AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-07-10 · Documentation low

File: cli/latest/reference/bedrock-agentcore-control/create-harness.md

Summary

Added documentation for 'advertisedScopeMapping' parameter in harness configuration, enabling mapping between internal token validation scopes and externally advertised OAuth scopes.

Security assessment

Documents a security enhancement for OAuth implementations that allows separation of internal and external scope names. This improves security by preventing internal scope naming conventions from being exposed in client-facing metadata, but doesn't address a specific vulnerability.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore-control/create-harness.md b/cli/latest/reference/bedrock-agentcore-control/create-harness.md
index ae42709e9..8aeea88ca 100644
--- a//cli/latest/reference/bedrock-agentcore-control/create-harness.md
+++ b//cli/latest/reference/bedrock-agentcore-control/create-harness.md
@@ -15 +15 @@
-  * [AWS CLI 2.35.16 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.19 Command Reference](../../index.html) »
@@ -529,0 +530,31 @@ JSON Syntax:
+>> 
+>> advertisedScopeMapping -> (map)
+>>
+>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `50`
+>>> 
+
+>>> 
+>>> key -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
+>>> 
+>>> value -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
@@ -966,0 +998,2 @@ JSON Syntax:
+        "advertisedScopeMapping": {"string": "string"
+          ...},
@@ -3298,0 +3332,31 @@ harness -> (structure)
+>>> 
+>>> advertisedScopeMapping -> (map)
+>>>
+>>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `50`
+>>>> 
+
+>>>> 
+>>>> key -> (string)
+>>>>
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `255`
+>>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>>> 
+
+>>>> 
+>>>> value -> (string)
+>>>>
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `255`
+>>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>>> 
+
@@ -3868 +3932 @@ harness -> (structure)
-  * [AWS CLI 2.35.16 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.19 Command Reference](../../index.html) »