AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-07-10 · Documentation low

File: cli/latest/reference/bedrock-agentcore-control/create-gateway.md

Summary

Added documentation for 'advertisedScopeMapping' parameter in OAuth configuration, which maps internal scopes to externally advertised values for token validation and client communication.

Security assessment

The change documents a new security feature for OAuth scope mapping that enhances security by decoupling internal validation scopes from externally advertised values. This prevents exposure of internal scope names in metadata/headers, reducing information leakage. No vulnerability fix is indicated.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore-control/create-gateway.md b/cli/latest/reference/bedrock-agentcore-control/create-gateway.md
index acfce28fd..2dd683b62 100644
--- a//cli/latest/reference/bedrock-agentcore-control/create-gateway.md
+++ b//cli/latest/reference/bedrock-agentcore-control/create-gateway.md
@@ -15 +15 @@
-  * [AWS CLI 2.35.16 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.19 Command Reference](../../index.html) »
@@ -331,0 +332,31 @@ JSON Syntax:
+>> 
+>> advertisedScopeMapping -> (map)
+>>
+>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `50`
+>>> 
+
+>>> 
+>>> key -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
+>>> 
+>>> value -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
@@ -768,0 +800,2 @@ JSON Syntax:
+        "advertisedScopeMapping": {"string": "string"
+          ...},
@@ -1444,0 +1478,31 @@ authorizerConfiguration -> (tagged union structure)
+>> 
+>> advertisedScopeMapping -> (map)
+>>
+>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `50`
+>>> 
+
+>>> 
+>>> key -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
+>>> 
+>>> value -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
@@ -2109 +2173 @@ wafConfiguration -> (structure)
-  * [AWS CLI 2.35.16 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.19 Command Reference](../../index.html) »