AWS Security ChangesHomeSearch

AWS agent-toolkit documentation change

Service: agent-toolkit · 2026-07-10 · Documentation low

File: agent-toolkit/latest/userguide/security_iam_service-with-iam.md

Summary

Added documentation for OAuth condition keys in AWS Sign-in including OAuthClientId, OAuthRedirectUri, OAuthGrantType, and OAuthClientAuthentication keys with usage guidance

Security assessment

The change introduces new OAuth-specific condition keys for fine-grained access control but provides no evidence of addressing a specific vulnerability. It proactively documents security features for OAuth authentication flows.

Diff

diff --git a/agent-toolkit/latest/userguide/security_iam_service-with-iam.md b/agent-toolkit/latest/userguide/security_iam_service-with-iam.md
index 1d1e60d72..e80d35758 100644
--- a//agent-toolkit/latest/userguide/security_iam_service-with-iam.md
+++ b//agent-toolkit/latest/userguide/security_iam_service-with-iam.md
@@ -7 +7 @@
-Authorization flowMCP condition context keysIdentity-based policiesTemporary credentialsDeprecated actions
+Authorization flowMCP condition context keysOAuth condition keysIdentity-based policiesTemporary credentialsDeprecated actions
@@ -58,0 +59,48 @@ For more information about global condition context keys, see [IAM condition con
+## OAuth condition keys for AWS Sign-in
+
+When you use OAuth authentication with AWS MCP Server through AWS Sign-in, the following service-specific condition keys are available in the `signin:` namespace. Use these keys in IAM policies and SCPs to govern how OAuth is used within your organization.
+
+`signin:OAuthClientId`
+    
+
+The ARN of the OAuth client making the request. Use this key to allow only approved OAuth clients to access AWS MCP Server.
+
+Type: String (ARN)
+
+Applies to: `signin:AuthorizeOAuth2Access`, `signin:CreateOAuth2Token`
+
+`signin:OAuthRedirectUri`
+    
+
+The redirect URI used in the authorization request. Use this key to restrict token delivery to trusted redirect URIs such as localhost or corporate domains.
+
+Type: String
+
+Applies to: `signin:AuthorizeOAuth2Access`
+
+`signin:OAuthGrantType`
+    
+
+The OAuth grant type being used. Use this key to control which OAuth authorization flows are permitted.
+
+Type: String
+
+Example values: `authorization_code`, `refresh_token`, `client_credentials`
+
+Applies to: `signin:CreateOAuth2Token`
+
+`signin:OAuthClientAuthentication`
+    
+
+The client authentication method used. Use this key to require specific authentication methods.
+
+Type: String
+
+Example values: `none`, `client_secret_basic`, `client_secret_post`
+
+Applies to: `signin:CreateOAuth2Token`
+
+OAuth access tokens carry the `aws:SignInSessionArn` global condition key. This key contains the unique ARN of the AWS Sign-in session.
+
+For more information about OAuth condition keys, see [OAuth condition keys reference](https://docs.aws.amazon.com/signin/latest/userguide/reference-signin-condition-keys.html) in the _AWS Sign-in User Guide_. For OAuth authentication setup and governance examples, see [OAuth 2.1 authentication for AWS MCP Server](./oauth-authentication.html).
+