mazyu36 (Contributor) commented Dec 7, 2025

Issue # (if applicable)

N/A

Reason for this change

Gateway requires M2M authentication for service-to-service communication. The default Cognito authorizer was missing OAuth 2.0 client credentials flow configuration, making Gateway unusable for its intended purpose.

Description of changes

Updated the default Cognito authorizer configuration to support M2M authentication:

  • Added Cognito Resource Server with read and write scopes
  • Enabled OAuth 2.0 client credentials flow in User Pool Client
  • Created Cognito Domain for OAuth2 token endpoint access
  • Exposed Cognito resources (userPool, userPoolClient, userPoolDomain, resourceServer) as public properties for Runtime integration

Ref:

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Add unit tests and an integ test.

BREAKING CHANGE: The User Pool Client will be replaced and new Resource Server and Domain resources will be added for existing Gateway stacks using the default Cognito authorizer.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
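The flow this change enables, as an added example that is not code from the PR or the CDK project: the client_credentials token request a caller (such as the Runtime) sends to the Cognito domain's token endpoint, and the gateway-side check on the claims of the access token it receives. The domain, issuer, resource server identifier and scope names are constructed placeholders.

```python
import base64
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed sample values (not from the PR): a real deployment uses the
# Cognito domain, user pool id and resource server identifier its stack creates.
COGNITO_DOMAIN = "https://example-gateway.auth.us-east-1.amazoncognito.com"
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
RESOURCE_SERVER_ID = "gateway"  # hypothetical resource server identifier
SCOPES = {f"{RESOURCE_SERVER_ID}/read", f"{RESOURCE_SERVER_ID}/write"}


def build_token_request(client_id: str, client_secret: str, scopes: set) -> dict:
    """Request a caller sends to the Cognito domain's /oauth2/token endpoint
    for the client_credentials grant (RFC 6749 section 4.4). The client id
    and secret travel in an HTTP Basic header, not in the URL or body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": f"{COGNITO_DOMAIN}/oauth2/token",
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "grant_type": "client_credentials",
            "scope": " ".join(sorted(scopes)),  # space-separated, e.g. gateway/read
        }),
    }


def authorize_m2m_claims(claims: dict, expected_client_id: str,
                         required_scope: str, now: Optional[float] = None) -> bool:
    """Gateway-side decision on the claims of an access token whose JWT
    signature has already been verified against the user pool's JWKS.
    A client_credentials token carries no user identity: token_use is
    "access", client_id names the calling client, and authorization rests
    on the scope claim granted from the resource server's scopes."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("token_use") != "access":
        return False
    if claims.get("client_id") != expected_client_id:
        return False
    if float(claims.get("exp", 0)) <= now:
        return False
    granted = set(claims.get("scope", "").split())
    # Reject scopes the resource server never defined, then require the one needed.
    return granted <= SCOPES and required_scope in granted
```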

@github-actions github-actions bot added the p2 label Dec 7, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team December 7, 2025 03:04
@github-actions github-actions bot added the distinguished-contributor [Pilot] contributed 50+ PRs to the CDK label Dec 7, 2025
@mazyu36 mazyu36 changed the title fix(bedrock-agentcore): default Cognito User pool is not set up for M2M authentication. fix(bedrock-agentcore): default Cognito User Pool for AgentCore Gateway is not set up for M2M authentication. Dec 7, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Dec 7, 2025
@mazyu36 mazyu36 force-pushed the fix/agentcore-gateway branch 2 times, most recently from f50496f to e7953de December 8, 2025 15:17
@mazyu36 mazyu36 force-pushed the fix/agentcore-gateway branch from e7953de to 50a727d December 9, 2025 08:52
@mazyu36 mazyu36 marked this pull request as ready for review December 9, 2025 10:46
github-actions bot (Contributor) commented Dec 9, 2025

Security Guardian Results: 130 ran, 127 passed, 3 failed

Failing templates (rule iam-no-wildcard-actions-inline.guard):
  packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/gateway/integ.gateway-with-runtime-m2m.js.snapshot/BedrockAgentCoreRuntimeGatewayM2MIntegTest.template.json: failure
  packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/gateway/integ.gateway.js.snapshot/BedrockAgentCoreGatewayIntegTest.template.json: failure
  packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/gateway/integ.target.js.snapshot/BedrockAgentCoreTargetIntegTest.template.json: failure

github-actions bot (Contributor) commented Dec 9, 2025

Security Guardian Results with resolved templates: 130 ran, 127 passed, 3 failed

Failing templates (rule iam-no-wildcard-actions-inline.guard):
  packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/gateway/integ.gateway-with-runtime-m2m.js.snapshot/BedrockAgentCoreRuntimeGatewayM2MIntegTest.template.json: failure
  packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/gateway/integ.gateway.js.snapshot/BedrockAgentCoreGatewayIntegTest.template.json: failure
  packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/gateway/integ.target.js.snapshot/BedrockAgentCoreTargetIntegTest.template.json: failure

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Dec 9, 2025
@alvazjor alvazjor self-assigned this Dec 9, 2025
@alvazjor alvazjor changed the title fix(bedrock-agentcore): default Cognito User Pool for AgentCore Gateway is not set up for M2M authentication. fix(bedrock-agentcore-alpha): default Cognito User Pool for AgentCore Gateway is not set up for M2M authentication. Dec 9, 2025