11import { SecureCredentials , readEnvFile } from '../../../lib' ;
22import type { AgentCoreProjectSpec , Credential } from '../../../schema' ;
3- import { getCredentialProvider } from '../../aws' ;
3+ import { createControlClient , getCredentialProvider } from '../../aws' ;
44import { isNoCredentialsError } from '../../errors' ;
55import { getAwsLoginGuidance } from '../../external-requirements/checks' ;
66import { computeDefaultCredentialEnvVarName } from '../../primitives/credential-utils' ;
@@ -13,7 +13,7 @@ import {
1313 updateApiKeyProvider ,
1414 updateOAuth2Provider ,
1515} from '../identity' ;
16- import { BedrockAgentCoreControlClient , GetTokenVaultCommand } from '@aws-sdk/client-bedrock-agentcore-control' ;
16+ import { type BedrockAgentCoreControlClient , GetTokenVaultCommand } from '@aws-sdk/client-bedrock-agentcore-control' ;
1717import { CreateKeyCommand , KMSClient } from '@aws-sdk/client-kms' ;
1818
1919// ─────────────────────────────────────────────────────────────────────────────
@@ -55,19 +55,17 @@ export interface SetupApiKeyProvidersOptions {
5555export async function setupApiKeyProviders ( options : SetupApiKeyProvidersOptions ) : Promise < PreDeployIdentityResult > {
5656 const { projectSpec, configBaseDir, region, runtimeCredentials, enableKmsEncryption } = options ;
5757 const results : ApiKeyProviderSetupResult [ ] = [ ] ;
58- const credentials = getCredentialProvider ( ) ;
59-
6058 const envVars = await readEnvFile ( configBaseDir ) ;
6159 // Wrap env vars in SecureCredentials and merge with runtime credentials
6260 const envCredentials = SecureCredentials . fromEnvVars ( envVars ) ;
6361 const allCredentials = runtimeCredentials ? envCredentials . merge ( runtimeCredentials ) : envCredentials ;
6462
65- const client = new BedrockAgentCoreControlClient ( { region, credentials } ) ;
63+ const client = createControlClient ( region ) ;
6664
6765 // Configure KMS encryption for token vault if enabled
6866 let kmsKeyArn : string | undefined ;
6967 if ( enableKmsEncryption ) {
70- const kmsResult = await setupTokenVaultKms ( region , credentials , projectSpec ) ;
68+ const kmsResult = await setupTokenVaultKms ( region , projectSpec ) ;
7169 if ( ! kmsResult . success ) {
7270 return {
7371 results : [
@@ -100,11 +98,10 @@ export async function setupApiKeyProviders(options: SetupApiKeyProvidersOptions)
10098
10199async function setupTokenVaultKms (
102100 region : string ,
103- credentials : ReturnType < typeof getCredentialProvider > ,
104101 projectSpec : AgentCoreProjectSpec
105102) : Promise < { success : boolean ; keyArn ?: string ; error ?: string } > {
106103 try {
107- const controlClient = new BedrockAgentCoreControlClient ( { region, credentials } ) ;
104+ const controlClient = createControlClient ( region ) ;
108105
109106 // Check if the token vault already has a customer-managed key
110107 try {
@@ -120,7 +117,7 @@ async function setupTokenVaultKms(
120117 }
121118
122119 // No CMK configured — create a new KMS key and set it on the vault
123- const kmsClient = new KMSClient ( { region, credentials } ) ;
120+ const kmsClient = new KMSClient ( { region, credentials : getCredentialProvider ( ) } ) ;
124121 const response = await kmsClient . send (
125122 new CreateKeyCommand ( {
126123 Description : `AgentCore Identity encryption key for ${ projectSpec . name } ` ,
@@ -289,13 +286,12 @@ export interface PreDeployOAuth2Result {
289286export async function setupOAuth2Providers ( options : SetupOAuth2ProvidersOptions ) : Promise < PreDeployOAuth2Result > {
290287 const { projectSpec, configBaseDir, region, runtimeCredentials } = options ;
291288 const results : OAuth2ProviderSetupResult [ ] = [ ] ;
292- const credentials = getCredentialProvider ( ) ;
293289
294290 const envVars = await readEnvFile ( configBaseDir ) ;
295291 const envCredentials = SecureCredentials . fromEnvVars ( envVars ) ;
296292 const allCredentials = runtimeCredentials ? envCredentials . merge ( runtimeCredentials ) : envCredentials ;
297293
298- const client = new BedrockAgentCoreControlClient ( { region, credentials } ) ;
294+ const client = createControlClient ( region ) ;
299295
300296 for ( const credential of projectSpec . credentials ) {
301297 if ( credential . authorizerType === 'OAuthCredentialProvider' ) {
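Review bot: In `setupTokenVaultKms`, the KMS client now calls `getCredentialProvider()` itself while the token-vault check goes through `createControlClient(region)`, so the two clients no longer visibly share the single `credentials` object that used to be passed in. `createControlClient` is defined outside this diff; if it resolves credentials differently (another profile, a cached provider, extra client configuration), the vault lookup and `CreateKeyCommand` could run as different principals. I would add a matching KMS factory next to `createControlClient`, or state the assumption at the call site, e.g. `// Must resolve to the same principal as createControlClient(region); this key is set on that token vault.` The function also builds a second control client although `setupApiKeyProviders` already holds one, so passing `client` in would keep the pre-deploy step on a single client. The bodies of both functions continue outside the hunks shown.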