r/aws_bedrockagentcore_oauth2_credential_provider: add on_behalf_of_token_exchange_config block#48658
Open
rh0dy wants to merge 2 commits into
Open
r/aws_bedrockagentcore_oauth2_credential_provider: add on_behalf_of_token_exchange_config block#48658rh0dy wants to merge 2 commits into
rh0dy wants to merge 2 commits into
Conversation
…oken_exchange_config block for OBO token exchange
Contributor
Community GuidelinesThis comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀 Voting for Prioritization
Pull Request Authors
|
jesseturner21
pushed a commit
to jesseturner21/terraform-provider-aws
that referenced
this pull request
Jul 1, 2026
…t config and custom endpoint/token-exchange Stacked on hashicorp#48517 (jesseturner21). Adds the remaining CreateOauth2CredentialProviderInput gaps not covered by hashicorp#48517 or hashicorp#48658: - client_secret_source + client_secret_config (external AWS Secrets Manager secret) on all provider blocks - custom-only: client_authentication_method, on_behalf_of_token_exchange_config (+ token_exchange_grant_type_config), private_endpoint, private_endpoint_overrides Verified against aws-sdk-go-v2 service/bedrockagentcorecontrol v1.45.1. NOT PUSHED — awaiting coordination with hashicorp#48517 author before contributing upstream.
|
Hi @rh0dy, heads-up on some overlap we have #48517 open (opened a few days earlier) which adds this same Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rollback Plan
If a change needs to be reverted, we will publish an updated version of the library.
Changes to Security Controls
No changes to the provider's own security controls. This adds a new optional configuration block that is passed through to the AWS Bedrock AgentCore API; the on-behalf-of token exchange it configures is brokered server-side by AWS AgentCore Identity. OAuth client credentials continue to be handled by the existing write-only attributes/AWS Secrets Manager integration on this resource and are unchanged.
Description
Adds the
oauth2_provider_config.custom_oauth2_provider_config.on_behalf_of_token_exchange_configblock toaws_bedrockagentcore_oauth2_credential_provider, enabling on-behalf-of (OBO) token exchange on custom OAuth2 credential providers.The new block supports:
grant_type(Required)TOKEN_EXCHANGE(RFC 8693) orJWT_AUTHORIZATION_GRANT(RFC 7523)token_exchange_grant_type_config(Optional) used with theTOKEN_EXCHANGEgrant type:actor_token_content(Required)M2M,AWS_IAM_ID_TOKEN_JWT, orNONEactor_token_scopes(Optional) scopes for the actor token; only valid whenactor_token_contentisM2MIncludes acceptance test coverage and documentation.
Relations
Relates #48486.
References
Output from Acceptance Testing