Add external secret config and custom endpoint/token-exchange to oauth2 credential provider#1
Merged
jesseturner21 merged 1 commit intoJul 1, 2026
Conversation
…t config and custom endpoint/token-exchange Stacked on hashicorp#48517 (jesseturner21). Adds the remaining CreateOauth2CredentialProviderInput gaps not covered by hashicorp#48517 or hashicorp#48658: - client_secret_source + client_secret_config (external AWS Secrets Manager secret) on all provider blocks - custom-only: client_authentication_method, on_behalf_of_token_exchange_config (+ token_exchange_grant_type_config), private_endpoint, private_endpoint_overrides Verified against aws-sdk-go-v2 service/bedrockagentcorecontrol v1.45.1. NOT PUSHED — awaiting coordination with hashicorp#48517 author before contributing upstream.
Community GuidelinesThis comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀 Voting for Prioritization
Pull Request Authors
|
7467c62
into
jesseturner21:agentcore/oauth2_credential_provider
4 of 5 checks passed
|
Warning This Issue has been closed, meaning that any additional comments are much easier for the maintainers to miss. Please assume that the maintainers will not see them. Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stacked on top of your hashicorp#48517. This adds the remaining
CreateOauth2CredentialProviderInputgaps that aren't covered by your PR, soaws_bedrockagentcore_oauth2_credential_providerreaches full parity with the SDK shape:On all provider blocks:
client_secret_source(MANAGED/EXTERNAL) +client_secret_config(secret_id,json_key) — reference an externally-managed AWS Secrets Manager secret for the client secret.On
custom_oauth2_provider_config:client_authentication_method(CLIENT_SECRET_BASIC/CLIENT_SECRET_POST/AWS_IAM_ID_TOKEN_JWT)on_behalf_of_token_exchange_config(+ nestedtoken_exchange_grant_type_config) — RFC 8693 / RFC 7523 flowsprivate_endpoint+private_endpoint_overrides— reuses the existing private-endpoint models fromaws_bedrockagentcore_gateway_targetIf you merge this into your branch, it rides along with hashicorp#48517.
Verified against
aws-sdk-go-v2service/bedrockagentcorecontrolv1.45.1.Heads up on overlap: the
on_behalf_of_token_exchange_configblock here also exists in @rh0dy's hashicorp#48658. Whichever of these lands second will need a small rebase around that block — flagging so it's not a surprise. Happy to drop it here if you'd rather it come solely via hashicorp#48658.Acceptance test