AWS cli documentation change
Summary
Updated payment credential provider documentation to support external secret management via AWS Secrets Manager. Added new configuration parameters (apiKeySecretSource, walletSecretSource, appSecretSource, authorizationPrivateKeySource) and corresponding secretConfig structures with secretId and jsonKey fields. Removed 'required' constraint from direct secret fields and updated validation patterns.
Security assessment
The changes introduce explicit support for external secret management using AWS Secrets Manager (through new EXTERNAL source options). This enhances security by allowing secrets to be stored/managed in Secrets Manager instead of being passed directly. However, there's no evidence this change addresses a specific vulnerability; it documents new security capabilities.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/update-payment-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/update-payment-credential-provider.md index f995a201b..7340fc4db 100644 --- a//cli/latest/reference/bedrock-agentcore-control/update-payment-credential-provider.md +++ b//cli/latest/reference/bedrock-agentcore-control/update-payment-credential-provider.md @@ -15 +15 @@ - * [AWS CLI 2.34.55 Command Reference](../../index.html) » + * [AWS CLI 2.34.57 Command Reference](../../index.html) » @@ -142 +142 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->> apiKeySecret -> (string) [required] +>> apiKeySecret -> (string) @@ -148 +148 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * min: `1` +>>> * min: `0` @@ -150 +150,31 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * pattern: `[a-zA-Z0-9+/=\-_\s]+` +>>> * pattern: `[a-zA-Z0-9+/=\-_\s]*` +>>> + +>> +>> apiKeySecretSource -> (string) +>> +>>> The source type of the API key secret for the Coinbase Developer Platform. Use `MANAGED` if the secret is managed by the service, or `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager. +>>> +>>> Possible values: +>>> +>>> * `MANAGED` +>>> * `EXTERNAL` +>>> + +>> +>> apiKeySecretConfig -> (structure) +>> +>>> A reference to the AWS Secrets Manager secret that stores the API key secret. This includes the secret ID and the JSON key used to extract the API key secret value from the secret. Required when `apiKeySecretSource` is set to `EXTERNAL` . +>>> +>>> secretId -> (string) [required] +>>> +>>>> The ID of the AWS Secrets Manager secret that stores the secret value. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `2048` +>>>> + +>>> +>>> jsonKey -> (string) [required] @@ -151,0 +182,7 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>>>> The JSON key used to extract the secret value from the AWS Secrets Manager secret. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `128` +>>>> @@ -154 +191 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->> walletSecret -> (string) [required] +>> walletSecret -> (string) @@ -160 +197 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * min: `1` +>>> * min: `0` @@ -162 +199,29 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * pattern: `[a-zA-Z0-9+/=\-_\s]+` +>>> * pattern: `[a-zA-Z0-9+/=\-_\s]*` +>>> + +>> +>> walletSecretSource -> (string) +>> +>>> The source type of the wallet secret for the Coinbase Developer Platform. Use `MANAGED` if the secret is managed by the service, or `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager. +>>> +>>> Possible values: +>>> +>>> * `MANAGED` +>>> * `EXTERNAL` +>>> + +>> +>> walletSecretConfig -> (structure) +>> +>>> A reference to the AWS Secrets Manager secret that stores the wallet secret. This includes the secret ID and the JSON key used to extract the wallet secret value from the secret. Required when `walletSecretSource` is set to `EXTERNAL` . +>>> +>>> secretId -> (string) [required] +>>> +>>>> The ID of the AWS Secrets Manager secret that stores the secret value. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `2048` +>>>> + @@ -163,0 +229,9 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>>> jsonKey -> (string) [required] +>>> +>>>> The JSON key used to extract the secret value from the AWS Secrets Manager secret. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `128` +>>>> @@ -182 +256 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->> appSecret -> (string) [required] +>> appSecret -> (string) @@ -188 +262 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * min: `1` +>>> * min: `0` @@ -190 +264,18 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * pattern: `[a-zA-Z0-9+/=\-_\s]+` +>>> * pattern: `[a-zA-Z0-9+/=\-_\s]*` +>>> + +>> +>> appSecretSource -> (string) +>> +>>> The source type of the app secret. Use `MANAGED` if the secret is managed by the service, or `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager. +>>> +>>> Possible values: +>>> +>>> * `MANAGED` +>>> * `EXTERNAL` +>>> + +>> +>> appSecretConfig -> (structure) +>> +>>> A reference to the AWS Secrets Manager secret that stores the app secret. This includes the secret ID and the JSON key used to extract the app secret value from the secret. Required when `appSecretSource` is set to `EXTERNAL` . @@ -191,0 +283,20 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>>> secretId -> (string) [required] +>>> +>>>> The ID of the AWS Secrets Manager secret that stores the secret value. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `2048` +>>>> + +>>> +>>> jsonKey -> (string) [required] +>>> +>>>> The JSON key used to extract the secret value from the AWS Secrets Manager secret. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `128` +>>>> @@ -194 +305 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->> authorizationPrivateKey -> (string) [required] +>> authorizationPrivateKey -> (string) @@ -200 +311 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * min: `1` +>>> * min: `0` @@ -202 +313,12 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * pattern: `[a-zA-Z0-9+/=\-_\s]+` +>>> * pattern: `[a-zA-Z0-9+/=\-_\s]*` +>>> + +>> +>> authorizationPrivateKeySource -> (string) +>> +>>> The source type of the authorization private key. Use `MANAGED` if the secret is managed by the service, or `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager. +>>> +>>> Possible values: +>>> +>>> * `MANAGED` +>>> * `EXTERNAL` @@ -204,0 +327,26 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>> +>> authorizationPrivateKeyConfig -> (structure) +>> +>>> A reference to the AWS Secrets Manager secret that stores the authorization private key. This includes the secret ID and the JSON key used to extract the authorization private key value from the secret. Required when `authorizationPrivateKeySource` is set to `EXTERNAL` . +>>> +>>> secretId -> (string) [required] +>>> +>>>> The ID of the AWS Secrets Manager secret that stores the secret value. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `2048` +>>>> + +>>> +>>> jsonKey -> (string) [required] +>>> +>>>> The JSON key used to extract the secret value from the AWS Secrets Manager secret. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `128` +>>>> + @@ -221 +369 @@ Shorthand Syntax: - coinbaseCdpConfiguration={apiKeyId=string,apiKeySecret=string,walletSecret=string},stripePrivyConfiguration={appId=string,appSecret=string,authorizationPrivateKey=string,authorizationId=string} + coinbaseCdpConfiguration={apiKeyId=string,apiKeySecret=string,apiKeySecretSource=string,apiKeySecretConfig={secretId=string,jsonKey=string},walletSecret=string,walletSecretSource=string,walletSecretConfig={secretId=string,jsonKey=string}},stripePrivyConfiguration={appId=string,appSecret=string,appSecretSource=string,appSecretConfig={secretId=string,jsonKey=string},authorizationPrivateKey=string,authorizationPrivateKeySource=string,authorizationPrivateKeyConfig={secretId=string,jsonKey=string},authorizationId=string} @@ -231 +379,11 @@ JSON Syntax: - "walletSecret": "string"