added support for external client secret storage in AWS Secrets Manager, client secret source specification, on-behalf-of token exchange configuration, and client authentication methods for OAuth2 credential providers.

Security assessment

The changes introduce documentation for securely managing client secrets through AWS Secrets Manager integration (clientSecretConfig with secretId/jsonKey), specify client secret source options (MANAGED/EXTERNAL), and add authentication methods like token exchange flows (RFC 8693/RFC 7523). These enhance security by enabling secure credential storage and additional authentication protocols, but don't address a specific vulnerability.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md
index 74562a426..a673d6d2b 100644
--- a//cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md
+++ b//cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.55 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.57 Command Reference](../../index.html) »
@@ -232,0 +233,93 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+>> 
+>> clientSecretConfig -> (structure)
+>>
+>>> A reference to the AWS Secrets Manager secret that stores the client secret. This includes the secret ID and the JSON key used to extract the client secret value from the secret. Required when `clientSecretSource` is set to `EXTERNAL` .
+>>> 
+>>> secretId -> (string) [required]
+>>>
+>>>> The ID of the AWS Secrets Manager secret that stores the secret value.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `2048`
+>>>> 
+
+>>> 
+>>> jsonKey -> (string) [required]
+>>>
+>>>> The JSON key used to extract the secret value from the AWS Secrets Manager secret.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `128`
+>>>> 
+
+>> 
+>> clientSecretSource -> (string)
+>>
+>>> The source type of the client secret. Use `MANAGED` if the secret is managed by the service, or `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager.
+>>> 
+>>> Possible values:
+>>> 
+>>>   * `MANAGED`
+>>>   * `EXTERNAL`
+>>> 
+
+>> 
+>> onBehalfOfTokenExchangeConfig -> (structure)
+>>
+>>> The configuration for on-behalf-of token exchange. This enables authentication flows that use RFC 8693 token exchange or RFC 7523 JWT authorization grants.
+>>> 
+>>> grantType -> (string) [required]
+>>>
+>>>> The grant type for the on-behalf-of token exchange.
+>>>> 
+>>>> Possible values:
+>>>> 
+>>>>   * `TOKEN_EXCHANGE`
+>>>>   * `JWT_AUTHORIZATION_GRANT`
+>>>> 
+
+>>> 
+>>> tokenExchangeGrantTypeConfig -> (structure)
+>>>
+>>>> Configuration specific to the TOKEN_EXCHANGE grant type (RFC 8693).
+>>>> 
+>>>> actorTokenContent -> (string) [required]
+>>>>
+>>>>> The content type for the actor token in the token exchange.
+>>>>> 
+>>>>> Possible values:
+>>>>> 
+>>>>>   * `NONE`
+>>>>>   * `M2M`
+>>>>>   * `AWS_IAM_ID_TOKEN_JWT`
+>>>>> 
+
+>>>> 
+>>>> actorTokenScopes -> (list)
+>>>>
+>>>>> The scopes for the actor token. Only valid when actorTokenContent is M2M.
+>>>>> 
+>>>>> (string)
+>>>>>
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `1`
+>>>>>>   * max: `128`
+>>>>>> 
+
+>> 
+>> clientAuthenticationMethod -> (string)
+>>
+>>> The client authentication method to use when authenticating with the token endpoint.
+>>> 
+>>> Possible values:
+>>> 
+>>>   * `CLIENT_SECRET_BASIC`
+>>>   * `CLIENT_SECRET_POST`
+>>>   * `AWS_IAM_ID_TOKEN_JWT`
+>>> 
+
@@ -510,0 +604,4 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+> 
+> googleOauth2ProviderConfig -> (structure)
+>
+>> The configuration for a Google OAuth2 provider.
@@ -512 +609 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->> onBehalfOfTokenExchangeConfig -> (structure)
+>> clientId -> (string) [required]
@@ -514 +611 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>> The configuration for on-behalf-of token exchange. This enables authentication flows that use RFC 8693 token exchange or RFC 7523 JWT authorization grants.
+>>> The client ID for the Google OAuth2 provider.
@@ -516 +613 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>> grantType -> (string) [required]
+>>> Constraints:
@@ -518 +615,23 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>> The grant type for the on-behalf-of token exchange.
+>>>   * min: `1`
+>>>   * max: `256`
+>>> 
+
+>> 
+>> clientSecret -> (string)
+>>
+>>> The client secret for the Google OAuth2 provider.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `0`
+>>>   * max: `2048`
+>>> 
+
+>> 
+>> clientSecretConfig -> (structure)
+>>
+>>> A reference to the AWS Secrets Manager secret that stores the client secret. This includes the secret ID and the JSON key used to extract the client secret value from the secret. Required when `clientSecretSource` is set to `EXTERNAL` .
+>>> 
+>>> secretId -> (string) [required]
+>>>
+>>>> The ID of the AWS Secrets Manager secret that stores the secret value.
@@ -520 +639 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>> Possible values:
+>>>> Constraints:
@@ -522,2 +641,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>>   * `TOKEN_EXCHANGE`
->>>>   * `JWT_AUTHORIZATION_GRANT`
+>>>>   * min: `1`
+>>>>   * max: `2048`
@@ -527 +646 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>> tokenExchangeGrantTypeConfig -> (structure)
+>>> jsonKey -> (string) [required]
@@ -529,3 +648 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>> Configuration specific to the TOKEN_EXCHANGE grant type (RFC 8693).
->>>> 
->>>> actorTokenContent -> (string) [required]
+>>>> The JSON key used to extract the secret value from the AWS Secrets Manager secret.
@@ -533,9 +650 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>>> The content type for the actor token in the token exchange.
->>>>> 
->>>>> Possible values:
->>>>> 
->>>>>   * `NONE`
->>>>>   * `M2M`
->>>>>   * `AWS_IAM_ID_TOKEN_JWT`
->>>>> 
-
+>>>> Constraints:
@@ -543 +652,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>> actorTokenScopes -> (list)
+>>>>   * min: `1`
+>>>>   * max: `128`
@@ -545,9 +654,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>>> The scopes for the actor token. Only valid when actorTokenContent is M2M.
->>>>> 
->>>>> (string)
->>>>>
->>>>>> Constraints:
->>>>>> 
->>>>>>   * min: `1`
->>>>>>   * max: `128`
->>>>>> 
@@ -556 +657 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->> clientAuthenticationMethod -> (string)
+>> clientSecretSource -> (string)
@@ -558 +659 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>> The client authentication method to use when authenticating with the token endpoint.
+>>> The source type of the client secret. Use `MANAGED` if the secret is managed by the service, or `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager.
@@ -562,3 +663,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->>>   * `CLIENT_SECRET_BASIC`
->>>   * `CLIENT_SECRET_POST`
->>>   * `AWS_IAM_ID_TOKEN_JWT`
+>>>   * `MANAGED`
+>>>   * `EXTERNAL`
@@ -568 +668 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
-> googleOauth2ProviderConfig -> (structure)
+> githubOauth2ProviderConfig -> (structure)
@@ -570 +670 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
->> The configuration for a Google OAuth2 provider.
+>> The configuration for a GitHub OAuth2 provider.
@@ -574 +674 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc