fix(bedrock-agentcore-alpha): default Cognito User Pool for AgentCore Gateway is not set up for M2M authentication. #36323
base: main

force-pushed from f50496f to e7953de
force-pushed from e7953de to 50a727d
| /** | ||
| * The Cognito User Pool Domain created for the gateway (if using default Cognito authorizer) | ||
| */ | ||
| public userPoolDomain?: cognito.UserPoolDomain; |
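Review bot: `userPoolDomain` in this hunk is typed with the concrete `cognito.UserPoolDomain` class; a public construct property should expose the interface, `cognito.IUserPoolDomain`, so consumers depend on the contract rather than on the implementation class (the sibling `resourceServer` property has the same issue and should be `cognito.IUserPoolResourceServer`). The doc comment's "(if using default Cognito authorizer)" is also the only hint that the property is `undefined` when a custom authorizer is supplied; stating that explicitly in the comment would save readers a trip to the constructor.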
This should be using the interface
Thanks. Fixed.
| /** | ||
| * The Cognito Resource Server created for the gateway (if using default Cognito authorizer) | ||
| */ | ||
| public resourceServer?: cognito.UserPoolResourceServer; |
This should be using the interface
Fixed.
| scopeDescription: 'Read access to gateway tools', | ||
| }), | ||
| cognito.OAuthScope.resourceServer(resourceServer, { | ||
| scopeName: 'write', |
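Review bot: the `scopeName: 'write'` entry at the end of this hunk grants the default client the custom `write` scope alongside `read`, so any holder of the default client's credentials can obtain a token carrying write access to gateway tools. Because the default is what most users will deploy, suggest the README and the BREAKING CHANGE note state which scopes the default client receives, and consider accepting the scope list as a prop so a read-only client can be produced without replacing the whole default authorizer.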
By default we give write access? This seems like a potentially risky scenario, no?
This follows the AWS documentation configuration. Ref
ack
I am thinking if instead of having these changes as the default cognito auth, it should be a new type of
Pull request has been modified.
…fault lifecycleConfiguration values (aws#36379)

### Issue # (if applicable)

Closes aws#36376

### Reason for this change

The Runtime construct was incorrectly forcing default lifecycleConfiguration values even when users didn't specify them, causing unwanted lifecycle management settings to be applied and diverging from AWS Bedrock AgentCore API behavior where this configuration is completely optional.

### Description of changes

Modified to only set lifecycleConfiguration when explicitly provided by users, instead of forcing default values (idleRuntimeSessionTimeout: 900, maxLifetime: 28800)

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

* Updated and verified all existing unit tests pass
* Updated integration test snapshots that were affected by the removal of default lifecycle configuration

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

BREAKING CHANGE: Runtime constructs will no longer automatically include lifecycleConfiguration with default values when not explicitly specified by users.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

None

### Reason for this change

AWS SES now supports private access via interface VPC endpoint. https://aws.amazon.com/jp/about-aws/whats-new/2025/12/amazon-ses-vpc-api-endpoints/

### Description of changes

Add SES interface VPC endpoints

### Describe any new or updated permissions being added

None

### Description of how you validated changes

```console
❯ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --region us-east-1 --query ServiceNames | grep email
    "com.amazonaws.us-east-1.email",
    "com.amazonaws.us-east-1.email-fips",
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

### Description of changes

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

…ws#36407)

Restrict pull request trigger to specific snapshot files.

### Issue # (if applicable)

Closes #<issue number here>.

### Reason for this change

### Description of changes

### Describe any new or updated permissions being added

### Description of how you validated changes

### Checklist

- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@alvazjor AgentCore Gateway is designed for AI agents to connect and invoke tools via MCP endpoints. https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html Therefore, M2M authentication is the primary use case for inbound authorization, and the documentation guides users to set up Cognito with M2M authentication. Ref
The current default creates a Cognito User Pool Client for user authentication. While it technically works with AgentCore Gateway, creating a non-primary use case by default could confuse users. That said, there are several approaches we could take:
Since this is an alpha module, I thought option 1 would be preferable. However, if we want to minimize impact, option 2 might be better. What do you think?

We can go with option 1 for now, being an alpha package. Will review again and add any additional comments if I see something.
### Issue # (if applicable)

N/A

### Reason for this change

Gateway requires M2M authentication for service-to-service communication. The default Cognito authorizer was missing OAuth 2.0 client credentials flow configuration, making Gateway unusable for its intended purpose.

### Description of changes

Updated the default Cognito authorizer configuration to support M2M authentication:

- `read` and `write` scopes
- `userPool`, `userPoolClient`, `userPoolDomain`, `resourceServer` as public properties for Runtime integration
- Ref:

### Describe any new or updated permissions being added

N/A

### Description of how you validated changes

Add unit tests and an integ test.

BREAKING CHANGE: The User Pool Client will be replaced and new Resource Server and Domain resources will be added for existing Gateway stacks using the default Cognito authorizer.

### Checklist

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
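The PR description says the default authorizer now supports the OAuth 2.0 client credentials flow with `read` and `write` scopes. The following is an added example, not code from this PR or from the aws-cdk project, showing the two halves of that flow that the CDK resources make possible: the token request an M2M caller sends to the Cognito domain, and the claim checks a resource server applies to the access token it receives. The domain prefix, region, client id and secret, user pool id and the `gateway` resource-server identifier are constructed placeholders; nothing here is a value from the PR.

```typescript
// Added example (not code from the PR or from aws-cdk): the OAuth 2.0 client-credentials
// exchange that an M2M caller performs against the Cognito domain created for the Gateway,
// and the claim checks a resource server applies to the access token it receives.
// All identifiers (domain prefix, region, client id/secret, pool id, resource server id)
// are constructed placeholders, not values from the PR.

export interface TokenRequest {
  url: string;
  headers: Record<string, string>;
  body: string;
}

/**
 * Build the POST /oauth2/token request for the client-credentials grant.
 * Cognito takes the client id and secret as HTTP Basic credentials and the
 * requested custom scopes as "<resource-server-id>/<scope-name>", space-separated.
 */
export function buildClientCredentialsRequest(
  domainPrefix: string,
  region: string,
  clientId: string,
  clientSecret: string,
  scopes: string[],
): TokenRequest {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  const form = new URLSearchParams({ grant_type: 'client_credentials', scope: scopes.join(' ') });
  return {
    url: `https://${domainPrefix}.auth.${region}.amazoncognito.com/oauth2/token`,
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: form.toString(),
  };
}

export interface ExpectedToken {
  issuer: string;        // https://cognito-idp.<region>.amazonaws.com/<user pool id>
  clientId: string;      // the app client the resource server trusts
  requiredScope: string; // e.g. "gateway/read"
  nowSeconds: number;    // injected so the check is deterministic and testable
}

export interface ClaimCheck {
  ok: boolean;
  reason?: string;
}

/** Decode the payload segment of a compact JWS. The signature is NOT checked here. */
export function decodeJwtPayload(token: string): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

/**
 * Claim checks a resource server applies to a client-credentials access token AFTER
 * verifying its signature against the user pool's JWKS (that step is deliberately
 * outside this example). Tokens from the client-credentials grant carry
 * token_use=access, client_id and a space-separated "scope" claim; there is no user.
 */
export function checkAccessTokenClaims(claims: Record<string, unknown>, expected: ExpectedToken): ClaimCheck {
  if (claims.token_use !== 'access') return { ok: false, reason: 'token_use is not "access"' };
  if (claims.iss !== expected.issuer) return { ok: false, reason: 'issuer mismatch' };
  if (claims.client_id !== expected.clientId) return { ok: false, reason: 'client_id mismatch' };
  const exp = claims.exp;
  if (typeof exp !== 'number' || exp <= expected.nowSeconds) return { ok: false, reason: 'token expired or exp missing' };
  const scope = claims.scope;
  const granted = typeof scope === 'string' ? scope.split(' ') : [];
  if (!granted.includes(expected.requiredScope)) return { ok: false, reason: `missing scope ${expected.requiredScope}` };
  return { ok: true };
}

/** Constructed sample token (header.payload.signature) for offline use; the signature segment is a placeholder. */
export function constructedSampleToken(claims: Record<string, unknown>): string {
  const seg = (o: object) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${seg({ alg: 'RS256', kid: 'constructed-kid' })}.${seg(claims)}.constructed-signature`;
}

/** Walk the flow with constructed values: a token carrying only gateway/read passes a read check and fails a write check. */
export function demo(): { readCheck: ClaimCheck; writeCheck: ClaimCheck } {
  const request = buildClientCredentialsRequest('example-gateway', 'us-east-1', 'exampleclientid', 'examplesecret', ['gateway/read']);
  console.log(request.url, request.body);

  const issuer = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE'; // constructed
  const token = constructedSampleToken({
    iss: issuer, client_id: 'exampleclientid', sub: 'exampleclientid', token_use: 'access',
    scope: 'gateway/read', iat: 1_799_996_400, exp: 1_800_000_000,
  });
  const claims = decodeJwtPayload(token);
  const base = { issuer, clientId: 'exampleclientid', nowSeconds: 1_799_999_000 };
  return {
    readCheck: checkAccessTokenClaims(claims, { ...base, requiredScope: 'gateway/read' }),
    writeCheck: checkAccessTokenClaims(claims, { ...base, requiredScope: 'gateway/write' }),
  };
}
```

The request built here can be sent with any HTTP client; what matters for the discussion above is the `scope` parameter. A client is only issued the custom scopes it has been allowed, so a default client granted both `read` and `write` will receive `gateway/write` whenever a caller asks for it, which is why the scope list on the default client deserves the attention it got in review. On the receiving side, the scope check is only meaningful after signature, issuer and expiry verification; `nowSeconds` is injected rather than read from the clock so the check can be unit-tested.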