AWS bedrock-agentcore documentation change
Summary
Added Secrets Manager integration option for client secrets and clarified that selection method cannot be changed after creation.
Security assessment
Documents secure secret storage alternative but lacks evidence of fixing a specific vulnerability. Adds security feature documentation.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-update-oauth-client.md b/bedrock-agentcore/latest/devguide/identity-update-oauth-client.md index afbb496d0..88411c01b 100644 --- a//bedrock-agentcore/latest/devguide/identity-update-oauth-client.md +++ b//bedrock-agentcore/latest/devguide/identity-update-oauth-client.md @@ -19 +19,11 @@ You can modify the configuration settings for your existing OAuth client. For ex - 4. On the **Update OAuth Client** page, update the information as needed. + 4. On the **Update OAuth Client** page, update the information as needed. For **Client secret selection method** , choose one of the following options: + + 1. **Provide Client secret** – Enter the client secret value directly. + + 1. For **Client secret** , enter the updated confidential key associated with your client ID. AgentCore Identity securely stores this value for authentication. + + 2. **Provide Client secret via Secrets Manager** – Reference a secret stored in AWS Secrets Manager instead of entering the value directly. + + 1. For **Secrets Manager** , enter or select the ARN of the Secrets Manager secret that contains your client secret. + + 2. For **JSON key** , enter the JSON key in your Secrets Manager secret that contains the client secret value for your OAuth client. @@ -27,0 +38,4 @@ The updated OAuth client configuration takes effect immediately and will be used +###### Note + +You cannot switch between providing a client secret directly and referencing one stored in AWS Secrets Manager. To change the client secret selection method, delete the OAuth client and create a new one. +