fix(fetch): use _CLIENT_SECRET suffix when reading OAuth secret from env

tejaskash · tejaskash · commit 7d37805da379 · 2026-03-25T18:48:10.000-04:00
The write path stores secrets as AGENTCORE_CREDENTIAL_{NAME}_CLIENT_SECRET
but the read path was looking for AGENTCORE_CREDENTIAL_{NAME} without the
suffix, causing token fetch to always fail with "Client secret not found".
diff --git a/src/cli/operations/fetch-access/__tests__/fetch-gateway-token.test.ts b/src/cli/operations/fetch-access/__tests__/fetch-gateway-token.test.ts
@@ -138,7 +138,7 @@ describe('fetchGatewayToken', () => {
   describe('auth type CUSTOM_JWT', () => {
     beforeEach(() => {
       vi.mocked(readEnvFile).mockResolvedValue({
-        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH: 'test-secret',
+        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_SECRET: 'test-secret',
         AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_ID: 'test-client',
       });
 
@@ -170,7 +170,7 @@ describe('fetchGatewayToken', () => {
 
     it('uses tier 2 CLIENT_ID env var when set', async () => {
       vi.mocked(readEnvFile).mockResolvedValue({
-        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH: 'test-secret',
+        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_SECRET: 'test-secret',
         AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_ID: 'tier2-client',
       });
 
@@ -187,7 +187,7 @@ describe('fetchGatewayToken', () => {
 
     it('falls back to tier 3 allowedClients[0] when no CLIENT_ID env var', async () => {
       vi.mocked(readEnvFile).mockResolvedValue({
-        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH: 'test-secret',
+        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_SECRET: 'test-secret',
       });
 
       const projectSpecWithFallbackClient = {
@@ -296,7 +296,7 @@ describe('fetchGatewayToken', () => {
 
     it('throws when client_id is not resolvable', async () => {
       vi.mocked(readEnvFile).mockResolvedValue({
-        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH: 'test-secret',
+        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_SECRET: 'test-secret',
         // no CLIENT_ID env var
       });
 
@@ -326,7 +326,7 @@ describe('fetchGatewayToken', () => {
 
     it('throws when OIDC discovery returns non-ok response', async () => {
       vi.mocked(readEnvFile).mockResolvedValue({
-        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH: 'test-secret',
+        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_SECRET: 'test-secret',
         AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_ID: 'test-client',
       });
 
@@ -345,7 +345,7 @@ describe('fetchGatewayToken', () => {
 
     it('throws with status and error body when token request fails', async () => {
       vi.mocked(readEnvFile).mockResolvedValue({
-        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH: 'test-secret',
+        AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_SECRET: 'test-secret',
         AGENTCORE_CREDENTIAL_MYGATEWAY_OAUTH_CLIENT_ID: 'test-client',
       });
 
diff --git a/src/cli/operations/fetch-access/fetch-runtime-token.ts b/src/cli/operations/fetch-access/fetch-runtime-token.ts
@@ -30,9 +30,9 @@ export async function canFetchRuntimeToken(
     );
     if (!hasCredential) return false;
 
-    const secretEnvVar = computeDefaultCredentialEnvVarName(credName);
+    const envVarPrefix = computeDefaultCredentialEnvVarName(credName);
     const envVars = await readEnvFile();
-    return !!envVars[secretEnvVar];
+    return !!envVars[`${envVarPrefix}_CLIENT_SECRET`];
   } catch {
     return false;
   }
diff --git a/src/cli/operations/fetch-access/oauth-token.ts b/src/cli/operations/fetch-access/oauth-token.ts
@@ -46,7 +46,8 @@ export async function fetchOAuthToken(opts: {
   }
 
   // Resolve client_secret from .env.local
-  const secretEnvVar = computeDefaultCredentialEnvVarName(credName);
+  const envVarPrefix = computeDefaultCredentialEnvVarName(credName);
+  const secretEnvVar = `${envVarPrefix}_CLIENT_SECRET`;
   const envVars = await readEnvFile();
   const clientSecret = envVars[secretEnvVar];
   if (!clientSecret) {
@@ -56,7 +57,7 @@ export async function fetchOAuthToken(opts: {
   }
 
   // Resolve client_id using 3-tier fallback
-  const clientId = resolveClientId(deployedState, targetName, credName, secretEnvVar, envVars, jwtConfig);
+  const clientId = resolveClientId(deployedState, targetName, credName, envVarPrefix, envVars, jwtConfig);
   if (!clientId) {
     throw new Error(
       `Could not determine OAuth client ID for '${resourceName}'. Ensure the resource was created with --client-id.`
@@ -140,7 +141,7 @@ function resolveClientId(
   deployedState: DeployedState,
   targetName: string,
   credName: string,
-  secretEnvVar: string,
+  envVarPrefix: string,
   envVars: Record<string, string>,
   jwtConfig: { allowedClients?: string[] }
 ): string | undefined {
@@ -150,8 +151,8 @@ function resolveClientId(
     return (deployedCred as Record<string, string>).clientId;
   }
 
-  // Tier 2: env var ${secretEnvVar}_CLIENT_ID
-  const clientIdEnvVar = `${secretEnvVar}_CLIENT_ID`;
+  // Tier 2: env var ${envVarPrefix}_CLIENT_ID
+  const clientIdEnvVar = `${envVarPrefix}_CLIENT_ID`;
   const envClientId = envVars[clientIdEnvVar];
   if (envClientId) {
     return envClientId;
