AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-07-10 · Documentation low

File: cli/latest/reference/bedrock-agentcore-control/create-payment-manager.md

Summary

Added documentation for 'advertisedScopeMapping' parameter in OAuth configuration, allowing scope mapping between identity provider and service tokens

Security assessment

The change documents new OAuth security configuration options for scope mapping between identity providers and services. This enhances security by allowing proper scope validation and advertisement in WWW-Authenticate headers, but doesn't fix a specific vulnerability.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore-control/create-payment-manager.md b/cli/latest/reference/bedrock-agentcore-control/create-payment-manager.md
index e8ae0deee..b278e9869 100644
--- a//cli/latest/reference/bedrock-agentcore-control/create-payment-manager.md
+++ b//cli/latest/reference/bedrock-agentcore-control/create-payment-manager.md
@@ -15 +15 @@
-  * [AWS CLI 2.35.16 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.19 Command Reference](../../index.html) »
@@ -205,0 +206,31 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+>> 
+>> advertisedScopeMapping -> (map)
+>>
+>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `50`
+>>> 
+
+>>> 
+>>> key -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
+>>> 
+>>> value -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
@@ -642,0 +674,2 @@ JSON Syntax:
+        "advertisedScopeMapping": {"string": "string"
+          ...},
@@ -996,0 +1030,31 @@ authorizerConfiguration -> (tagged union structure)
+>> 
+>> advertisedScopeMapping -> (map)
+>>
+>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `50`
+>>> 
+
+>>> 
+>>> key -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
+>>> 
+>>> value -> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `255`
+>>>>   * pattern: `[\x21\x23-\x5B\x5D-\x7E]+`
+>>>> 
+
@@ -1513 +1577 @@ tags -> (map)
-  * [AWS CLI 2.35.16 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.19 Command Reference](../../index.html) »